Risk

8/14/2007
01:30 AM
50%
50%

The Ultimate Insider

Flaws in applications can lead to the compromise of your enterprise - from inside out

The dirty little secret of computer security is that protection against insiders mostly amounts to squeezing your eyes shut very tightly and crossing your fingers.

The insider has always been a major computer security threat, but as the software applications we use every day become massively distributed via technologies such as Service Oriented Architecture and Web 2.0 technologies, the risk of an insider attack grows larger. With the advent of modern software architectures, distinguishing an insider from an outsider is becoming more difficult.

Insider attacks are the bugaboo of computer security. A majority of computer security technology is designed to keep malicious hackers out of our networks and off our personal computers (mostly by putting network gear between us and them, and by keeping an eye out for possible intrusions).

Unfortunately, firewalls and intrusion detection systems do almost nothing to address insider attacks. In fact, despite the seriousness of the insider threat, very little has been done to stop it.

Defending against insiders is a hard problem, because insiders have legitimate access to a variety of resources. Of course, they can also misuse and abuse these resources, especially if they have a fair measure of privilege. Let's look at a couple of examples.

Exploiting Online Games
In our new book Exploiting Online Games, Greg Hoglund and I describe a number of successful attacks that allow cheating in massively multiplayer online role playing games (MMORPGs), such as Blizzard Entertainment’s World of Warcraft (WOW). The kinds of attacks we describe in the book have become wildly popular among black hats, mainly due to the fact that a successful attack can be leveraged into lots of money. (See Online Games to Cause Software Security Issues.)

The most successful exploits against MMORPGs work by abusing the game client software in some way or another. If you think about it carefully, you can construe the kinds of attacks that we describe as insider attacks. Here’s why.

MMORPG architecture usually follows a classic client-server model. However, a popular game like WOW doesn’t involve a handful of clients and a server or two. What makes MMORPGs "massive" is their sheer numbers.

At any given time, about 400,000 people are playing WOW. That means 400,000 client PCs attaching over the Internet to a large number of servers in a load-balanced server farm. Each of the 400,000 or more clients runs the client game software on an Internet-connected PC. The game client software itself is part of a sophisticated, massively distributed game architecture.

When the architects of WOW and other MMORPGs were building their game, they gave very little thought to the notion of an insider attack. Many of their design decisions involve sharing a huge amount of "state" with the game client software.

Astute readers will see the problem immediately. How can the game client software be trusted to produce valid and meaningful game play if the player sets out to cheat? What if the gamer is a cheating skunk who sets out to manipulate the game through the client software on his or her own PC?

Therein lies the big "insider issue" in the sky. In a normal model, insiders are trusted, and outsiders are not. But when insiders and outsiders blend in a big pool of possible users, trouble ensues.

Deep down, the real problem is trust. In the old days, trust was easy to assign. Insiders were trusted and outsiders were not. But in the modern era, trust models are much more complex, and security architecture has a long way to go to catch up.

To give you a flavor of what I mean, consider the following "insider" attacks (all of which are described in gory detail with lots of code in the book): Build yourself a "bot" program to play the game automatically for you; abuse the client’s "state" to manipulate the game; change the logic of the game client entirely, but fool the server into thinking that everything is fine.

Bots can be as simple as scripts in the macro language supplied with the game, or as complex as debuggers that attach to the game process and splay it wide open for the attacker. The game client software is an "insider" in the game architecture, and the server-side functionality is not set up to expect insider attacks coming from the game client itself. Note that no remote-exploit or network security hacking is required to exploit online games, which creates some legal issues as well.

This entire online game hacking phenomenon could be no more than an interesting little aside for computer security – except for the fact that MMORPG security is a harbinger of software issues to come. Because these games push the limits of software technology – especially when it comes to state, time, and user participation, they are the forerunners of highly interactive applications to come in other arenas.

In the future, all kinds of software will evolve to be massively distributed, with servers interacting with and providing services for thousands of users at once. The move to Web services and SOA – built on technologies like Ajax and Ruby – is only the beginning. Let's look at a real-world example in the world of Google.

Exploiting Google Desktop Search
In February of 2007, the software security firm Watchfire (since acquired by IBM) discovered an attack methodology against Google Desktop that provides evidence of the "insider" problem in modern software architecture. The attack that Watchfire describes works by misusing the trust model set up between Google’s Website and Google Desktop.

As in the gaming exploits, the attack on Google Desktop requires no malicious hacking or binary payload injection. The problem results from an architectural misunderstanding in the trust relationships. Take a closer look at the paper to see what I mean.

These are the kinds of security problems that result from modern software architectures, where trust model boundaries are confused. As long as software designers don’t explicitly consider the case of the "insider gone bad" in their design, we’re in for a whole lot of hurt – and not just in the virtual world of gaming, but in the real world as well.

— Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8948
PUBLISHED: 2019-02-20
PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163.
CVE-2019-8950
PUBLISHED: 2019-02-20
The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET.
CVE-2019-8942
PUBLISHED: 2019-02-20
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image c...
CVE-2019-8943
PUBLISHED: 2019-02-20
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring...
CVE-2019-8944
PUBLISHED: 2019-02-20
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.