The software at the heart of the Internet is maintained not by any tech giant or government but by a handful of volunteer open source developers. The Economist describes how this very nearly ended in disaster.
At the end of March a developer at Microsoft noticed that ssh, the system for securely logging into another machine over the Internet, was taking about 500 milliseconds longer than it should. Thanks to that discovery, the world was spared what could have been the largest supply chain attack to date.
Malicious code detected
A closer investigation revealed malicious code deeply embedded in xz Utils, a data-compression tool (and its library, liblzma) used in the Linux operating system. Linux runs on pretty much every publicly accessible Internet server.
Those servers form the backbone of the Internet, including important financial and government services. On some Linux distributions the ssh server loads liblzma indirectly, via libsystemd, and the implant hooked the login path so that an attacker holding a particular private key could run commands on the machine: in effect a “master key” that would have let them steal data or plant further malicious code.
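The check a practitioner would want at this point is whether a given host carries one of the backdoored xz releases and whether its ssh server actually pulls liblzma into its process. The script below is an added example, not code from the article or from the xz project. It assumes `xz` and `ldd` are on PATH and that `sshd` is on PATH or at `/usr/sbin/sshd`; the affected upstream release numbers, 5.6.0 and 5.6.1, are known facts that the article itself does not state.

```shell
#!/bin/sh
# Added triage example, not from the article: does this host carry a
# backdoored xz/liblzma release, and does sshd pull liblzma into its process?
# Known-backdoored upstream releases are 5.6.0 and 5.6.1 (fact, not stated on
# the page). Assumed tools/paths: xz and ldd on PATH, sshd on PATH or at
# /usr/sbin/sshd. A version match is a reason to investigate (distributions
# may ship patched builds under other version strings), not proof of
# compromise on its own.

# Return 0 if VERSION is one of the backdoored upstream releases.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Given the full text of `xz --version`, print the liblzma version line's
# number (the backdoor lives in the library, not in the xz command itself).
extract_liblzma_version() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if the sshd binary links liblzma (directly or transitively, e.g.
# through libsystemd), 1 if it does not, 2 if sshd or ldd cannot be examined.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || printf '%s' /usr/sbin/sshd)
    [ -x "$sshd_path" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Human-readable verdict for a (liblzma version, sshd-links-liblzma) pair.
# LINKS is "yes", "no" or "unknown".
verdict() {
    version=$1
    links=$2
    if is_affected_xz_version "$version"; then
        if [ "$links" = yes ]; then
            printf 'INVESTIGATE: backdoored liblzma %s and sshd loads liblzma\n' "$version"
        else
            printf 'UPDATE: backdoored liblzma %s installed (sshd linkage: %s)\n' "$version" "$links"
        fi
    else
        printf 'OK: liblzma %s is not a known-backdoored release\n' "${version:-unknown}"
    fi
}

main() {
    version=""
    if command -v xz >/dev/null 2>&1; then
        version=$(extract_liblzma_version "$(xz --version 2>/dev/null)")
    fi
    if sshd_links_liblzma; then
        links=yes
    else
        # $? here is still the status of sshd_links_liblzma.
        case $? in
            2) links=unknown ;;
            *) links=no ;;
        esac
    fi
    verdict "$version" "$links"
}

main "$@"
```

Run it as `sh xz_check.sh` on each host; the verdict line is the result. The version check alone is not conclusive: the implant only activated in particular builds, and the tell on a live host was the login slowdown described above, so treat a match as a reason to update and investigate rather than as proof of compromise.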
So how did the malicious code get there? xz Utils is open source, meaning anyone can inspect the code and propose changes to it. In February, contributors who had submitted code hundreds of times over the preceding years, and had built up the project's trust in the process, smuggled in the backdoor.
“Own back door”
A security analyst tells The Economist that the significance of the attack is “enormous”. The back door, the analyst continues, is also “very peculiar” in how it is implemented; “smart” and “sneaky” are other verdicts. Perhaps it was even too stealthy: the extra work it did slowed ssh down, and that slowdown is what made it detectable.
The analyst also raises the possibility that it was a sophisticated intelligence operation by a state actor. Russia is suspected, but the evidence is still too weak to say.
Most ambitious attack
Besides being perhaps the most ambitious supply chain attack to date, it is a stark illustration of the fragility of the Internet and of the crowdsourced code on which it rests.
In theory the code is open, anyone can inspect it, and bugs or intentional backdoors will eventually be caught by collective review. In practice the backdoor shipped in two releases and was found by chance, through a performance anomaly rather than code review.
This time the attack was discovered and stopped before it could do extensive damage. Whether the attackers have tampered with other parts of the Internet's software is unknown.
2024-04-04 11:38:18