Critical Backdoor Internet Security Breach Accidentally Found Before Implementation – MishTalk

/in


I am fascinated by a story of how a Microsoft engineer discovered a major, heavily disguised, backdoor security breach that was years in the making, and nearly implemented.

Background

Hidden in a widely use compression utility was a software backdoor that would allow someone remote access to entire systems.

This was a multi-year endeavor by user named Jia Tan, @JiaT75 who gained trust over many years. His account is now suspended everywhere.

HackerNews has this interesting snip.

Microsoft security researcher Andres Freund has been credited with discovering and reporting the issue on Friday.

The heavily obfuscated malicious code is said to have been introduced over a series of four commits to the Tukaani Project on GitHub by a user named JiaT75.

The Long Game

These opensource projects are volunteer work. They pay nothing.

The person normally responsible for the code, Lasse Collin (Larhzu), maintained the utility since 2009 but was suffering burnout.

Jia Tan started contributing in the last 2-2.5 years and gained commit access, and then release manager rights, about 1.5 years ago.

Backdoor Uncovered in Years-Long Hacking Plot

Much of this story is extremely geekish and difficult to understand. An article on Unicorn Riot is generally readable.

Please consider Backdoor Uncovered in Years-Long Hacking Plot

A fascinating but ominous software story dropped on Friday: a widely used file compression software package called “xz utils” has a cleverly embedded system for backdooring shell login connections, and it’s unclear how far this dangerous package got into countless internet-enabled devices. It appears the persona that injected this played a long game, gaining the confidence of the legitimate main developer, and thus empowered to release new versions themselves.

Andreas Freund reported this Friday morning on an industry security mailing list, leading many experts to spend the day poking under rocks and peering into the abyss of modern digital insecurity: “The upstream xz repository and the xz tarballs have been backdoored,” Freund wrote. It cleverly pokes a hole in the SSH daemon (sshd), which is essential to modern-day computing at the most fundamental level.

The…

Source…