McAfee: Source code is easy target within corporations

SAN FRANCISCO--The type of software corporations use to house source code that criminals targeted in the recent attacks on Google and others is generally weak in security protection, McAfee researchers said on Wednesday.

McAfee analyzed a commonly used software for housing intellectual property called Perforce and released its findings during a session at the RSA security conference here. The company helped in the discovery that a hole in Internet Explorer 6 was exploited in at least some of the recent attacks on U.S. firms and named the attacks "Operation Aurora" after the malware used.

Now the security company is turning its attention to looking at what attackers would be capable of doing once they are inside an organization.

When Google disclosed the targeted attack on its network in mid-January, it said intellectual property was stolen. Gmail users who are human rights activists were also targeted in attacks and Google said the attacks appeared to originate in China and that it would stop censoring its Web results there and possibly exit the market entirely.

Meanwhile, sources said at least 30 other companies were targeted in attacks in which intellectual property was at risk. Adobe and Intel have publicly disclosed that they were targeted in attacks last year, although it is unclear whether they are part of the attacks that targeted Google.

Stuart McClure, general manager risk compliance at McAfee, said he could not say whether Perforce was used at the companies McAfee knows were attacked.

"We know that within a number of companies this kind of software is targeted all the time and I think it's safe to say this is a common target and would have been a target within Aurora," he said in an interview on Wednesday morning.

Other document management software used for housing intellectual property is Microsoft SharePoint and Documentum, but McAfee has not analyzed those products, he said.

"In our analysis and work on Aurora it became clear to us that these intellectual property repositories were a target and the first one we turned to was Perforce," McClure said.

In Perforce, McAfee found that there are no additional security mechanisms in place, so the security is only as strong as the security already created on the system, according to McClure. Many of the usernames and passwords get transmitted as clear text and authentication can be totally bypassed, he said.

"Strictly by knowing a user name, which I can figure out, I can assume the identity of that user within the Perforce system," he said. "Source code control systems tend to be one of the most open systems we have inside an organization," he added.

Also during the session, McAfee Chief Technology Officer George Kurtz showed a video demonstration of a way to create an attack "cocktail" by combining the IE vulnerability exploited in the Google attacks with a vulnerability in the 32-bit versions of the Windows kernel to take control of a Windows 7 system running IE 8.

Microsoft had said that IE 6 was vulnerable to the Aurora attack but that technologies added to later versions of the browser mitigated any affect the attack would have on systems running IE 7 and IE 8. However, Kurtz said his demonstration shows how the newer browsers "are still susceptible to attack by the latest techniques."

Microsoft patched the IE hole January 21 and a security update to fix the Windows hole, which would allow an attacker who got inside a system to elevate privileges to full system access, was released on February 9.

Kurtz and McClure also showed a demonstration of a man-in-the-middle attack designed to steal bank log-in credentials and which uses a private Twitter account to send commands to infected computers.

Under this scenario, a user gets malware installed on a system by visiting a site with malicious code hiding on it or by opening up a malicious e-mail attachment.

The malware installs a program called a Browser Helper Object on IE that grabs a user name and the password and token combination when they are typed in to a bank site. The attacker posts commands to the private Twitter page and when the user logs in to the bank site the malware hiding on the user's browser gets its instructions off the Twitter page and performs the transaction, all invisible to the user.

"There's malware out there right now that does this in an automated way for banks around the world," Kurtz said.

Updated at 3:15 p.m. PST with additional attacks demonstrated at the session, and at 2:32 p.m. PST with conclusion of talk.