SolarWinds hackers accessed Microsoft source code, the company says:
It is not clear how much or what parts of Microsoft's source code repositories the hackers were able to access, but the disclosure suggests that the hackers who used software company SolarWinds as a springboard to break into sensitive U.S. government networks also had an interest in discovering the inner workings of Microsoft products as well.
[...] Microsoft had already disclosed that like other firms it found malicious versions of SolarWinds' software inside its network, but the source code disclosure — made in a blog post — is new.
[...] Three people briefed on the matter said Microsoft had known for days that the source code had been accessed. A Microsoft spokesman said security employees had been working "around the clock" and that "when there is actionable information to share, they have published and shared it."
The SolarWinds hack is among the most ambitious cyber operations ever disclosed, compromising at least half-a-dozen federal agencies and potentially thousands of companies and other institutions. U.S. and private sector investigators have spent the holidays combing through logs to try to understand whether their data has been stolen or modified.
[...] Matt Tait, an independent cybersecurity researcher, agreed that the source code could be used as a roadmap to help hack Microsoft products, but he also cautioned that elements of the company's source code were already widely shared - for example with foreign governments. He said he doubted that Microsoft had made the common mistake of leaving cryptographic keys or passwords in the code.
Both Tait and Ronen Slavin, Cycode's chief technology officer, said a key unanswered question was which source code repositories were accessed.
Slavin said he was worried by the possibility that the SolarWinds hackers were poring over Microsoft's source code as prelude to a much more ambitious offensive.
"To me the biggest question is, 'Was this recon for the next big operation?'" he said.
(Score: 1, Troll) by fakefuck39 on Saturday January 02, @06:29PM
now that skilled programmers who could hack microsoft have their source code, maybe they can finally fix some shit.
(Score: 2) by requerdanos on Saturday January 02, @06:44PM (2 children)
From the article itself: "Source code — the underlying set of instructions that run a piece of software or operating system— is typically among a technology company’s most closely guarded secrets "
To which I would say, it depends. See the many free softwares hosted on Microsoft's own Github, for example.
(Score: 2) by KilroySmith on Saturday January 02, @06:46PM
And the fact that many governments, universities, and others have access to the source code for various reasons ranging from security auditing to educational. If a state actor wanted access to Windows Source code, I don't think it's a lot harder than calling up their National Sales Rep and having a bit of a negotiation.
(Score: 3, Insightful) by hash14 on Saturday January 02, @06:53PM
There are plenty of technically competent journalists, but not every news source has them. Some outlets, like this one probably, don't seem to prioritise this as much. And sadly, that makes articles like this difficult to write and might cause a lot of readers to be misinformed.
(Score: 2) by Rich on Saturday January 02, @06:49PM
I'm making the uneducated guess that any self-respecting secret service has binary analysis tools to dissect software back to source level and find low-level vulnerabilities. I would also guess that they have suitable diff tools, and a team set on to each major software piece to track changes really made. Or to put it into relation: with the cost to launch just a single spy satellite (budget solutions starting at $100M), one could keep a core OS development team for a decade.
So would such a service trample through there like a horde of elephants just to look at things? Just to get the smart comments of the Microsofties on top of what they have? Thinking for the time it took to type this, I see three targets worthy of the exposition risk: 1.) Internal business strategy. Or maybe not, given how headless they appear. 2.) Introducing bugs. Like one "goto fail" too much (and I have to repeat: that could never have been put in like it was by XCode...), or 3.) root signing keys. No one needs this crappy secure boot anyway, especially not when checking out traveller laptops in airport backrooms. (One would expect them to be handled air-gapped in faraday-cage-lined rooms, but given the general state of the industry, they can probably be found in some build logs).