Secure Coding mailing list archives
Insider threats and software
From: gem at cigital.com (Gary McGraw)
Date: Thu, 16 Aug 2007 15:54:03 -0400
Hi, The point here is NOT to pull a person-in-the-middle attack against the protocol, but rather to subvert the client completely and have the subverted client do all of your talking for you. The most advanced (game)bot techniques that we describe in EOG work by shimming (in an almost invisible way) the game client, then setting up a communication channel with another processor after a hardware interrupt in the main game thread is thrown. For those of you with the book, see pages 228-230. A less hairy approach is to attach to the game client as a debugger and just call methods like there's no tomorrow. The only problem with that approach is it is like stomping around in the mud puddle and you are likely to be detected. Effectively then, you ARE the client. That's why I think it's more of an "insider" attack than your standard BO sploit. gem p.s. I added a little bit of data on the justice league blog about this: http://www.cigital.com/justiceleague/2007/08/16/software-the-new-insider-threat/ -----Original Message----- From: silky [mailto:michaelslists at gmail.com] Sent: Tuesday, August 14, 2007 7:44 PM To: Gary McGraw Cc: SC-L at securecoding.org Subject: Re: [SC-L] Insider threats and software i really don't see how this is at all an 'insider' attack; given that it is the common attack vector for almost every single remote exploit strategy; look into the inner protocol of the specific app and form your own messages to exploit it. On 8/15/07, Gary McGraw <gem at cigital.com> wrote:
Hi sc-l, My darkreading column this month is devoted to insiders, but with a twist. In this article, I argue that software components which run on untrusted clients (AJAX anyone? WoW clients?) are an interesting new flavor of insider attack. Check it out: http://www.darkreading.com/document.asp?doc_id=131477&WT.svl=column1_1 What do you think? Is this a logical stretch or something obvious? gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.swsec.com _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
-- mike http://lets.coozi.com.au/
Current thread:
- Insider threats and software Gary McGraw (Aug 14)
- Insider threats and software silky (Aug 14)
- Insider threats and software Gary McGraw (Aug 16)
- Insider threats and software silky (Aug 16)
- Insider threats and software Paco Hope (Aug 17)
- Insider threats and software Crispin Cowan (Aug 28)
- Insider threats and software Gary McGraw (Aug 16)
- Insider threats and software silky (Aug 14)
- <Possible follow-ups>
- Insider threats and software Pierre Parrend (Aug 16)
- Insider threats and software Michael S Hines (Aug 16)
- Insider threats and software {EOG} Gary McGraw (Aug 16)
- Insider threats and software Michael S Hines (Aug 16)