By Norman Yue – Chief Technology Officer
Recently, I stumbled across an interesting blog post about trusting security software on Reddit (http://blog.cryptographyengineering.com/2013/10/lets-audit-truecrypt.html). This got me thinking, and kicked off a few conversations – to be honest, pretty much any open source software can be backdoored, and a good number of open source software packages have been/still are. It doesn’t need to be an obvious backdoor – simply omitting a security control, or rendering it weaker than it could be, could be just as effective (and much, much more difficult to detect during a source code audit).
For an attacker, the payoff is potentially huge, depending on the particular software being backdoored (just imagine if a tool such as nmap, or some FIM software, was to be backdoored). The cost can range from the attacker putting his hand up to “maintain” an open source WordPress plugin, to going after something unrelated and ending up with access to the source code repository of a popular security tool in his/her lap.
The same problem extends to both closed source software, and perhaps more interestingly, firmware (e.g. routers). As those of you on the full-disclosure mailing list have seen, there is often unannounced functionality in various bits of router firmware (http://www.devttys0.com/blog/), that’s sat around for a long time since no-one’s actually gone and looked for it (or they’ve kept the findings private). What’s the bet there’s quite a few firmware updates floating around with some bonus functionality graciously added by a curious Internet citizen?
The old adage “many eyes make short work of bugs” often doesn’t apply here, because either no-one’s looking (e.g. wp-recaptcha – random example) or they’re not looking for security issues beyond the most basic ones/not checking logs.
Just something to think about.