The dirty little secret of computer security is that protection against insiders mostly amounts to squeezing your eyes shut very tightly and crossing your fingers.
The insider has always been a major computer security threat, but as the software applications we use every day become massively distributed via technologies such as Service Oriented Architecture and Web 2.0 technologies, the risk of an insider attack grows larger. With the advent of modern software architectures, distinguishing an insider from an outsider is becoming more difficult.
Insider attacks are the bugaboo of computer security. A majority of computer security technology is designed to keep malicious hackers out of our networks and off our personal computers (mostly by putting network gear between us and them, and by keeping an eye out for possible intrusions).
Unfortunately, firewalls and intrusion detection systems do almost nothing to address insider attacks. In fact, despite the seriousness of the insider threat, very little has been done to stop it.
Defending against insiders is a hard problem, because insiders have legitimate access to a variety of resources. Of course, they can also misuse and abuse these resources, especially if they have a fair measure of privilege. Let's look at a couple of examples.
Exploiting Online Games
In our new book Exploiting Online Games, Greg Hoglund and I describe a number of successful attacks that allow cheating in massively multiplayer online role playing games (MMORPGs), such as Blizzard Entertainments World of Warcraft (WOW). The kinds of attacks we describe in the book have become wildly popular among black hats, mainly due to the fact that a successful attack can be leveraged into lots of money. (See Online Games to Cause Software Security Issues.)
The most successful exploits against MMORPGs work by abusing the game client software in some way or another. If you think about it carefully, you can construe the kinds of attacks that we describe as insider attacks. Heres why.
MMORPG architecture usually follows a classic client-server model. However, a popular game like WOW doesnt involve a handful of clients and a server or two. What makes MMORPGs "massive" is their sheer numbers.
At any given time, about 400,000 people are playing WOW. That means 400,000 client PCs attaching over the Internet to a large number of servers in a load-balanced server farm. Each of the 400,000 or more clients runs the client game software on an Internet-connected PC. The game client software itself is part of a sophisticated, massively distributed game architecture.
When the architects of WOW and other MMORPGs were building their game, they gave very little thought to the notion of an insider attack. Many of their design decisions involve sharing a huge amount of "state" with the game client software.
Astute readers will see the problem immediately. How can the game client software be trusted to produce valid and meaningful game play if the player sets out to cheat? What if the gamer is a cheating skunk who sets out to manipulate the game through the client software on his or her own PC?
Therein lies the big "insider issue" in the sky. In a normal model, insiders are trusted, and outsiders are not. But when insiders and outsiders blend in a big pool of possible users, trouble ensues.
Deep down, the real problem is trust. In the old days, trust was easy to assign. Insiders were trusted and outsiders were not. But in the modern era, trust models are much more complex, and security architecture has a long way to go to catch up.
To give you a flavor of what I mean, consider the following "insider" attacks (all of which are described in gory detail with lots of code in the book): Build yourself a "bot" program to play the game automatically for you; abuse the clients "state" to manipulate the game; change the logic of the game client entirely, but fool the server into thinking that everything is fine.
Bots can be as simple as scripts in the macro language supplied with the game, or as complex as debuggers that attach to the game process and splay it wide open for the attacker. The game client software is an "insider" in the game architecture, and the server-side functionality is not set up to expect insider attacks coming from the game client itself. Note that no remote-exploit or network security hacking is required to exploit online games, which creates some legal issues as well.
This entire online game hacking phenomenon could be no more than an interesting little aside for computer security except for the fact that MMORPG security is a harbinger of software issues to come. Because these games push the limits of software technology especially when it comes to state, time, and user participation, they are the forerunners of highly interactive applications to come in other arenas.
In the future, all kinds of software will evolve to be massively distributed, with servers interacting with and providing services for thousands of users at once. The move to Web services and SOA built on technologies like Ajax and Ruby is only the beginning. Let's look at a real-world example in the world of Google.Exploiting Google Desktop Search
As in the gaming exploits, the attack on Google Desktop requires no malicious hacking or binary payload injection. The problem results from an architectural misunderstanding in the trust relationships. Take a closer look at the paper to see what I mean.
These are the kinds of security problems that result from modern software architectures, where trust model boundaries are confused. As long as software designers dont explicitly consider the case of the "insider gone bad" in their design, were in for a whole lot of hurt and not just in the virtual world of gaming, but in the real world as well.