Risky Business #743 -- A chat about the xz backdoor with the guy who found it
Apr 3, 2024
Andres Freund, the Postgres developer, talks about discovering a backdoor in the xz Linux compression library. The podcast delves into the SSH backdoor issue, Microsoft's security vulnerabilities, Ukraine hacking Russia, and push-notifications vs Apple. They also discuss the implications of the supply chain attack in Linuxland and explore the technical aspects of the backdoor issue.
Andres Freund discovered a sophisticated SSH backdoor in the XZ compression library, allowing root access via SSH servers.
Microsoft faced criticism from the CSRB for security lapses in handling a major hack affecting government organizations.
The podcast emphasizes the shift to using security-focused enterprise browsers like Island for improved disaster recovery and incident response.
Deep dives
Complex Backdoor in XZ Compression Library
A detailed discussion in the podcast highlighted a sophisticated backdoor implanted in the XZ compression library, affecting Unix systems. The backdoor allowed pre-authentication access to SSH servers, enabling malicious actors to execute commands as root. The infiltration involved a bogus maintainer, Jia Tan, who gained trust within the open-source ecosystem and escalated the attack in response to impending changes in Linux. The backdoor shipped in release versions of XZ, targeting systems running developer releases of Linux distributions.
Uncovering the SSH Backdoor Operation
The podcast featured an interview with Andres Freund, a developer at Microsoft, who discovered the SSH backdoor during a code review. Through meticulous profiling and analysis, Freund uncovered the stealthy operation that injected anomalous behavior into the build process. The backdoor, hidden within the XZ compression library, exhibited a level of complexity that evaded immediate detection, challenging conventional assumptions about open-source security reviews. Freund's expertise and persistence played a crucial role in unveiling the deliberate malicious activity.
Critical Analysis of Microsoft's Security Failures
The podcast detailed the Cyber Safety Review Board's scathing report on Microsoft's handling of the massive hack involving the State Department and other organizations. The report criticized Microsoft's lax security practices, emphasizing failures in key rotation, authentication mechanisms, and communication with customers. It highlighted the link between the attackers behind this breach and previous high-profile cyber incidents, indicating a recurring pattern of sophisticated attacks. The report underscored the need for Microsoft to prioritize security over sales and return to the core principles of trustworthiness in computing.
Future Security Considerations and National Context
Amid concerns of potential state-sponsored involvement in cyberattacks, the podcast explored the implications for national security and cloud service providers. Speculation arose about the involvement of Russia's advanced persistent threat group in the breach, raising questions about the level of sophistication and motivations behind such coordinated attacks. The discussion delved into the necessity of regulatory measures to strengthen cloud service security standards and mitigate risks posed by state-backed threat actors. The episode underscored the critical need for continuous vigilance and proactive security measures to safeguard against evolving cyber threats.
Impact of Microsoft's Communication During Security Incidents
This segment discusses the importance of Microsoft addressing cybersecurity issues and the significance of effective communication during security incidents. The podcast highlights instances where Microsoft faced breaches in Azure and M365 and emphasizes the need for improved communication strategies during such events. It also notes the global implications, with UK government entities and private individuals affected by these breaches, showing how widespread the concerns about cybersecurity are.
Use of Enterprise Browser for Disaster Recovery and Incident Response
This segment explores how organizations are using enterprise browsers like Island as a substitute for traditional VDI solutions, particularly in disaster recovery and incident response scenarios. The podcast details how an enterprise browser can support resiliency by providing alternative paths for application access and aiding rapid recovery after an incident. It illustrates the versatility of browsers in maintaining communication channels, restoring critical apps quickly, and ensuring adherence to cybersecurity standards even on unmanaged devices.
On this week’s show Patrick and Adam discuss the week’s security news, including:
The SSH backdoor that dreams (or nightmares) are made of
Microsoft gets a solid spanking from the CSRB
Ukraine uses an old Russian WinRAR bug to hack Russia
Push-notifications and social-engineering combined-arms vs Apple
And much, much more.
We have a special guest in this week’s show, Andres Freund, the Postgres developer who discovered the backdoor in the xz Linux compression library.
This week’s show is brought to you by Island, a company that makes a security-focussed enterprise browser. Island’s Bradon Rogers is this week’s sponsor guest and he’ll be joining us to talk about how people are swapping out their Virtual Desktop Infrastructure for enterprise-focussed browsers like theirs.