Penetration Testing mailing list archives

Re: Evolution of security threats and exploits...


From: Dan Crowley <dcrowley () coresecurity com>
Date: Wed, 01 Dec 2010 13:59:23 -0500

On 12/1/2010 7:10 AM, cribbar wrote:
> I’ve seen some of you post that server side vulnerabilities are becoming a
> less favourable and fruitful exploit – any particular reason why, and you
> tell us the majority of exploits now targeted by the bad guys are “client
> side”, which I suspect you mean unpatched client apps like Adobe
> Reader etc?
> Any reason for the switch from focusing primarily on the server side, and
> now focusing on client side exploits more?

This is true. People are starting to understand that you can't run all
the services you can possibly fit onto a box exposed to the Internet
24/7 and not have some issues. Firewalls and IDS/IPS are more common all
the time, and people writing network-accessible applications are more
aware of the danger involved. Nowadays, remote vulns that allow for
compromise of a fully patched Windows workstation running only default
services over the network come about once every two years. Lots of
organizations also have a process for patching their systems on a
regular basis, preventing this sort of issue.

On the other hand, few people writing client-side software care much
about writing securely. (At least, sometimes it seems that way.) Plus,
humans are naturally curious, desire to be helpful, and are prone to bad
decisions when emotions get involved. For these reasons and more, it's
often much easier to trick someone at the target organization to run
some bit of code or trigger a client-side vulnerability than it is to
find an exploitable vulnerability accessible from the Internet.

Then again, everyone these days wants to have a website accessible to
the Internet all the time without any lapse in availability. They want
interactivity and pizazz, and neglect security for its sake. In order to
pay less, they'll often hire in-house or low-end developers who might
not have a clue about security. There's also lots of interdependent
layers. If you have a website, an attacker can try to attack your web
applications, your database, your web application framework, your web
server, and your operating system. If one or more of these layers are
inconsiderate of each other in the right way (as in the case of poison
NULL byte issues) there can be severe security issues.

Also, the internal networks of most companies aren't well protected. Data
often flies about in the clear, and getting onto that internal network
usually means you can redirect somebody inside it to route sensitive
data to you. If it's a wireless network, it can be even easier. Some
people set up rogue access points at work to make their job easier. For
an attacker, this means a pre-configured remote foothold on the internal
network. It may be enough to set up shop near the physical location and
sniff traffic, hoping for juicy data.

And speaking of physical security, remember that no amount of
firewalling, application whitelisting, IPS, AV, etc. will protect you
from a data breach if a machine is physically stolen.

So, does it make sense for the attackers to move away from network-based
attacks? Sure does. Are they?

Operation Aurora? Client side attacks.
Heartland Payment? SQL injection and sniffing.
Stuxnet attacks? Delivered via flash drive.
TJX? Attacked via in-store wireless network.

Food for thought, isn't it?
--
Daniel Crowley, CICP, GCIH
Technical Specialist
Core Security Technologies
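The "layers inconsiderate of each other" point above, with the poison NULL byte as the example, is the kind of thing that is easier to see in code than in prose. The block below is an added illustration written for this archive page; it is not code from the original message or from Core Security. It models the mismatch with two small functions (a string-based suffix check at the application layer and a C-string-style truncation at a lower layer) and then shows the check a defender would put in front of any file-name handling: reject embedded NULs, reject path components, and confine the resolved path to a base directory. `BASE_DIR` and the file names are constructed values for the example.

```python
import os

# Constructed base directory for the example; not a real deployment path.
BASE_DIR = "/var/www/uploads"


def naive_allowed(name: str) -> bool:
    """Application-layer check as many web apps write it: only the suffix is inspected.

    Python strings may contain NUL, so this check is perfectly happy with a value
    that a lower layer will later cut short.
    """
    return name.endswith(".txt")


def truncate_like_c(name: str) -> str:
    """Model of how a C-string based layer (libc, an older runtime, a filesystem API)
    sees the same value: everything after the first NUL byte is invisible to it.
    """
    return name.split("\x00", 1)[0]


def safe_resolve(name: str) -> str:
    """Hardened handling: validate for every layer at once, then confine the path.

    Raises ValueError for anything that the lower layers could interpret
    differently from the application layer.
    """
    if "\x00" in name:
        raise ValueError("embedded NUL byte")
    if not name.endswith(".txt"):
        raise ValueError("disallowed extension")
    # Reject anything that is not a single bare file name component.
    if name in ("", ".", "..") or os.path.basename(name) != name:
        raise ValueError("path component not allowed")
    full = os.path.normpath(os.path.join(BASE_DIR, name))
    # Belt and braces: the resolved path must still live directly under BASE_DIR.
    if os.path.dirname(full) != os.path.normpath(BASE_DIR):
        raise ValueError("escapes base directory")
    return full


def rejected(name: str) -> bool:
    """True if safe_resolve() refuses the name; used to make the outcome checkable."""
    try:
        safe_resolve(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one honest name, one with an embedded NUL.
    for candidate in ("report.txt", "notes\x00.txt"):
        print(repr(candidate),
              "naive check:", naive_allowed(candidate),
              "lower layer sees:", repr(truncate_like_c(candidate)),
              "hardened:", "rejected" if rejected(candidate) else safe_resolve(candidate))
```

Run as a script, the first name passes both checks and the two layers agree on it; the second passes the naive suffix check while the lower layer sees a different file name entirely, and only the hardened path refuses it. The general lesson matches the post: validate at the boundary using the strictest interpretation any layer underneath could apply, not just the one your own layer uses.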
