Re: [SC-L] State Department break-in last summer
Ed Reed wrote:

> http://news.yahoo.com/s/ap/20070419/ap_on_hi_te/hackers_state_department
>
> This article describes a Trojan horse attack introduced via MS Office (Word) documents that provided remote access by adversaries to compromised systems. It doesn't say if the exploit - "design flaw" - was intentionally introduced (a product of deliberate subversion) or not.

... Well, odds are not, given the source of the software in question (and, no, I don't mean that I think MS has much better security screening of its employees... 8-) ).

> ... While the article may provide "comfort" to the "defense in depth" crowd (the State department THINKS the issue was discovered immediately - but then again, after they were made aware of it - so they knew what to watch for - they found numerous other compromised systems, so I wonder how many haven't (yet) been caught).

Indeed...

> This isn't terribly surprising, but it brings to mind a new insight (for me, anyway) into the issue that government and commercial customers are facing.
>
> We've (Aesec) been saying that subversion (deliberately introduced design and implementation defects into a customer's IT supply chain) is the preferred avenue of attack of professional adversaries, and I agree that it is.
>
> We've (Aesec) also noted that the commercial security industry is largely focused, instead, on discovering and patching software defects that can be easily discovered (via fuzzing and testing) and exploited to gain access to systems.
>
> Both those two avenues can lead to serious security breaches.
>
> But it's not necessary to plant an operative into a vendor's shop in a position to introduce flaws into software to gain advantage. Simply knowing enough about the internal design and implementation of the system is likely to provide the adversary with the knowledge and opportunity to discover paths of attack that can be researched at their leisure, held until needed as what would be considered a private "zero day exploit".
>
> So at one end of the spectrum of malicious attacks are pure opportunists (including amateurs and script kiddies) using defects discovered through fuzzing interfaces and related black box testing techniques. At the other end of the scale are paid professional operatives infiltrating vendor development and delivery supply chains to introduce defects intentionally. And in the middle are those with "gray box" knowledge of products involved, who are in a better position than the public to identify attack vectors worth investigating.
>
> This middle ground would seem to significantly increase the threat - there are many more jobs in vendor organizations (and their supply and support chains) that provide privileged insight to product design, development, implementation and delivery than there are with direct code modification roles in the product. So I think you'd have to assume that the pool of unreported zero day exploits may be much larger than generally expected.

I agree with all this, but...

You -- and all journalistic and other commentaries I've seen/heard on the increasingly common use of these targeted Office exploits -- miss one very important option, I think; the attacker has access to (partial) source of the closed, supposedly closely-held, proprietary software in question.

Recall the rumours and stories from a few years back of the MS source code thefts? From memory, reputedly (most of) Win2K, some of WinXP (?) and (parts of) Office were stolen. Parts of these thefts were clearly confirmed with (parts of) Windows OS source becoming downloadable from various "underground" sources sometime later.

Further, and more speculative, was the suggestion that the reputed (earlier) MS break-in (as opposed to the third-party licensee from which the OS source code was reputedly "clearly" obtained) was a Russian or Chinese hacker/hacking group. Some say that there were multiple break-ins at MS around that time and that both Russian and Chinese groups were involved. Nowadays most of the publicly discussed/disclosed targeted Office exploits have been attributed to Chinese-based "attackers".

Also of some interest might be the fact that it seems (at least to me) that if there are version specificities in the exploits used in these targeted attacks, these more commonly restrict the applicability of the exploit to the older Office product versions. Now, this may be indicative of overall improvements in MS code standards due to SDLC (are newer versions of Office distilled through SDLC?) and compiler "security" improvements, but it might also be indic
Re: [SC-L] JavaScript Hijacking
Frederik De Keukelaere <[EMAIL PROTECTED]> writes:

> Would you mind sharing the different data formats you came across for exchanging data in mashups/Web 2.0? Considering the challenges you recently discovered, it might be good to have such an overview to look at it from a security point of view.

Oops, sorry for taking so long to respond.

In addition to JSON, I've seen two other uses of JavaScript as a data transport format.

1) JavaScript arrays

Example:

    [ "a", "b", "c" ]

Technically speaking, this is a subset of JSON, but in these systems there is no notion of an object, only an array. These systems are more vulnerable than systems using JSON because they're guaranteed to always use array syntax.

2) Function calls

Example:

    addRecord("a", "b", "c");

This format is even easier to hijack, just define the named function. This is the worst of the bunch from a confidentiality standpoint.

Regards,
Brian
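The two transport formats Brian lists, placed beside a hardened response, as an added example that is not part of the original message or of any project discussed in the thread. The function names (asArray, asFunctionCalls, encodeResponse, decodeResponse, serveRecords), the request and session shapes, and the sample data are all assumptions; the defence shown is the usual pair of a non-executable prefix on the body plus a server-side gate that a cross-site <script src> include cannot satisfy.

```javascript
// Added example (not the original poster's code). All names are hypothetical.
const GUARD_PREFIX = "while(1);"; // stalls a <script src> include; real clients strip it

// Constructed sample data.
const RECORDS = [["a", "b", "c"], ["d", "e", "f"]];

// Format 1 from the message: a bare JavaScript array. It is a valid script
// body, so a cross-site <script src> include loads it with the victim's cookies.
function asArray(rows) {
  return JSON.stringify(rows);
}

// Format 2 from the message: function calls. Whichever page defines
// addRecord() before the include runs receives every row.
function asFunctionCalls(rows) {
  return rows
    .map((r) => `addRecord(${r.map((v) => JSON.stringify(v)).join(", ")});`)
    .join("\n");
}

// Hardened form: an object literal with a quoted key (a syntax error as a
// top-level script) behind a prefix that never terminates if executed.
function encodeResponse(rows) {
  return GUARD_PREFIX + JSON.stringify({ rows });
}

// The legitimate XMLHttpRequest client strips the prefix before parsing and
// refuses bodies that lack it, so a misconfigured endpoint is caught early.
function decodeResponse(body) {
  if (!body.startsWith(GUARD_PREFIX)) throw new Error("missing hijack guard");
  return JSON.parse(body.slice(GUARD_PREFIX.length)).rows;
}

// Server-side gate: a <script> tag cannot set custom headers or read the
// session-bound token, so require both before emitting sensitive data.
function serveRecords(req, session) {
  const headerOk = req.headers["x-requested-with"] === "XMLHttpRequest";
  const tokenOk =
    typeof req.query.token === "string" && req.query.token === session.csrfToken;
  if (!headerOk || !tokenOk) return { status: 403, body: "" };
  return { status: 200, body: encodeResponse(RECORDS) };
}

// Stand-alone demo: a request shaped like a <script src> include (cookies only,
// no header, no token) is refused; a proper XHR request gets the guarded body.
const demoSession = { csrfToken: "constructed-token-123" };
console.log(serveRecords({ headers: {}, query: {} }, demoSession).status); // 403
console.log(serveRecords({ headers: { "x-requested-with": "XMLHttpRequest" },
  query: { token: demoSession.csrfToken } }, demoSession).status); // 200
```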
[SC-L] State Department break-in last summer
http://news.yahoo.com/s/ap/20070419/ap_on_hi_te/hackers_state_department

This article describes a Trojan horse attack introduced via MS Office (Word) documents that provided remote access by adversaries to compromised systems. It doesn't say if the exploit - "design flaw" - was intentionally introduced (a product of deliberate subversion) or not.

While the article may provide "comfort" to the "defense in depth" crowd (the State department THINKS the issue was discovered immediately - but then again, after they were made aware of it - so they knew what to watch for - they found numerous other compromised systems, so I wonder how many haven't (yet) been caught).

This isn't terribly surprising, but it brings to mind a new insight (for me, anyway) into the issue that government and commercial customers are facing.

We've (Aesec) been saying that subversion (deliberately introduced design and implementation defects into a customer's IT supply chain) is the preferred avenue of attack of professional adversaries, and I agree that it is.

We've (Aesec) also noted that the commercial security industry is largely focused, instead, on discovering and patching software defects that can be easily discovered (via fuzzing and testing) and exploited to gain access to systems.

Both those two avenues can lead to serious security breaches.

But it's not necessary to plant an operative into a vendor's shop in a position to introduce flaws into software to gain advantage. Simply knowing enough about the internal design and implementation of the system is likely to provide the adversary with the knowledge and opportunity to discover paths of attack that can be researched at their leisure, held until needed as what would be considered a private "zero day exploit".

So at one end of the spectrum of malicious attacks are pure opportunists (including amateurs and script kiddies) using defects discovered through fuzzing interfaces and related black box testing techniques. At the other end of the scale are paid professional operatives infiltrating vendor development and delivery supply chains to introduce defects intentionally. And in the middle are those with "gray box" knowledge of products involved, who are in a better position than the public to identify attack vectors worth investigating.

This middle ground would seem to significantly increase the threat - there are many more jobs in vendor organizations (and their supply and support chains) that provide privileged insight to product design, development, implementation and delivery than there are with direct code modification roles in the product. So I think you'd have to assume that the pool of unreported zero day exploits may be much larger than generally expected.

Just a thought. This doesn't reduce the challenge or need to deal with subversion by the professional adversary - it just expands my appreciation for the size of the threat customers face.

Ed

State Department got mail - and hackers
By TED BRIDIS, Associated Press Writer, Wed Apr 18, 8:29 PM ET

A break-in targeting State Department computers worldwide last summer occurred after a department employee in Asia opened a mysterious e-mail that quietly allowed hackers inside the U.S. government's network.

*In the first public account revealing details about the intrusion and the government's hurried behind-the-scenes response, a senior State Department official described an elaborate ploy by sophisticated international hackers. They used a secret break-in technique that exploited a design flaw in Microsoft software.*

Consumers using the same software remained vulnerable until months afterward.

Donald R. Reid, the senior security coordinator for the Bureau of Diplomatic Security, also confirmed that a limited amount of U.S. government data was stolen by the hackers until tripwires severed all the State Department's Internet connections throughout eastern Asia. The shut-off left U.S. government offices without Internet access in the tense weeks preceding missile tests by North Korea.

Reid was scheduled to testify Thursday at a cybersecurity hearing for a House Homeland Security subcommittee. He was expected to tell lawmakers an employee in the State Department's Bureau of East Asian and Pacific Affairs --- which coordinates diplomacy in countries including China, the Koreas and Japan --- opened a rigged e-mail message in late May giving hackers access to the government's network.

*The chairman of the Homeland Security Committee, Rep. Bennie Thompson, D-Miss., said hackers are no longer considered harmless, bored teenagers. "These are experienced, sophisticated people who are trying to exploit our vulnerabilities and gain access to our information," Thompson said.*

Reid was not expected to disclose the identities or nationalities of the ha