Microsoft Investigating Claims of Hacked Source Code Repositories (bleepingcomputer.com)
Microsoft says they are investigating claims that the Lapsus$ data extortion hacking group breached their internal Azure DevOps source code repositories and stole data. BleepingComputer reports: Unlike many extortion groups we read about today, Lapsus$ does not deploy ransomware on their victims' devices. Instead, they target the source code repositories of large companies, steal their proprietary data, and then attempt to ransom that data back to the company for millions of dollars. While it is not known whether the extortion group has successfully ransomed stolen data, Lapsus$ has gained notoriety over the past months for their confirmed attacks against NVIDIA, Samsung, Vodafone, Ubisoft, and Mercado Libre. Unfortunately, Lapsus$ has a good track record, with their claims of attacks on other companies later confirmed to be true.
While the leaking of source code makes it easier to find vulnerabilities in a company's software, Microsoft has previously stated that leaked source code does not create an elevation of risk. Microsoft says that their threat model assumes that threat actors already understand how their software works, whether through reverse engineering or previous source code leaks. "At Microsoft, we have an inner source approach -- the use of open source software development best practices and an open source-like culture -- to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code," explained Microsoft in a blog post about the SolarWinds attackers gaining access to their source code. "So viewing source code isn't tied to elevation of risk." However, source code repositories also commonly contain access tokens, credentials, API keys, and even code signing certificates.
Re: (Score:2)
The truth usually is.
Re: (Score:2)
You are definitely on to something there; PowerShell is dog-shit for usability. You can accomplish a lot, but the syntax will make you want to kill yourself.
Re: (Score:2)
Debian getting payback for unleashing systemd on the world.
Re: (Score:2)
Windows 2000 it is
Re: (Score:2)
ummm no (Score:3)
However, source code repositories also commonly contain access tokens, credentials, API keys, and even code signing certificates.
Only for incompetent developers.
Re: (Score:2)
However, source code repositories also commonly contain access tokens, credentials, API keys, and even code signing certificates.
Only for incompetent developers.
Indeed. But MS has tons of these, obviously. They have a reputation to maintain after all.
From my experience in regulated industries, code repositories get scanned for hard-coded passwords, API keys and secret certificates. And if one is found, your repo gets locked away and you have real problems getting access again and need to prove you fixed things. I doubt MS does anything like that.
Re: ummm no (Score:2)
Re: (Score:2)
And yet, their security sucks, their reliability sucks and installing their patches tempts fate. I wonder why that is then?
Also, why would MS buy crap code? (Score:2)
And MS knows their code is crap.
Re: Also, why would MS buy crap code? (Score:2)
Re: (Score:2)
MS not only does that, it writes many of the tools to scan for and detect those issues.
Which are of the same crappy quality, obviously. Well, that and a broken wannabe software "architecture" that nobody does worse than MS.
Better not have credentials in version control (Score:2)
They'd better bloody well not contain that kind of stuff. You don't check sensitive information like that into version control, it should be external to the source code and supplied as configuration so you can change it in the event of a compromise without having to rebuild and redeploy the application. C'mon, that's developer security 101 stuff.
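As an added example (not code from the article, BleepingComputer, Microsoft or any commenter), here is the kind of repository scan the earlier comment describes together with the externalised configuration this comment calls for, in Python. The four detection rules and the two sample settings files are constructed for illustration; real scanners ship far more rules.

```python
import os
import re

# Secret rules a pre-commit or repository scanner would apply; these four are
# constructed for this example, real scanners ship far more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
    "generic_api_key": re.compile(r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"][A-Za-z0-9_\-]{16,}['\"]"),
}

def scan_text(text, path="<memory>"):
    """Return (path, line_no, rule) for every line that matches a secret rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, rule))
    return findings

# Constructed settings file of the kind the thread warns about: a password,
# a cloud access key and a signing key committed next to the code.
BAD_CONFIG = """\
DB_HOST = "db.internal"
DB_PASSWORD = "hunter2hunter2"
AWS_ACCESS_KEY_ID = "AKIACONSTRUCTED00001"
SIGNING_KEY = "-----BEGIN RSA PRIVATE KEY-----"
"""

# The same settings with every secret supplied from the environment: safe to
# commit, and a compromised value is rotated by changing the deployment
# configuration rather than rebuilding and redeploying the application.
GOOD_CONFIG = """\
import os
DB_HOST = os.environ["DB_HOST"]
DB_PASSWORD = os.environ["DB_PASSWORD"]
AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
"""

def load_settings(env=None):
    """Read the externalised secrets, failing closed if any is missing."""
    env = os.environ if env is None else env
    required = ("DB_HOST", "DB_PASSWORD", "AWS_ACCESS_KEY_ID")
    missing = [k for k in required if not env.get(k)]
    if missing:
        raise RuntimeError("missing required secrets: " + ", ".join(missing))
    return {k: env[k] for k in required}
```

Running `scan_text(BAD_CONFIG, "settings.py")` flags lines 2, 3 and 4, while the externalised version produces no findings.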
Re: (Score:2)
C'mon, that's developer security 101 stuff.
It is. But you know how many mandatory security classes many/most CS curriculums contain to this day? Zero. Not much better for people learning coding as a trade-skill.