I was going to write something else for July but this topic is in my wheelhouse so I thought it would be fun do this piece instead.
A big eyeroll to the whole CrowdStrike incident. Millions of computers crashed by something a few people did, or didn’t do, in one modest-sized software company. Air travel, banking, health care, all significantly disrupted.
If it was an accident it was inexcusable. But more importantly, it would not be that hard to mount a real, much larger, cyberattack. Industry knows this but they are too busy “move fast and break things”-ing to urgently fix one of the world’s most vulnerable and massive attack surfaces: open source computer code. This weakness is being exploited daily, without doubt.
Huh?
Virtually all of the software infrastructure running the planet now uses at least some code written by crowds of developers who are not directly affiliated and who are not directly accountable to anyone other than their other non-affiliated peers. They can come from anywhere in the world with an Internet connection.
The only consequence of a code contributor’s total incompetence or malfeasance is being ostracized from the cadre of other contributors. That is, if - a big if - the “maintainers” of the code catch the problem.
So called “open source” code development has been a terrifyingly rapid way for software to eat the world. Why? Because much of its development process is free of the friction of inconvenient things like oversight, quality assurance, or testing before release. “Move fast and break things” - the mantra that has powered a generation, as if breaking things was a good thing.
So open source code powers everything on the Internet. And in your PC. Your phone. Your cars. The world runs on open source. And there is nobody officially accountable for any of these millions of lines of code. Nobody to fire, nobody bound by an oath of duty, nobody to haul before a congressional committee or put in jail.
Nerdy Part
Here’s a toy example of some malicious code in a pseudo computer language:
global mask=1;
-----
function ReadALine
x = getmask()
readline( Input)
index = 0
loop( Input, lengthof( Input ) )
if Input[ index ] & x
writelog( "parity calculation correct for P" )
else
writelog( "parity failure for P" )
index = index + 1
end loop
x = x * 2
putmask( x )
return Input
end function
This example is trivial and should be caught by an open source project team. If there is a team, that is. Or if code maintainers do exist, and are diligent and on the lookout.
The code outputs to a log file everything needed to exfiltrate bits of the data a user might enter, while appearing to be innocuous. If this code is in a collection of other code in another project, and then used to get a password input from a user, and is called eight times, then the entire password can be collected from the log by an unrelated piece of software and sent to - wherever.
There are thousands upon thousands of small open source programs where this kind of surreptitious exfiltration (called a “covert channel”) could be introduced and never seen or caught. Programmers working for companies like … well, every company that works with software … grab these almost anonymous bits and pieces of code from the Internet daily and incorporate them into … well, everything.
And this sort of attack is undetectable by antivirus and malware scanners. By network firewalls. Router settings. All your defenses are useless. Once injected into the open source ecosystem and incorporated into a product, code like this could remain quietly poised indefinitely, awaiting a trigger to detonate.
Now Imagine
Imagine a world of state organizations with limitless resources, staffed by thousands of some of the smartest and most committed zealots on the planet. Organizations like … well, all the intelligence and military agencies of the US, EU, Russia, China, Iran, Israel, Australia, Japan, Korea, Ukraine …
Imagine their goal is to infiltrate teams developing open source code and introduce subtle vulnerabilities that can be exploited at will.
There every reason to assume they are diligently working to exploit the open source ecosystem wherever possible as you read this.
The Heartbleed incident of ten years ago appears to have been a bug, though it may have been something else, perhaps? Eventually discovered, the code anomaly caused a major earthquake throughout the Internet of the day. A similar incident now would be much worse.
Is there malicious code, under the control of world-class covert agencies and criminals, running on PC’s, phones, servers, browsers? Without doubt. The Great CrowdStrike Incident may have been a test of a system for causing widespread disruption. It may have been a test of recovery or resistance to such an attack. It may have been just a handful of employees who forgot to check some checkboxes. Impossible to say from here.
Photo credits: Pexels; Ivan Samkov & Tima Miroshnichenko
Did you know you can inject malicious code into systems using image files?