The GitHub attack – is the worst still to come?


What we can learn from the recent cyber attack to the popular website GitHub and why we should worry about what is likely to come next.

 

TTL analysis performed by Netresec in SwedenOver the last few days the popular website GitHub has been the target of a massive Distributed Denial Of Service attack – DDoS, apparently originated from China. As I write this note, the GitHub status webpage now indicates “Everything operating normally” and “All systems reporting at 100%”. However, I am afraid the story is far from over and the worst may still be to come.

GitHub is the largest and most popular repository of open source projects and a key infrastructure website for the Internet. Among other, GitHub hosts the Linux project – arguably the world’s most widespread open source software. Various flavors of Linux power most of the Internet servers and an ever-increasing number of consumer devices across the globe.

According to GitHub sources, the attack began around 2AM UTC on Thursday, March 26 and involved a wide combination of attack vectors. These include a combination of exploits seen in previous attacks and some sophisticated new techniques that use the web browsers of unsuspecting people to flood the github.com website with high levels of traffic.

By applying TTL analysis techniques, some independent researchers have been able to trace the origin of the attack to China. They also conclude that an unidentified entity is using the Chinese Internet monitoring infrastructure – also known as the Great Firewall of China – to perform a man-on-the-side attack against GitHub servers.

A man-on-the-side attack is a form of Internet attack similar to a man-in-the-middle attack. Instead of completely controlling a network node as in a man-in-the-middle attack, the attackers only have regular access to the communication channel, which allows them to read the traffic and insert new messages, but not to modify or delete messages sent by other participants. However, the attackers rely on a timing advantage to make sure the response they send in reply to the victim’s request arrives before the legitimate response, which is then ignored by the target machine.

Here is a plausible scenario of how this man-on-the-side attack has been carried out:

  • An innocent user browses the Internet from outside China.
  • One website the user visits loads a JavaScript from a server in China, for example the Baidu analytics script that often is used by web administrators to track visitor statistics.
  • The web browser’s request for the Baidu JavaScript is detected by the Chinese monitoring infrastructure as it enters China.
  • A fake response is sent out from within China instead of the actual Baidu analytics script.
  • This fake response is a malicious obfuscated JavaScript that tells the user’s browser to continuously reload a few specific pages on GitHub.com, overloading the GitHub.com network capacity, and ultimately taking down the service.

GitHub is not just a software repository. It is also a very popular blogging platform and the place where people may find censored information and software tools to circumvent Internet censorship. Among many software projects hosted by GitHub are github.com/greatfire and github.com/cn-nytimes. These are copies of the websites greatfire.com and cn.nytimes.com. GreatFire provides tools for bypassing China’s Internet censorship and the NYTimes contains news otherwise censored by the Chinese government.

Therefore, some say the intent of this attack is to “persuade” GitHub to remove this kind of content and that Chinese authorities are likely behind this attack in an effort to curb access to information.

Although the analysis of the attack is sufficiently clear, in fact surprisingly timely and accurate, still no one can say for sure whether actual Chinese entities are behind the attack, or whether other actors might have taken momentary control of the Chinese critical infrastructure to mount this attack.

Either way, a first reason to worry is that this attack demonstrates how the supposedly passive network monitoring and filtering infrastructure in China can in fact be used to carry out powerful cyber attacks. We should realize that the Great Firewall cannot be considered just a technology for passively inspecting and censoring the Internet traffic of Chinese citizens. This incident clearly shows that this technology can be used as a platform for conducting cyber warfare against any targets anywhere in the world. And we know even too well that Internet monitoring infrastructure is not just a Chinese prerogative.

But the reason why I am most concerned about this attack is the nature of the “content” stored on GitHub servers: the source code and the binaries (executable files) of the software that powers most of the Internet, arguably today’s most sensitive piece of critical infrastructure. On one hand, there is plenty of evidence that Denial of Service attacks have been used in the past to hide more sophisticated and subtle network infiltration attempts – known as targeted attacks – intended to take permanent control of the corporate networks of specific technology providers. On the other hand, we have seen in the past elaborated multistage attacks that compromise one technology provider to penetrate then the defense of many other high value targets.

Case in point: the RSA data breach in 2011 when “sophisticated hackers” first breached the RSA corporate network, a leading provider of security solutions, and then used stolen RSA information to hack Lockheed Martin, U.S. government’s top information technology services provider, and likely many other U.S. defense contractors. A second similar incident happened in 2012 when hackers successfully breached Adobe release servers in order to remotely sign their malware – Adobe software ships preinstalled in virtually any computer and mobile device, see Don’t be naive about mobile security.

I wouldn’t be surprised if this attack to GitHub is in fact a diversion to hide a far more sinister plot. I think we should consider the possibility that the attackers may have obtained access to some portions of the source code hosted on GitHub to weaken the strength of security software, to add backdoors or to plant malware. And the fact that open source code is open for everyone to review, doesn’t necessarily guarantee that eventual malicious changes can be easily identified and fixed – so called open security. In particular, some security algorithms are so complex, and their implementation so obscure, that even the brightest cryptographists may overlook some fundamental software flaws – as clearly demonstrated by the Heartbleed vulnerability in the OpenSSL cryptography library, disclosed in 2014, and by the POODLE exploit that takes advantage of Internet security software clients’ fallback to SSL 3.0.

“The notion that open source software is more secure because it is open to inspection by everyone is really quite suspect” says Mike Borza, Chief Technology Officer at Elliptic Technologies, a leading security provider.   While it is true that anyone could inspect the source code of an open source project, the fact is that few do.  We’ve seen this truth play out in the hundreds of manufacturers of security sensitive equipment like gateway routers. “Many vendors simply took the OpenSSL source tree and integrated it in their products without ever really analyzing what the software was doing. This amplified the impact of Heartbleed”, continues Borza. While the OpenSSL project is now being properly funded to handle internal security reviews, a Linux system build incorporates hundreds of packages, many of which may also admit vulnerabilities.  “The general issue continues to exist”, warns Borza.

Open source communities that rely on GitHub have been advised to carefully review their repositories and look in particular for indicators of compromise such as unexpected repository forks or unauthorized users access. I am afraid this is going to prove almost irrelevant if the attackers had in fact access to the inner mechanics of the Git database itself, which is potentially vulnerable to attack as any other software in the world.

“This attack points to the need for open source groups to collaborate more on security initiatives, including the addition of hardware-based protection schemes at the device level to augment the existing software based approaches” says Art Swift, President of prpl Foundation, a leading open source organization.

GitHub and similar services are fantastic resources for the open source community. But it becomes incumbent on the maintainers and contributors of these projects to ensure that the contributions achieve their objectives without introducing accidental (or intentional) vulnerabilities. Git users frequently point out that the repository is replicated locally and therefore more robust than other similar tools.  “The fact is that for many distributions GitHub is a kind of a master repository from which updates are pulled. Using a DDoS attack as cover for a more devious attack on code stored in the system is a real concern”, concludes Borza.

 

Does your organization depend on open source software? How concerned are you with the ongoing systematic attempts to weaken Internet security? Is security by obscurity a better approach? What should open source software organizations do to better protect the work of their communities? Would love to hear from you …

 

About Cesare Garlati
Chief Security Strategist prpl Foundation Co-Chair Mobile Group Cloud Security Alliance

One Response to The GitHub attack – is the worst still to come?

  1. anon coward says:

    DDoS is usually a smokescreen to hide something more sinister: my guess – they got control of some core servers, and are wreaking havoc with other peoples sources.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: