Secure Coding mailing list archives

Insider threats and software


From: paco at cigital.com (Paco Hope)
Date: Fri, 17 Aug 2007 10:24:02 -0400

On 8/16/07 7:44 PM, "silky" <michaelslists at gmail.com> wrote:

> how is this different than sending malformed packets to an rpc interface?

That is the key question. It's different because nothing in the packets is malformed! They were correctly assembled by 
the client, sent at the right time in game play, and are semantically legal in every way. The vital distinction is that 
programmers assume only their own code will call a certain API, and therefore issue a certain message from the client 
to the server. When you hijack the client, you make the client correctly form messages for you. You just supply 
unexpected parameters, or send messages in an order that would never normally occur. Furthermore, if there's a little 
back and forth between the server and the client as a result of your messages, the client handles it automatically for 
you because it is operating normally (albeit under the influence).

Now I'll gently disagree with Gary, who is my boss, so you know I'll hear about it in the hallways... I think this 
feels more like "privilege escalation" than "insider threat." The distinction being that these attacks allow an 
authorized user who has limited privileges to escalate their privileges and do things that they shouldn't be able to 
do. An insider (to me) is a person who already had that privilege and status when they started their attack. (Read 
Kevin Wall's follow-up on darkreading.com; he has good things to say on who are insiders and outsiders.) Where we are 
prone to confusion, I think, is that outsiders or limited authorized users can have the same IMPACT as an insider, when 
the privilege escalation is sufficiently bad.

So we might say they became an insider by virtue of their attack. I think that's playing a bit fast and loose with 
language. We could say they became the EQUIVALENT of an insider (possibly in a very narrow scenario) and that might be 
a bit more accurate.

Let me go out on a limb and say the following: the designation of "insider" is almost always due to contractual 
relationships. I.e. you've been hired, you've been subcontracted, assigned, or somehow formally granted access to 
something. You can't hack your way to insider status (unless you hack HR and make yourself an employee. :). You can 
hack your way to the equivalent of an insider, but you're still an outsider whose privileges have been escalated.

Thoughts?
Paco
--
Paco Hope, CISSP
Technical Manager, Cigital, Inc
http://www.cigital.com/ * +1.703.404.5769
Software Confidence. Achieved.
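The point Paco makes above (a hijacked client emits messages that are well-formed and semantically legal, just carrying unexpected parameters or arriving in an order the real client would never produce) is illustrated by the following added example. It is editorial illustration, not code from the original post or from Cigital: a toy game-server message handler written two ways, one that trusts that only its own client will ever talk to it, and one that enforces a server-side state machine and parameter bounds. The message types (ENTER_SHOP, BUY, LEAVE_SHOP), the price table, the gold balance and the attack sequence are all constructed assumptions for the sake of the demonstration.

```python
"""
Added example (not from the original post): why syntactically valid,
client-generated messages still need server-side validation against
session state and parameter ranges. Message names, fields, prices and
the attack sequence are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field

PRICES = {"sword": 100, "potion": 10}   # constructed sample catalogue


@dataclass
class Session:
    gold: int = 120
    inventory: dict = field(default_factory=dict)
    state: str = "LOBBY"                 # assumed states: LOBBY -> IN_SHOP -> LOBBY


def naive_handle(sess, msg):
    """Assumes only the genuine client will ever send messages, so it checks
    neither ordering nor parameter ranges. Every message parses fine, and the
    handler applies it: a BUY with a negative qty becomes a refund, and a BUY
    that arrives before ENTER_SHOP is honoured anyway."""
    t = msg["type"]
    if t == "BUY":
        cost = PRICES[msg["item"]] * msg["qty"]
        sess.gold -= cost
        sess.inventory[msg["item"]] = sess.inventory.get(msg["item"], 0) + msg["qty"]
    elif t == "ENTER_SHOP":
        sess.state = "IN_SHOP"
    elif t == "LEAVE_SHOP":
        sess.state = "LOBBY"
    return "ok"


# Legal (state, message) pairs and the state each one leads to. Anything not
# listed is "a message the real client would never send from here".
TRANSITIONS = {
    ("LOBBY", "ENTER_SHOP"): "IN_SHOP",
    ("IN_SHOP", "BUY"): "IN_SHOP",
    ("IN_SHOP", "LEAVE_SHOP"): "LOBBY",
}


def hardened_handle(sess, msg):
    """Treats the client as untrusted: the message must be legal in the
    current state, and every parameter is range-checked on the server
    before any state is mutated. Rejected messages leave the session as is."""
    key = (sess.state, msg.get("type"))
    if key not in TRANSITIONS:
        return "rejected: out-of-order"
    if msg["type"] == "BUY":
        item, qty = msg.get("item"), msg.get("qty")
        if item not in PRICES:
            return "rejected: unknown item"
        # bool is a subclass of int in Python, so exclude it explicitly
        if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= 99:
            return "rejected: bad qty"
        cost = PRICES[item] * qty
        if cost > sess.gold:
            return "rejected: insufficient gold"
        sess.gold -= cost
        sess.inventory[item] = sess.inventory.get(item, 0) + qty
    sess.state = TRANSITIONS[key]
    return "ok"


def run(handler, messages):
    """Replay a list of client messages through a handler and return the final
    session plus the per-message outcomes, so the two handlers can be compared."""
    sess = Session()
    outcomes = [handler(sess, m) for m in messages]
    return sess, outcomes


# Constructed attack sequence: every message is well-formed; the only things
# wrong are an unexpected parameter (negative qty) and the order (BUY before
# ENTER_SHOP), exactly the situation a hijacked client produces.
ATTACK = [
    {"type": "BUY", "item": "sword", "qty": -5},
    {"type": "ENTER_SHOP"},
    {"type": "BUY", "item": "sword", "qty": -5},
    {"type": "BUY", "item": "sword", "qty": 1},
    {"type": "BUY", "item": "sword", "qty": 1},
    {"type": "LEAVE_SHOP"},
]

if __name__ == "__main__":
    for name, handler in (("naive", naive_handle), ("hardened", hardened_handle)):
        sess, outcomes = run(handler, ATTACK)
        print(f"{name}: gold={sess.gold} inventory={sess.inventory} outcomes={outcomes}")
```

With the naive handler the attacker walks away with 920 gold and a negative sword count from a 120-gold start; with the hardened one the out-of-order BUY and the negative quantity are both refused, the one affordable purchase goes through, and the second is refused for lack of funds. The check that matters is not "is the packet malformed" but "would a legitimate client in this state ever send this, with these values".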


