The GitHub attack – is the worst still to come?

What we can learn from the recent cyber attack to the popular website GitHub and why we should worry about what is likely to come next.

 

TTL analysis performed by Netresec in Sweden

Over the last few days the popular website GitHub has been the target of a massive Distributed Denial of Service (DDoS) attack, apparently originating from China. As I write this note, the GitHub status page indicates “Everything operating normally” and “All systems reporting at 100%”. However, I am afraid the story is far from over and the worst may still be to come.

GitHub is the largest and most popular repository of open source projects and a key infrastructure website for the Internet. Among others, GitHub hosts the Linux project – arguably the world’s most widespread open source software. Various flavors of Linux power most Internet servers and an ever-increasing number of consumer devices across the globe.

According to GitHub sources, the attack began around 2AM UTC on Thursday, March 26 and involved a wide combination of attack vectors, including exploits seen in previous attacks and some sophisticated new techniques that use the web browsers of unsuspecting people to flood the github.com website with high levels of traffic.

By applying TTL analysis techniques, some independent researchers have been able to trace the origin of the attack to China. They also conclude that an unidentified entity is using the Chinese Internet monitoring infrastructure – also known as the Great Firewall of China – to perform a man-on-the-side attack against GitHub servers.

A man-on-the-side attack is a form of Internet attack similar to a man-in-the-middle attack. Instead of completely controlling a network node as in a man-in-the-middle attack, the attackers only have regular access to the communication channel: they can read the traffic and inject new messages, but they cannot modify or delete messages sent by other participants. They rely instead on a timing advantage: the response they send in reply to the victim’s request arrives before the legitimate response, and the target machine then ignores the legitimate one as a duplicate.

Here is a plausible scenario of how this man-on-the-side attack has been carried out:

  • An innocent user browses the Internet from outside China.
  • One website the user visits loads a JavaScript file from a server in China, for example the Baidu analytics script that web administrators often use to track visitor statistics.
  • The web browser’s request for the Baidu JavaScript is detected by the Chinese monitoring infrastructure as it enters China.
  • A fake response is sent out from within China instead of the actual Baidu analytics script.
  • This fake response is a malicious obfuscated JavaScript that tells the user’s browser to continuously reload a few specific pages on GitHub.com, overloading the GitHub.com network capacity, and ultimately taking down the service.
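A defender-side way to spot this kind of injection in a packet capture, as an added example that is not part of the original post and not Netresec’s own tooling: it applies the TTL comparison mentioned above together with a second tell, two server packets claiming the same TCP sequence number with different contents. The flows, addresses, TTL values and packet contents below are constructed, not captured.

```python
# Added example (not from the original post): flagging man-on-the-side
# response injection in a capture, using the two tells TTL analysis relies on.
# All packet records below are constructed sample data, not real traffic.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    flow: tuple         # (client_ip, client_port, server_ip, server_port)
    from_server: bool   # True for server -> client packets
    ttl: int            # IP TTL as observed at the capture point
    seq: int            # TCP sequence number of the first byte
    payload: bytes


# Hypothetical flows: A is the script request that gets raced, B is clean.
FLOW_A = ("10.0.0.5", 50123, "203.0.113.10", 80)
FLOW_B = ("10.0.0.5", 50124, "198.51.100.7", 80)

GET = b"GET /h.js HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
REAL_JS = b"HTTP/1.1 200 OK\r\n\r\nvar _hmt = _hmt || [];"
INJECTED_JS = b"HTTP/1.1 200 OK\r\n\r\n/* placeholder: obfuscated reload loop */"

SAMPLE_PACKETS = [
    Packet(FLOW_A, True, 42, 1000, b""),            # SYN-ACK from the real server
    Packet(FLOW_A, False, 64, 2000, GET),           # client asks for the script
    Packet(FLOW_A, True, 227, 1001, INJECTED_JS),   # injected reply wins the race
    Packet(FLOW_A, True, 42, 1001, REAL_JS),        # real reply, same seq, too late
    Packet(FLOW_B, True, 51, 5000, b""),
    Packet(FLOW_B, False, 64, 7000, GET),
    Packet(FLOW_B, True, 51, 5001, REAL_JS),
]


def ttl_baseline(packets):
    """TTL of the first server->client packet in each flow.

    That packet is normally the SYN-ACK, sent before the injector has a
    request to react to, so it is a sound reference for the real path."""
    base = {}
    for p in packets:
        if p.from_server:
            base.setdefault(p.flow, p.ttl)
    return base


def find_injections(packets, ttl_tolerance=2):
    """Return (flow, reason, packet) for server packets that look injected.

    ttl_mismatch: TTL differs from the flow's baseline by more than a small
      tolerance (route flaps shift a hop or two; a difference of 185 is not that).
    conflicting_retransmit: two packets carry the same sequence number with
      different payloads. A genuine retransmission repeats the same bytes, so
      this is the race itself showing up in the capture."""
    base = ttl_baseline(packets)
    seen = defaultdict(dict)  # flow -> seq -> first payload seen at that seq
    findings = []
    for p in packets:
        if not p.from_server or not p.payload:
            continue
        if abs(p.ttl - base[p.flow]) > ttl_tolerance:
            findings.append((p.flow, "ttl_mismatch", p))
        earlier = seen[p.flow].get(p.seq)
        if earlier is not None and earlier != p.payload:
            findings.append((p.flow, "conflicting_retransmit", p))
        seen[p.flow].setdefault(p.seq, p.payload)
    return findings


def suspicious_flows(packets):
    """Map each flagged flow to the sorted list of reasons it was flagged."""
    out = defaultdict(set)
    for flow, reason, _ in find_injections(packets):
        out[flow].add(reason)
    return {flow: sorted(reasons) for flow, reasons in out.items()}


if __name__ == "__main__":
    for flow, reasons in suspicious_flows(SAMPLE_PACKETS).items():
        print(flow, reasons)
```

Only flow A is flagged, on both counts; a TTL baseline taken from the SYN-ACK matters because the injector never sees the handshake from the server’s side and cannot match its hop count.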

GitHub is not just a software repository. It is also a very popular blogging platform and the place where people may find censored information and software tools to circumvent Internet censorship. Among many software projects hosted by GitHub are github.com/greatfire and github.com/cn-nytimes. These are copies of the websites greatfire.com and cn.nytimes.com. GreatFire provides tools for bypassing China’s Internet censorship and the NYTimes contains news otherwise censored by the Chinese government.

Therefore, some say the intent of this attack is to “persuade” GitHub to remove this kind of content and that Chinese authorities are likely behind this attack in an effort to curb access to information.

Although the analysis of the attack is sufficiently clear – in fact surprisingly timely and accurate – no one can say for sure whether actual Chinese entities are behind the attack, or whether other actors might have taken momentary control of the Chinese critical infrastructure to mount it.

Either way, a first reason to worry is that this attack demonstrates how the supposedly passive network monitoring and filtering infrastructure in China can in fact be used to carry out powerful cyber attacks. We should realize that the Great Firewall cannot be considered just a technology for passively inspecting and censoring the Internet traffic of Chinese citizens. This incident clearly shows that this technology can be used as a platform for conducting cyber warfare against any target anywhere in the world. And we know only too well that Internet monitoring infrastructure is not just a Chinese prerogative.

But the reason why I am most concerned about this attack is the nature of the “content” stored on GitHub servers: the source code and the binaries (executable files) of the software that powers most of the Internet, arguably today’s most sensitive piece of critical infrastructure. On one hand, there is plenty of evidence that Denial of Service attacks have been used in the past to hide more sophisticated and subtle network infiltration attempts – known as targeted attacks – intended to take permanent control of the corporate networks of specific technology providers. On the other hand, we have seen in the past elaborate multistage attacks that compromise one technology provider in order to then penetrate the defenses of many other high value targets.

Case in point: the RSA data breach in 2011, when “sophisticated hackers” first breached the corporate network of RSA, a leading provider of security solutions, and then used stolen RSA information to hack Lockheed Martin, the U.S. government’s top information technology services provider, and likely many other U.S. defense contractors. A second similar incident happened in 2012 when hackers successfully breached Adobe release servers in order to remotely sign their malware – Adobe software ships preinstalled on virtually every computer and mobile device, see Don’t be naive about mobile security.

I wouldn’t be surprised if this attack on GitHub is in fact a diversion to hide a far more sinister plot. I think we should consider the possibility that the attackers may have obtained access to some portions of the source code hosted on GitHub to weaken the strength of security software, to add backdoors or to plant malware. And the fact that open source code is open for everyone to review doesn’t necessarily guarantee that any malicious changes can be easily identified and fixed – so called open security. In particular, some security algorithms are so complex, and their implementation so obscure, that even the brightest cryptographers may overlook some fundamental software flaws – as clearly demonstrated by the Heartbleed vulnerability in the OpenSSL cryptography library, disclosed in 2014, and by the POODLE exploit that takes advantage of Internet security software clients’ fallback to SSL 3.0.

“The notion that open source software is more secure because it is open to inspection by everyone is really quite suspect” says Mike Borza, Chief Technology Officer at Elliptic Technologies, a leading security provider. While it is true that anyone could inspect the source code of an open source project, the fact is that few do. We’ve seen this truth play out in the hundreds of manufacturers of security sensitive equipment like gateway routers. “Many vendors simply took the OpenSSL source tree and integrated it in their products without ever really analyzing what the software was doing. This amplified the impact of Heartbleed”, continues Borza. While the OpenSSL project is now being properly funded to handle internal security reviews, a Linux system build incorporates hundreds of packages, many of which may also admit vulnerabilities. “The general issue continues to exist”, warns Borza.

Open source communities that rely on GitHub have been advised to carefully review their repositories and look in particular for indicators of compromise such as unexpected repository forks or unauthorized user access. I am afraid this is going to prove almost irrelevant if the attackers in fact had access to the inner mechanics of the Git database itself, which is potentially as vulnerable to attack as any other software in the world.

“This attack points to the need for open source groups to collaborate more on security initiatives, including the addition of hardware-based protection schemes at the device level to augment the existing software based approaches” says Art Swift, President of prpl Foundation, a leading open source organization.

GitHub and similar services are fantastic resources for the open source community. But it becomes incumbent on the maintainers and contributors of these projects to ensure that the contributions achieve their objectives without introducing accidental (or intentional) vulnerabilities. Git users frequently point out that the repository is replicated locally and therefore more robust than other similar tools. “The fact is that for many distributions GitHub is a kind of a master repository from which updates are pulled. Using a DDoS attack as cover for a more devious attack on code stored in the system is a real concern”, concludes Borza.

 

Does your organization depend on open source software? How concerned are you with the ongoing systematic attempts to weaken Internet security? Is security by obscurity a better approach? What should open source software organizations do to better protect the work of their communities? Would love to hear from you …

 

Cesare Garlati Joins prpl Foundation as Chief Security Strategist

prpl Foundation

SANTA CLARA, CA – (Marketwired – April 07, 2015) – Well-known information security expert Cesare Garlati today joins the prpl Foundation as Chief Security Strategist. Garlati will assist the Foundation with security strategy in the newly formed Security PEG (prpl Engineering Group), a working group dedicated to creating an open standard framework that addresses next-generation security requirements for connected devices.

“Cesare Garlati is an internationally renowned leader in the mobile security space,” said prpl Foundation president Art Swift. “We all look forward to his contributions in security strategy and his participation in the ground-breaking Security PEG.”

Read more of this post

European Data Protection Reform – How to minimize impact and costs

European Data Protection Reform

If your company touches any Europeans’ data you’d better prepare for what’s coming.

The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe’s digital economy. However, many experts across the Atlantic have expressed deep concerns with regard to some controversial aspects of the incoming laws, which introduce bigger fines, 24 hour disclosure and the enforced Data Privacy Officer. The proposed regulation applies to the processing of personal data pertaining to data subjects in the EU even if the controller or processor of such data is not established in the EU. U.S. companies with or without operations in the EU that fail to comply with the new rules can trigger fines up to €100 million. If your company touches any Europeans’ data, you’d better prepare for what’s coming and know what to do to minimize the impact on your organization when the regulation is enforced.

Read more of this post

European Data Protection Reform – How to prepare for what is coming

How to prepare for what is coming

U.S. companies who market goods and services to European consumers should not wait for the regulation to enter into force. You should act promptly to avoid the disruptions and the liability resulting from an untimely implementation of these new rules.

At a minimum, your checklist should include:

Read more of this post

European Data Protection Reform – Should you worry yet?

Should you worry yet?

According to Viviane Reding, EU Justice Commissioner, there is a full commitment of the European bodies to pass this legislation by the end of the year. However, the experts are skeptical with regard to a swift approval by the council of ministers of the EU member states.

Read more of this post

European Data Protection Reform – The Enforced Data Privacy Officer

The enforced Data Privacy Officer – revenue generation for lawyers?

For private legal entities, the obligation set forth in Art. 35 of the regulation to designate a Data Privacy Officer (DPO) only applies to the processing of personal data that affects large numbers of individuals (≥ 5000 data subjects in 12 months), regular and systematic monitoring of data subjects, or the processing of special categories of data, location data or children’s data in large scale filing systems.

Read more of this post

European Data Protection Reform – 24 hour disclosure or undue delay?

24 hour disclosure or undue delay?

The new regulation establishes the consumer right to know when their data has been “hacked”. Companies and organizations must notify the national supervisory authority of serious data breaches as soon as possible, if feasible within 24 hours, so that users can take appropriate measures.

Read more of this post

European Data Protection Reform – The 100 Million Euro Fine

The 100 million euro fine: outrageous sanctions set a disturbing precedent.

Under the current national European data protection laws enacted or amended in the wake of Directive 95/46/EC, administrative fines are rather limited – i.e. in Germany the maximum fine is €300,000 – and rarely imposed at all. The new regulation entails a paradigm change in that it introduces substantial sanctions for non-compliance with the new rules.

Read more of this post

European Data Protection Reform – What you should know.

EU regulation vs. U.S. laws: a matter of cultural bias?

The consolidated version of the EU Commission’s proposal for a General Data Protection Regulation following the LIBE Committee vote of October 21, 2013 differs fundamentally from the U.S. approach to the protection of personal data. “Whether one approach is better than the other, is a question of data protection culture. You might think that these are two extremes. On the one hand you have very restrictive regulation with higher fines, which are in my opinion over the top. On the other hand, there is so much leeway under the U.S. data protection laws that you can do almost anything as long as it’s not specifically prohibited,” observes Andreas Leupold, the German IT attorney and recipient of the “Lawyer of The Year 2013” award, who advises clients across Germany, England and the U.S.

Read more of this post

How secure is Mobile Device Management anyway?

Objective-C Hooking

Researchers have successfully breached the Good Technology container. MDM software can only be as secure as the underlying operating system.

As the adoption of smartphones and tablets grows exponentially, one of the biggest challenges facing corporate IT organizations is not the threat of losing the device – likely owned by the employee – but the threat of a targeted attack stealing sensitive corporate data stored on these mobile devices. As a first line of defense, an increasing number of companies rely on Mobile Device Management software and Secure Container solutions to secure and manage corporate data accessed from these mobile devices. However, a recent analysis conducted by Lacoon Mobile Security – presented a few weeks ago at the BlackHat conference in Amsterdam – shows that the leading secure container solution Good Technology can be breached and corporate email stolen from Apple iOS and Android devices.

Read more of this post
