Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/14/2007
01:30 AM
50%
50%

The Ultimate Insider

Flaws in applications can lead to the compromise of your enterprise - from inside out

The dirty little secret of computer security is that protection against insiders mostly amounts to squeezing your eyes shut very tightly and crossing your fingers.

The insider has always been a major computer security threat, but as the software applications we use every day become massively distributed via technologies such as Service Oriented Architecture and Web 2.0 technologies, the risk of an insider attack grows larger. With the advent of modern software architectures, distinguishing an insider from an outsider is becoming more difficult.

Insider attacks are the bugaboo of computer security. A majority of computer security technology is designed to keep malicious hackers out of our networks and off our personal computers (mostly by putting network gear between us and them, and by keeping an eye out for possible intrusions).

Unfortunately, firewalls and intrusion detection systems do almost nothing to address insider attacks. In fact, despite the seriousness of the insider threat, very little has been done to stop it.

Defending against insiders is a hard problem, because insiders have legitimate access to a variety of resources. Of course, they can also misuse and abuse these resources, especially if they have a fair measure of privilege. Let's look at a couple of examples.

Exploiting Online Games
In our new book Exploiting Online Games, Greg Hoglund and I describe a number of successful attacks that allow cheating in massively multiplayer online role playing games (MMORPGs), such as Blizzard Entertainment’s World of Warcraft (WOW). The kinds of attacks we describe in the book have become wildly popular among black hats, mainly due to the fact that a successful attack can be leveraged into lots of money. (See Online Games to Cause Software Security Issues.)

The most successful exploits against MMORPGs work by abusing the game client software in some way or another. If you think about it carefully, you can construe the kinds of attacks that we describe as insider attacks. Here’s why.

MMORPG architecture usually follows a classic client-server model. However, a popular game like WOW doesn’t involve a handful of clients and a server or two. What makes MMORPGs "massive" is their sheer numbers.

At any given time, about 400,000 people are playing WOW. That means 400,000 client PCs attaching over the Internet to a large number of servers in a load-balanced server farm. Each of the 400,000 or more clients runs the client game software on an Internet-connected PC. The game client software itself is part of a sophisticated, massively distributed game architecture.

When the architects of WOW and other MMORPGs were building their game, they gave very little thought to the notion of an insider attack. Many of their design decisions involve sharing a huge amount of "state" with the game client software.

Astute readers will see the problem immediately. How can the game client software be trusted to produce valid and meaningful game play if the player sets out to cheat? What if the gamer is a cheating skunk who sets out to manipulate the game through the client software on his or her own PC?

Therein lies the big "insider issue" in the sky. In a normal model, insiders are trusted, and outsiders are not. But when insiders and outsiders blend in a big pool of possible users, trouble ensues.

Deep down, the real problem is trust. In the old days, trust was easy to assign. Insiders were trusted and outsiders were not. But in the modern era, trust models are much more complex, and security architecture has a long way to go to catch up.

To give you a flavor of what I mean, consider the following "insider" attacks (all of which are described in gory detail with lots of code in the book): Build yourself a "bot" program to play the game automatically for you; abuse the client’s "state" to manipulate the game; change the logic of the game client entirely, but fool the server into thinking that everything is fine.

Bots can be as simple as scripts in the macro language supplied with the game, or as complex as debuggers that attach to the game process and splay it wide open for the attacker. The game client software is an "insider" in the game architecture, and the server-side functionality is not set up to expect insider attacks coming from the game client itself. Note that no remote-exploit or network security hacking is required to exploit online games, which creates some legal issues as well.

This entire online game hacking phenomenon could be no more than an interesting little aside for computer security – except for the fact that MMORPG security is a harbinger of software issues to come. Because these games push the limits of software technology – especially when it comes to state, time, and user participation, they are the forerunners of highly interactive applications to come in other arenas.

In the future, all kinds of software will evolve to be massively distributed, with servers interacting with and providing services for thousands of users at once. The move to Web services and SOA – built on technologies like Ajax and Ruby – is only the beginning. Let's look at a real-world example in the world of Google.

Exploiting Google Desktop Search
In February of 2007, the software security firm Watchfire (since acquired by IBM) discovered an attack methodology against Google Desktop that provides evidence of the "insider" problem in modern software architecture. The attack that Watchfire describes works by misusing the trust model set up between Google’s Website and Google Desktop.

As in the gaming exploits, the attack on Google Desktop requires no malicious hacking or binary payload injection. The problem results from an architectural misunderstanding in the trust relationships. Take a closer look at the paper to see what I mean.

These are the kinds of security problems that result from modern software architectures, where trust model boundaries are confused. As long as software designers don’t explicitly consider the case of the "insider gone bad" in their design, we’re in for a whole lot of hurt – and not just in the virtual world of gaming, but in the real world as well.

— Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27743
PUBLISHED: 2020-10-26
libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a non-random/predictable session_id.
CVE-2020-1915
PUBLISHED: 2020-10-26
An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application usi...
CVE-2020-26878
PUBLISHED: 2020-10-26
Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.
CVE-2020-26879
PUBLISHED: 2020-10-26
Ruckus vRioT through 1.5.1.0.21 has an API backdoor that is hardcoded into validate_token.py. An unauthenticated attacker can interact with the service API by using a backdoor value as the Authorization header.
CVE-2020-15272
PUBLISHED: 2020-10-26
In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to alter the value of [the `GITHUB_REF` environment variable]. The problem has been patched in version ...