Software Engineering Radio - the podcast for professional software developers

SE Radio 630: Luis Rodríguez on the SSH Backdoor Attack

Aug 22, 2024

44:00

Snipd AI

Luis Rodríguez, CTO of Xygeni.io, discusses a recent SSH backdoor attack that posed a threat to over 20 million servers. He details how the malicious code was inserted via a compromised compression library and the sophisticated social engineering employed by the attacker. The conversation highlights the limitations of traditional exploit detection methods and the implications for open source security. Rodríguez emphasizes the importance of community vigilance in identifying legitimate contributions to prevent future incidents.

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

The attempted SSH backdoor attack highlighted the need for vigilant contributors in software communities, as even non-security specialists can uncover vulnerabilities.

The incident demonstrated the effectiveness of social engineering in manipulating open-source repository maintainers, underscoring the necessity for stricter oversight and security measures.

Deep dives

Overview of the Supply Chain Attack

A significant supply chain attack involved the introduction of a backdoor in a popular Linux compression library, LCMA. This backdoor was eventually embedded into OpenSSH, resulting in malicious command execution capabilities. The attack exemplified advanced techniques, including the use of obfuscation to evade detection from reviewers, ultimately affecting potentially over 20 million OpenSSH servers. Fortunately, the issue was identified and contained quickly, preventing further distribution and potential exploitation.

Intro

2min

Unmasking the SSH Backdoor

10min

Exploring Vulnerabilities in Process Runtimes and Security Measures

2min

Unmasking the SSH Backdoor Attack

13min

Navigating Open Source Security Challenges

14min

Understanding Social Engineering in Cyber Attacks

2min

Luis Rodríguez, CTO of Xygeni.io, joins host Robert Blumen for a discussion of the recently thwarted attempt to insert a backdoor in the SSH (Secure Shell) daemon. OpenSSH is a popular implementation of the protocol used in major Linux distributions for authentication over a network. Luis describes how a backdoor in a supporting library was recently discovered and removed before the package was published to stable releases of the Linux distros. The conversation explores the mechanism of the attack through modifying a function table in the runtime; how the attack was inserted during the build; how the attack was carefully staged in a series of modifications to the lz compression library; the nature of “Jia Tan,” the entity who committed the changes to the open source project; social engineering that the entity used to gain the trust of the open source community; what forensics indicates about the location of the entity; hypotheses about whether criminal or state actors backed the entity; how the attack was detected; implications for other open source projects; why traditional methods for detecting exploits would not have helped find this; and lessons learned by the community.

Brought to you by IEEE Computer Society and IEEE Software magazine.

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Software Engineering Radio - the podcast for professional software developers

SE Radio 630: Luis Rodríguez on the SSH Backdoor Attack