Old and busted: Targeting servers and web bugs. New hotness: Pwning devs with targeted poisoned stacks

'Most developers are highly intelligent, but also highly stupid'


Hard-working but naive developers are a little known but highly dangerous soft spot in an organisation that attackers can exploit.

This is according to Rich Jones, co-founder of security consultancy Gun.io. Speaking at the 2020 Disclosure conference, Jones outlined how the trust many developers put in their software stacks and shared code, paired with a disturbing lack of online savvy, can make them easy pickings for hackers.

"Systems are generally hardened - they have patches, they have firewalls, they have monitoring," Jones explained, "but [some] developers will run literally any bullshit they find on Stack Overflow. They keep credentials lying about, they're obviously going to have the source code and some production data sitting on their hardware as well."

As one example of the tactic, Jones pointed to the July attack at Twitter in which employees were spear-phished, leading to the takeover of 130 celebrity accounts.

"This was not a hack of the Twitter production system: this was a hack of Twitter employees using classic social engineering tricks," he noted. "This is pretty powerful stuff, it's practical, and you can cause serious damage with it."

So how exactly would an aggressor go about attacking a specific developer?

Jones said much of it is down to exploiting the trust developers put into shared code and software stacks. By selecting a developer and studying their projects, an attacker would be able to map out the software stack being used.

From there, the attacker would pick out a weak spot in that stack – say, a dependency or GitHub project – and slip poisoned code in. This could be as simple as slipping attack code into StackOverflow.

Because so many developers will pull, copy, and share their open source code without a second thought, they will happily exploit their own machines. Jones said this is even the case when the dev's computer tries to warn them that something bad is going to happen.

Much of this, he said, is due to learned behavior rather than ignorance. After years of sharing code and tips with other developers and seeing their peers ignoring warnings while working on projects, many coders have unlearned some of the basic rules other users follow.

"Most developers consider themselves to be moderately intelligent but not stupid," mused Jones. "I have found most developers are highly intelligent, but also highly stupid."

The problem is amplified by the fact that developers are also extremely high-value targets. In addition to their own code, many devs will have things like security keys or admin access to other networked devices. This can open the door to everything from server takeovers to DNS rebinding or man-in-the-middle attacks.

"Developers have all the juicy bits of production systems sitting around on their laptops," said Jones. "And that will give you the foothold you need to completely take over their organization."

The solution, it seems, is for developers to re-learn some best practices. Jones advised basic steps for devs such as not storing production code on their local machine, scrutinizing the projects they use in their software stacks, not oversharing information about their projects on social media, and, er, actually paying attention to warning messages. ®

Similar topics

Broader topics


Other stories you might like

  • Google shows off immersive maps, AR-flavored search, Pixel 7, and more
    Your essential de-hyped guide to what the Chocolate Factory teased at developer shindig

    Google IO Google I/O, the ad biz's annual developer conference, returned to the Shoreline Amphitheater in California's Mountain View on Wednesday, for the first time in three years. The gathering remained largely a remote event due to the persistence of COVID-19 though there were enough Googlers, partners, and assorted software developers in attendance to fill venue seats and punctuate important points with applause.

    Sundar Pichai, CEO of Google parent Alphabet, opened the keynote by sounding familiar themes. He leaned into the implied sentiment, "We're here to help," an increasingly iffy proposition in light of the many controversies facing the company.

    He said he wanted to explain how Google is advancing its mission in two ways, "by deepening our understanding of information so that we can turn it into knowledge and advancing the state of computing so that knowledge is easier to access no matter who or where you are."

    Continue reading
  • Half of developers still at screens even during breaks
    Going for a walk: Good. Doomscrolling: Bad

    What are your peers doing to stave off burnout? Research from Stack Overflow suggests about half of developers are still spending their breaks in front of a screen.

    The Q&A programming resource surveyed 800 devs, and found most of the top five things they do when they need a break involve screens: listening to music (46 percent), visiting Stack Overflow (41 percent), browsing social media (37 percent), and watching videos (36 percent).

    Actually talking with fellow humans did not make the top five, and 4 percent of respondents had some other outlet for stress (possibly angrily banging some really terse comments into the source).

    Continue reading
  • RAD Basic – the Visual Basic 7 that never was – releases third alpha
    Spend your weekend wallowing in the good old days

    RAD Basic has edged a little closer to bringing Visual Basic 6 back to your PC with the release of 0.5.0 Alpha 3.

    We last looked at RAD Basic a year ago and soaked in a warm bath of nostalgia for a time when Windows applications could be knocked out with the same skills needed to persuade Sinclair or Commodore hardware to display naughty words in a 1980s computer shop.

    While Microsoft ditched Visual Basic 6 in favor of .NET and C# many years ago, there remain plenty of IT professionals who owe their career to the language and an abundance of lashed-up solutions still underpinning substantial chunks of the corporate world.

    Continue reading

Biting the hand that feeds IT © 1998–2022