Sunday, 24 Nov 2024

One engineer's curiosity may have saved us from a devastating cyber-attack | John Naughton

On Good Friday, a Microsoft engineer named Andres Freund noticed something peculiar. He was using a software tool called SSH for securely logging into remote computers on the internet, but the interactions with the distant machines were significantly slower than usual. So he did some digging and found malicious code embedded in a software package called XZ Utils that was running on his machine. This is a critical utility for compressing (and decompressing) data on the Linux operating system, the OS that powers the vast majority of publicly accessible internet servers across the world, and it is installed on a very large share of those machines.

Freund's digging revealed that the malicious code had arrived on his machine via two recent updates to XZ Utils (versions 5.6.0 and 5.6.1), and he alerted the oss-security mailing list to reveal that those updates were the result of someone intentionally planting a backdoor in the compression software. It was what is called a "supply-chain attack" (like the catastrophic SolarWinds one of 2020) - where malicious software is not directly injected into targeted machines, but distributed by infecting the regular software updates to which all computer users are wearily accustomed. If you want to get malware out there, infecting the supply chain is the smart way to do it.

So what was the malware discovered by Freund designed to do? Basically to tamper with the authentication step inside the SSH server (sshd). On many Linux systems sshd ends up loading the XZ compression library, and the planted code hooked the routine that checks a connecting client's key, so that an intruder holding a particular private key could bypass authentication altogether and run commands on the machine as root. Since SSH is a vital tool for the safe operation of a networked world, anything that undermines it is really bad news - which is why the cybersecurity world has been on high alert in the past week. Those running the different flavours of Linux that are in use across the world have been alerted to the dangers posed by the two rogue updates and told to roll back to an earlier, clean release.
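The practical question for anyone running Linux that week was simple: is my xz one of the two poisoned releases, and does my SSH server actually load it? The script below is an added example, not something from the original column or from the XZ Utils project. It assumes the standard first line of `xz --version` output ("xz (XZ Utils) 5.6.1"), that the two backdoored versions are 5.6.0 and 5.6.1, and that `ldd` on the sshd binary will list liblzma when the server links it (directly or via libsystemd, as on Debian- and Fedora-style systems). The live check runs only when RUN_LIVE is set, so the functions can also be used on captured output from another host.

```shell
#!/bin/sh
# Added example (not from the article or the XZ Utils project): check whether
# a host's xz is one of the two backdoored releases, 5.6.0 and 5.6.1, and
# whether the SSH server binary actually loads liblzma, which is the path by
# which the planted code reached sshd.

# Pull the version number out of the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
parse_xz_version() {
    # $1: the full text printed by `xz --version`
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) when the version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the given sshd binary is dynamically linked against liblzma,
# directly or indirectly; return 2 when the binary is missing.
sshd_loads_liblzma() {
    sshd_path="${1:-/usr/sbin/sshd}"
    [ -x "$sshd_path" ] || return 2
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Combine the two checks into a one-line verdict.
#   $1: captured `xz --version` output
#   $2: path to the sshd binary to inspect
assess_host() {
    ver=$(parse_xz_version "$1")
    if xz_version_affected "$ver"; then
        if sshd_loads_liblzma "$2"; then
            echo "AFFECTED: xz $ver and sshd loads liblzma"
        else
            echo "AFFECTED-VERSION: xz $ver (sshd absent or does not load liblzma)"
        fi
    else
        echo "OK: xz $ver not in the backdoored set"
    fi
}

# Live check of the current machine, only when explicitly requested:
#   RUN_LIVE=1 sh xz_check.sh
if [ -n "${RUN_LIVE:-}" ] && command -v xz >/dev/null 2>&1; then
    assess_host "$(xz --version 2>/dev/null)" /usr/sbin/sshd
fi
```

An "OK" verdict only says the installed release is not one of the two known-bad ones; it says nothing about a build patched from some other source, so on a fleet the check belongs alongside the distribution's own package advisories rather than replacing them.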

So stable door bolted, and hopefully no horses missing. None of this would have been true, though, if Freund hadn't been so hawk-eyed and inquisitive. "The world owes Andres unlimited free beer," observed one security expert. "He just saved everybody's arse in his spare time."

In some ways, the story of how the malware got into the updates is even more instructive. XZ Utils is open-source software, ie software with source code that anyone can inspect, modify and enhance. Much open source is written and maintained by small teams of programmers, and in many cases by a single individual. In XZ Utils, that individual for years has been Lasse Collin, who has been with the project since its inception. Until recently he was the person who had been assembling and distributing the updates of the software.

So now the plot thickens. Cybersecurity experts are clearly taking the attack seriously. "The backdoor is very peculiar in how it is implemented, but it is really clever stuff and very stealthy," a well-known South African security guru told the Economist. Even more interesting is the existence of a concerted online campaign to persuade Lasse Collin to share control of XZ Utils with "Jia Tan", a pseudonymous contributor who had spent two years submitting patches, was eventually made a co-maintainer, and then shipped the two poisoned releases. This particular guru suspects that the SVR, the Russian foreign intelligence service behind the SolarWinds penetration of US government networks, might even have played a role in the attack.

Who knows? But two clear lessons can be drawn from what we know so far. The first is that we have constructed a whole new world on top of a technology that is intrinsically and fundamentally insecure. The second is that we are critically dependent on open-source software that is often maintained by volunteers who do it for love rather than money - and generally without support from either industry or government. We can't go on like this, but we will. Those whom the Gods wish to destroy, they first make complacent.

How to-talitarian: How could Trump actually turn the US into a fascist state? Robert Reich outlines Trump's five-stage plan on his Substack.

The consequences of Conservative government: What have 14 years of Conservative rule done to Britain? You know the answer, but Sam Knight gives some useful detail in a New Yorker essay.

Our priceless planet: Why capitalism can't solve the climate crisis - Prof Brett Christophers explains in Time magazine.
