And he also notes that major vulnerabilities in open source software, like the recent Log4j flaws, have often lurked undiscovered for years or even decades, similar to inconspicuous typos that aren't caught by an author, editor, or copyeditor. Google's Huntley points out that the same broad and diverse vetting needed to secure open source software is also vital for critical proprietary source code, just in case it is ever stolen or leaks. In fact, as open source software shows, it's possible for source code to be publicly available without making the software it underpins less secure. Attackers can't take over Cortana from Microsoft or access users' accounts simply because they have some of the source code for the platform. But source code alone isn't a road map to find exploitable bugs. In other words, when attackers gain access to source code-and especially when they leak it for all to see-a company's intellectual property could be exposed in the process, and attackers may be able to spot vulnerabilities in their systems more quickly. Just because someone can see the source code doesn't mean they'll be able to exploit it right then.”
“For a vulnerability hunter, it makes certain things easier, allowing them to skip a lot of steps. “Some source code does represent trade secrets, some parts of source code may make it easier for people to abuse systems, but accounts and user data are typically the biggest things companies have to protect,” says Shane Huntley, director of Google's Threat Analysis Group. Researchers say, though, that while source code leaks may seem catastrophic, and certainly aren't good, they typically aren't the worst-case scenario of a criminal data breach.
Sounds bad, right?īusinesses, governments, and other institutions have been plagued by ransomware attacks, business email compromise, and an array other breaches in recent years. At the end of March, alongside revelations that they had breached an Okta subprocessor, the hackers also dropped a trove of data containing portions of the source code for Microsoft's Bing, Bing Maps, and its Cortana virtual assistant. And among other things, the group is known for grabbing and leaking source code at every opportunity, including from Samsung, Qualcomm, and Nvidia. The Lapsus$ digital extortion group is the latest to mount a high-profile data-stealing rampage against major tech companies.
0 kommentar(er)
