Risk
8/14/2007
01:30 AM
50%
50%

The Ultimate Insider

Flaws in applications can lead to the compromise of your enterprise - from inside out

The dirty little secret of computer security is that protection against insiders mostly amounts to squeezing your eyes shut very tightly and crossing your fingers.

The insider has always been a major computer security threat, but as the software applications we use every day become massively distributed via technologies such as Service Oriented Architecture and Web 2.0 technologies, the risk of an insider attack grows larger. With the advent of modern software architectures, distinguishing an insider from an outsider is becoming more difficult.

Insider attacks are the bugaboo of computer security. A majority of computer security technology is designed to keep malicious hackers out of our networks and off our personal computers (mostly by putting network gear between us and them, and by keeping an eye out for possible intrusions).

Unfortunately, firewalls and intrusion detection systems do almost nothing to address insider attacks. In fact, despite the seriousness of the insider threat, very little has been done to stop it.

Defending against insiders is a hard problem, because insiders have legitimate access to a variety of resources. Of course, they can also misuse and abuse these resources, especially if they have a fair measure of privilege. Let's look at a couple of examples.

Exploiting Online Games
In our new book Exploiting Online Games, Greg Hoglund and I describe a number of successful attacks that allow cheating in massively multiplayer online role playing games (MMORPGs), such as Blizzard Entertainment’s World of Warcraft (WOW). The kinds of attacks we describe in the book have become wildly popular among black hats, mainly due to the fact that a successful attack can be leveraged into lots of money. (See Online Games to Cause Software Security Issues.)

The most successful exploits against MMORPGs work by abusing the game client software in some way or another. If you think about it carefully, you can construe the kinds of attacks that we describe as insider attacks. Here’s why.

MMORPG architecture usually follows a classic client-server model. However, a popular game like WOW doesn’t involve a handful of clients and a server or two. What makes MMORPGs "massive" is their sheer numbers.

At any given time, about 400,000 people are playing WOW. That means 400,000 client PCs attaching over the Internet to a large number of servers in a load-balanced server farm. Each of the 400,000 or more clients runs the client game software on an Internet-connected PC. The game client software itself is part of a sophisticated, massively distributed game architecture.

When the architects of WOW and other MMORPGs were building their game, they gave very little thought to the notion of an insider attack. Many of their design decisions involve sharing a huge amount of "state" with the game client software.

Astute readers will see the problem immediately. How can the game client software be trusted to produce valid and meaningful game play if the player sets out to cheat? What if the gamer is a cheating skunk who sets out to manipulate the game through the client software on his or her own PC?

Therein lies the big "insider issue" in the sky. In a normal model, insiders are trusted, and outsiders are not. But when insiders and outsiders blend in a big pool of possible users, trouble ensues.

Deep down, the real problem is trust. In the old days, trust was easy to assign. Insiders were trusted and outsiders were not. But in the modern era, trust models are much more complex, and security architecture has a long way to go to catch up.

To give you a flavor of what I mean, consider the following "insider" attacks (all of which are described in gory detail with lots of code in the book): Build yourself a "bot" program to play the game automatically for you; abuse the client’s "state" to manipulate the game; change the logic of the game client entirely, but fool the server into thinking that everything is fine.

Bots can be as simple as scripts in the macro language supplied with the game, or as complex as debuggers that attach to the game process and splay it wide open for the attacker. The game client software is an "insider" in the game architecture, and the server-side functionality is not set up to expect insider attacks coming from the game client itself. Note that no remote-exploit or network security hacking is required to exploit online games, which creates some legal issues as well.

This entire online game hacking phenomenon could be no more than an interesting little aside for computer security – except for the fact that MMORPG security is a harbinger of software issues to come. Because these games push the limits of software technology – especially when it comes to state, time, and user participation, they are the forerunners of highly interactive applications to come in other arenas.

In the future, all kinds of software will evolve to be massively distributed, with servers interacting with and providing services for thousands of users at once. The move to Web services and SOA – built on technologies like Ajax and Ruby – is only the beginning. Let's look at a real-world example in the world of Google.

Exploiting Google Desktop Search
In February of 2007, the software security firm Watchfire (since acquired by IBM) discovered an attack methodology against Google Desktop that provides evidence of the "insider" problem in modern software architecture. The attack that Watchfire describes works by misusing the trust model set up between Google’s Website and Google Desktop.

As in the gaming exploits, the attack on Google Desktop requires no malicious hacking or binary payload injection. The problem results from an architectural misunderstanding in the trust relationships. Take a closer look at the paper to see what I mean.

These are the kinds of security problems that result from modern software architectures, where trust model boundaries are confused. As long as software designers don’t explicitly consider the case of the "insider gone bad" in their design, we’re in for a whole lot of hurt – and not just in the virtual world of gaming, but in the real world as well.

— Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.