McAfee, a well-known internet security company, reported that weak security controls in the systems used for software development make it easy for attackers to steal valuable data from technology companies. In a recently released white paper, McAfee said that “such systems often don’t impose adequate security by default”. The McAfee paper pointed out issues in the popular system made by Perforce Software, whose customers include Google and many other technology companies.
Security in IT is always an issue, especially in the areas around developers. Unfortunately, good security is sometimes inconvenient, time consuming and administratively costly; it is trying to duplicate lock-and-key security, after all. In an active development environment, deadlines are all-important, and anything that impacts the ability to deliver on time, especially for key project elements, will get shunted aside. Also, just to get the SCM software up and running, I suspect that “default” installs are the norm rather than the exception. There is a naive expectation that since these tools are on the “inside”, they are safe. I’ve heard security folk describe a great many organizations’ IT security as “hard and crunchy on the outside, soft and chewy on the inside.” The assumption being made is that just keeping the bad guys out will keep you safe. Unfortunately, there are bad guys on the inside too. And if the bad guys do get in, there isn’t anything to stop them once they’re past the gate.
Besides the SCM tools mentioned, there are others in the open source arena like Subversion, or proprietary ones like PVCS, that I suspect may have similar holes.
This is particularly frightening when you consider what an attacker could do with it: just think what could happen if someone can check out source code, modify it to build their own “back door”, then check it back in. That could be far worse than stealing code, especially if the code is in the financial services arena or in government (law enforcement or intelligence).


3 Comments
I agree! It makes me sad to think of the lack of importance given to security within an organization. From personal experience, and after talking to many smart IT security personnel in large organizations, I have realized that internal IT security is not given the significance and attention it deserves. Don’t companies understand they are being penny wise, pound foolish? They may be saving money now, but isn’t it too big a risk, one that may have massive financial repercussions in the long run?
A
Well, I mostly agree with the comment above except for one point. I am aware that companies fail to place the necessary importance on security. From confidential material being sent to Gmail and Hotmail accounts, to Google Apps being used for a lot of collaboration, to personal workstations that don’t ask for usernames and passwords, to people taking stuff home on their laptops, I have witnessed many wrong practices. And these kinds of things happen in big, established, multi-million dollar organizations. It is a pity, really…
On the other hand, I am a believer in the claim that you will never be 100 percent secure. Like Joe stated in his post, some people inside do all kinds of things to have leverage in case they are in trouble or are to be fired in the future. I too have heard stories that involve employees encrypting proprietary software code so that no one can use it if they leave, opening back doors, etc… So perhaps the companies are aware that it is quite hard (if not impossible) to control what their employees are doing, and therefore their systems will never be 100% secure. That could be the reason behind them not pushing too hard on plugging the holes.
I agree with both Joe’s and KAtesci’s points of view. Indeed, a lot of companies didn’t pay enough attention to IT security. But with more and more incidents involving hackers and criminals, most companies now care about this issue and put a lot of effort into it. However, like KAtesci said, there is no 100% security in IT. So the more important thing is how to deal with these kinds of issues when facing them.