This article is more than 1 year old
Old and busted: Targeting servers and web bugs. New hotness: Pwning devs with targeted poisoned stacks
'Most developers are highly intelligent, but also highly stupid'
Hard-working but naive developers are a little known but highly dangerous soft spot in an organisation that attackers can exploit.
This is according to Rich Jones, co-founder of security consultancy Gun.io. Speaking at the 2020 Disclosure conference, Jones outlined how the trust many developers put in their software stacks and shared code, paired with a disturbing lack of online savvy, can make them easy pickings for hackers.
"Systems are generally hardened - they have patches, they have firewalls, they have monitoring," Jones explained, "but [some] developers will run literally any bullshit they find on Stack Overflow. They keep credentials lying about, they're obviously going to have the source code and some production data sitting on their hardware as well."
As one example of the tactic, Jones pointed to the July attack at Twitter in which employees were spear-phished, leading to the takeover of 130 celebrity accounts.
"This was not a hack of the Twitter production system: this was a hack of Twitter employees using classic social engineering tricks," he noted. "This is pretty powerful stuff, it's practical, and you can cause serious damage with it."
So how exactly would an aggressor go about attacking a specific developer?
Jones said much of it is down to exploiting the trust developers put into shared code and software stacks. By selecting a developer and studying their projects, an attacker would be able to map out the software stack being used.
From there, the attacker would pick out a weak spot in that stack – say, a dependency or GitHub project – and slip poisoned code in. This could be as simple as slipping attack code into StackOverflow.
Because so many developers will pull, copy, and share their open source code without a second thought, they will happily exploit their own machines. Jones said this is even the case when the dev's computer tries to warn them that something bad is going to happen.
Much of this, he said, is due to learned behavior rather than ignorance. After years of sharing code and tips with other developers and seeing their peers ignoring warnings while working on projects, many coders have unlearned some of the basic rules other users follow.
"Most developers consider themselves to be moderately intelligent but not stupid," mused Jones. "I have found most developers are highly intelligent, but also highly stupid."
The problem is amplified by the fact that developers are also extremely high-value targets. In addition to their own code, many devs will have things like security keys or admin access to other networked devices. This can open the door to everything from server takeovers to DNS rebinding or man-in-the-middle attacks.
"Developers have all the juicy bits of production systems sitting around on their laptops," said Jones. "And that will give you the foothold you need to completely take over their organization."
The solution, it seems, is for developers to re-learn some best practices. Jones advised basic steps for devs such as not storing production code on their local machine, scrutinizing the projects they use in their software stacks, not oversharing information about their projects on social media, and, er, actually paying attention to warning messages. ®