Secure Coding mailing list archives
Insider threats and software
From: michaelslists at gmail.com (silky)
Date: Fri, 17 Aug 2007 09:44:47 +1000
On 8/17/07, Gary McGraw <gem at cigital.com> wrote:
Hi,

The point here is NOT to pull a person-in-the-middle attack against the protocol, but rather to subvert the client completely and have the subverted client do all of your talking for you. The most advanced (game)bot techniques that we describe in EOG work by shimming (in an almost invisible way) the game client, then setting up a communication channel with another processor after a hardware interrupt in the main game thread is thrown. For those of you with the book, see pages 228-230. A less hairy approach is to attach to the game client as a debugger and just call methods like there's no tomorrow. The only problem with that approach is it is like stomping around in the mud puddle and you are likely to be detected.

Effectively then, you ARE the client. That's why I think it's more of an "insider" attack than your standard BO sploit.
how is this different than sending malformed packets to an rpc interface? the rpc would normally take its protocol from some app; but what you, as the smart attacker, have done is to review the app, exploit its weaknesses in client-side protocol assumptions (client will always send correctly formed packets) and profit. seems like the classic remote exploit development strategy.

you are also 'mixing in' a "bot" as an "exploit". it's not an exploit of the game in terms of compromising it; what you're actually compromising is the in-game protocols (not out-of-game-and-operating-system protocols). for example, there is a korean game for which you can buy a physical device that you attach to your mouse that plays the game for you. what sort of attack is this? it isn't any sort of classical attack. it's an automation of the game. which is a problem, granted, but not an 'insider attack'.

why blur the line on what insider attack means? it will only make life worse/easier for CTOs to fob it off as too hard. if you specifically define it, it can be acted on and solved. expanding the definition will only complicate matters, imho.
gem

p.s. I added a little bit of data on the justice league blog about this: http://www.cigital.com/justiceleague/2007/08/16/software-the-new-insider-threat/

-----Original Message-----
From: silky [mailto:michaelslists at gmail.com]
Sent: Tuesday, August 14, 2007 7:44 PM
To: Gary McGraw
Cc: SC-L at securecoding.org
Subject: Re: [SC-L] Insider threats and software

i really don't see how this is at all an 'insider' attack; given that it is the common attack vector for almost every single remote exploit strategy; look into the inner protocol of the specific app and form your own messages to exploit it.

On 8/15/07, Gary McGraw <gem at cigital.com> wrote:
Hi sc-l,

My darkreading column this month is devoted to insiders, but with a twist. In this article, I argue that software components which run on untrusted clients (AJAX anyone? WoW clients?) are an interesting new flavor of insider attack. Check it out: http://www.darkreading.com/document.asp?doc_id=131477&WT.svl=column1_1

What do you think? Is this a logical stretch or something obvious?

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
-- mike http://lets.coozi.com.au/