Old and busted: Targeting servers and web bugs. New hotness: Pwning devs with targeted poisoned stacks

'Most developers are highly intelligent, but also highly stupid'

28 Reg comments Got Tips?

Hard-working but naive developers are a little known but highly dangerous soft spot in an organisation that attackers can exploit.

This is according to Rich Jones, co-founder of security consultancy Gun.io. Speaking at the 2020 Disclosure conference, Jones outlined how the trust many developers put in their software stacks and shared code, paired with a disturbing lack of online savvy, can make them easy pickings for hackers.

"Systems are generally hardened - they have patches, they have firewalls, they have monitoring," Jones explained, "but [some] developers will run literally any bullshit they find on Stack Overflow. They keep credentials lying about, they're obviously going to have the source code and some production data sitting on their hardware as well."

As one example of the tactic, Jones pointed to the July attack at Twitter in which employees were spear-phished, leading to the takeover of 130 celebrity accounts.

"This was not a hack of the Twitter production system: this was a hack of Twitter employees using classic social engineering tricks," he noted. "This is pretty powerful stuff, it's practical, and you can cause serious damage with it."

So how exactly would an aggressor go about attacking a specific developer?

Jones said much of it is down to exploiting the trust developers put into shared code and software stacks. By selecting a developer and studying their projects, an attacker would be able to map out the software stack being used.

From there, the attacker would pick out a weak spot in that stack – say, a dependency or GitHub project – and slip poisoned code in. This could be as simple as slipping attack code into StackOverflow.

Because so many developers will pull, copy, and share their open source code without a second thought, they will happily exploit their own machines. Jones said this is even the case when the dev's computer tries to warn them that something bad is going to happen.

Much of this, he said, is due to learned behavior rather than ignorance. After years of sharing code and tips with other developers and seeing their peers ignoring warnings while working on projects, many coders have unlearned some of the basic rules other users follow.

"Most developers consider themselves to be moderately intelligent but not stupid," mused Jones. "I have found most developers are highly intelligent, but also highly stupid."

The problem is amplified by the fact that developers are also extremely high-value targets. In addition to their own code, many devs will have things like security keys or admin access to other networked devices. This can open the door to everything from server takeovers to DNS rebinding or man-in-the-middle attacks.

"Developers have all the juicy bits of production systems sitting around on their laptops," said Jones. "And that will give you the foothold you need to completely take over their organization."

The solution, it seems, is for developers to re-learn some best practices. Jones advised basic steps for devs such as not storing production code on their local machine, scrutinizing the projects they use in their software stacks, not oversharing information about their projects on social media, and, er, actually paying attention to warning messages. ®


Keep Reading

Google Firebase Cloud Messaging offers spam tier for some – no account required, just knowledge of bad security

All that's necessary is willingness to abuse server keys exposed in apps and some technical know-how

Microsoft reprieves SHA-1 deprecation in Edge 85 security baseline

Wait! What? Aaah ... legacy systems strike again, but won't get another bite

Alarming news: ADT to flog Nest smart home kit after Google ploughs $450m into corporate security dinosaur

Resell agreement set up amid plans to build next gen of home automation and security gear

Microsoft will release a web browser for Linux next month. Repeat, Microsoft will release a browser for Linux – and it uses Google's technology

Ignite This means Linus Torvalds has definitely won, doesn't it?

Watch your MANRS: Akamai, Amazon, Netflix, Microsoft, Google, and pals join internet routing security effort

Filtering, anti-spoofing, coordination, validation to prevent crooks, spies hijacking victims' connections

Happy Hacking Professional Hybrid mechanical keyboard: Weird, powerful, comfortable ... and did we mention weird?

Review Once you're over the learning curve, it's a cross-platform all-rounder

Soft press keys for locked-down devs: Three new models of old school 60-key Happy Hacking 'board out next month

Good news if you're a fan of Topre switches

When you see PWA, Microsoft and Google want you to think Programs With Attitude: Web app release tool tweaked

More native applications we smoke, yo, our rep gets bigger

Biting the hand that feeds IT © 1998–2020