Insider threats and software

[pierre.parrend at insa-lyon.fr (Pierre Parrend)]

Hello all,

 I do not agree with Mike's point of view. Of course the unique way to cheat a
system is to understand how it is working, and to abuse it. But the main
difference is that you can hardly talk about protocol in the case of
applications: if you have a given protocol, you 'just' need to build a firewall
that checks that the protocol is properly working. In the case of software level
insider attack, you would therefore need a dedicated firewall for every
application you provide, which seem difficult both in term of development and
performance cost.

The differences I see between the two cases are the following:

- attacks are now performed at the applicative level. And no simple interface
between the user and the application can be identified, since a heavy client is
involved (the interface is no longer a single protocol, but a whole
application).

- the matter becomes even worse if the systems are dynamic (such as with MIDP,
or OSGi, or any plug-in mechanism), which does not yet occurs with online
games, but soon could.

last case make a shift in the potential attacks quite likely: it is sufficient
to make malicious components freely available to perform attacks, even without
illegally modifying existing code. The problem of client-based attack is bound
with the one of integration of off-the-shelf components: how is it possible to
control the execution process for every self-developed of third party, local or
remote, piece of code ? Both involve application level 'protocols' to perform
insider attacks, which are not so easy to tackle,

I.e what Gary is describing is (to my view) not the ultimate insider, but a
step
toward a worsening of the security state of systems.

regards,

Pierre P.


Quoting silky <michaelslists at gmail.com>:

> i really don't see how this is at all an 'insider' attack; given that
> it is the common attack vector for almost every single remote exploit
> strategy; look into the inner protocol of the specific app and form
> your own messages to exploit it.
>
>
>
> On 8/15/07, Gary McGraw <gem at cigital.com> wrote:
> > Hi sc-l,
> >
> > My darkreading column this month is devoted to insiders, but with a twist. 
> In this article, I argue that software components which run on untrusted
> clients (AJAX anyone?  WoW clients?) are an interesting new flavor of insider
> attack.
> > Check it out:
> > http://www.darkreading.com/document.asp?doc_id=131477&WT.svl=column1_1
> >
> > What do you think?  Is this a logical stretch or something obvious?
> >
> > gem
> >
> > company www.cigital.com
> > podcast www.cigital.com/silverbullet
> > blog www.cigital.com/justiceleague
> > book www.swsec.com
> >
> > _______________________________________________
>
>
> -- 



-- 
Pierre Parrend
Ph.D. Student, Teaching Assistant
INRIA-INSA Lyon, France
pierre.parrend at insa-lyon
web : http://www.rzo.free.fr