Re: [cryptography] [Cryptography] What is Intel(R) Core™ vPro™ Technology Animation

[coderman]

On Mon, Sep 23, 2013 at 1:33 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> ...
> Do you just snatch the source code and intellectual property, or do
> you use it as a springboard into other things? (I've never really
> thought about it).


for better or for worse (mostly better) these systems have made their
way into release package builds and production deployment processes.

i'm speaking in generalities here, for various reasons, but common
trajectories include:
- obtaining the private keys or http auth passwords for access to
source code repositories.
- obtaining ssh private keys for access to other systems, e.g. remote
build hosts or even production hosts.
- obtaining kerberos/ldap/http/* auth credentials for bug reporting
systems, release code signing, or other facilities.
- obtaining access to datacenter or operations automation: cfengine,
chef, puppet, etc. these are really useful ;)
- obtaining test automation tools and other "QA" hooks with elevated
access and fewer controls.
- privilege escalation on the CI host which in turn is often
whitelisted and useful as further pivot.
- providing example usage for invocation of and command line
parameters for custom internal software.
- providing excellent watering hole "infection vector" for technical
staff in an org. e.g. taking over engineering workstations.


from here you've got everything you need to infiltrate an entire organization.

the source code provides "hard coded" keys/passwords or pointers to
files where interesting bits lay,

the conduit to engineering systems which grant access to public facing
services and data stores,

the credentials and access for all operational concerns,

the org is your oyster...