Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/14/2007
01:30 AM
50%
50%

The Ultimate Insider

Flaws in applications can lead to the compromise of your enterprise - from inside out

The dirty little secret of computer security is that protection against insiders mostly amounts to squeezing your eyes shut very tightly and crossing your fingers.

The insider has always been a major computer security threat, but as the software applications we use every day become massively distributed via technologies such as Service Oriented Architecture and Web 2.0 technologies, the risk of an insider attack grows larger. With the advent of modern software architectures, distinguishing an insider from an outsider is becoming more difficult.

Insider attacks are the bugaboo of computer security. A majority of computer security technology is designed to keep malicious hackers out of our networks and off our personal computers (mostly by putting network gear between us and them, and by keeping an eye out for possible intrusions).

Unfortunately, firewalls and intrusion detection systems do almost nothing to address insider attacks. In fact, despite the seriousness of the insider threat, very little has been done to stop it.

Defending against insiders is a hard problem, because insiders have legitimate access to a variety of resources. Of course, they can also misuse and abuse these resources, especially if they have a fair measure of privilege. Let's look at a couple of examples.

Exploiting Online Games
In our new book Exploiting Online Games, Greg Hoglund and I describe a number of successful attacks that allow cheating in massively multiplayer online role playing games (MMORPGs), such as Blizzard Entertainment’s World of Warcraft (WOW). The kinds of attacks we describe in the book have become wildly popular among black hats, mainly due to the fact that a successful attack can be leveraged into lots of money. (See Online Games to Cause Software Security Issues.)

The most successful exploits against MMORPGs work by abusing the game client software in some way or another. If you think about it carefully, you can construe the kinds of attacks that we describe as insider attacks. Here’s why.

MMORPG architecture usually follows a classic client-server model. However, a popular game like WOW doesn’t involve a handful of clients and a server or two. What makes MMORPGs "massive" is their sheer numbers.

At any given time, about 400,000 people are playing WOW. That means 400,000 client PCs attaching over the Internet to a large number of servers in a load-balanced server farm. Each of the 400,000 or more clients runs the client game software on an Internet-connected PC. The game client software itself is part of a sophisticated, massively distributed game architecture.

When the architects of WOW and other MMORPGs were building their game, they gave very little thought to the notion of an insider attack. Many of their design decisions involve sharing a huge amount of "state" with the game client software.

Astute readers will see the problem immediately. How can the game client software be trusted to produce valid and meaningful game play if the player sets out to cheat? What if the gamer is a cheating skunk who sets out to manipulate the game through the client software on his or her own PC?

Therein lies the big "insider issue" in the sky. In a normal model, insiders are trusted, and outsiders are not. But when insiders and outsiders blend in a big pool of possible users, trouble ensues.

Deep down, the real problem is trust. In the old days, trust was easy to assign. Insiders were trusted and outsiders were not. But in the modern era, trust models are much more complex, and security architecture has a long way to go to catch up.

To give you a flavor of what I mean, consider the following "insider" attacks (all of which are described in gory detail with lots of code in the book): Build yourself a "bot" program to play the game automatically for you; abuse the client’s "state" to manipulate the game; change the logic of the game client entirely, but fool the server into thinking that everything is fine.

Bots can be as simple as scripts in the macro language supplied with the game, or as complex as debuggers that attach to the game process and splay it wide open for the attacker. The game client software is an "insider" in the game architecture, and the server-side functionality is not set up to expect insider attacks coming from the game client itself. Note that no remote-exploit or network security hacking is required to exploit online games, which creates some legal issues as well.

This entire online game hacking phenomenon could be no more than an interesting little aside for computer security – except for the fact that MMORPG security is a harbinger of software issues to come. Because these games push the limits of software technology – especially when it comes to state, time, and user participation, they are the forerunners of highly interactive applications to come in other arenas.

In the future, all kinds of software will evolve to be massively distributed, with servers interacting with and providing services for thousands of users at once. The move to Web services and SOA – built on technologies like Ajax and Ruby – is only the beginning. Let's look at a real-world example in the world of Google.

Exploiting Google Desktop Search
In February of 2007, the software security firm Watchfire (since acquired by IBM) discovered an attack methodology against Google Desktop that provides evidence of the "insider" problem in modern software architecture. The attack that Watchfire describes works by misusing the trust model set up between Google’s Website and Google Desktop.

As in the gaming exploits, the attack on Google Desktop requires no malicious hacking or binary payload injection. The problem results from an architectural misunderstanding in the trust relationships. Take a closer look at the paper to see what I mean.

These are the kinds of security problems that result from modern software architectures, where trust model boundaries are confused. As long as software designers don’t explicitly consider the case of the "insider gone bad" in their design, we’re in for a whole lot of hurt – and not just in the virtual world of gaming, but in the real world as well.

— Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29144
PUBLISHED: 2020-11-27
In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via an Alert Dashboard comment. In most test cases, session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or e...
CVE-2020-29145
PUBLISHED: 2020-11-27
In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS via the name or description field to a solutionUnitServlet?SuName=UserReferenceDataSU Access Rights Group. In most test cases, session hijacking was also possible by utilizing t...
CVE-2020-29136
PUBLISHED: 2020-11-27
In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).
CVE-2020-29137
PUBLISHED: 2020-11-27
cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577).
CVE-2020-29135
PUBLISHED: 2020-11-27
cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).