On Mon, Sep 23, 2013 at 1:33 PM, Jeffrey Walton <noloader@gmail.com> wrote:
> ... Do you just snatch the source code and intellectual property, or do you use it as a springboard into other things? (I've never really thought about it).

for better or for worse (mostly better) these systems have made their way into release package builds and production deployment processes.

i'm speaking in generalities here, for various reasons, but common trajectories include:

- obtaining the private keys or http auth passwords for access to source code repositories.
- obtaining ssh private keys for access to other systems, e.g. remote build hosts or even production hosts.
- obtaining kerberos/ldap/http/* auth credentials for bug reporting systems, release code signing, or other facilities.
- obtaining access to datacenter or operations automation: cfengine, chef, puppet, etc. these are really useful ;)
- obtaining test automation tools and other "QA" hooks with elevated access and fewer controls.
- privilege escalation on the CI host which in turn is often whitelisted and useful as further pivot.
- providing example usage for invocation of and command line parameters for custom internal software.
- providing excellent watering hole "infection vector" for technical staff in an org. e.g. taking over engineering workstations.

from here you've got everything you need to infiltrate an entire organization. the source code provides "hard coded" keys/passwords or pointers to files where interesting bits lie, the conduit to engineering systems which grant access to public facing services and data stores, the credentials and access for all operational concerns, the org is your oyster...