Thursday, February 10, 2011

Proactive Detection of Client-Side Exploits

Hackers take advantage of vulnerabilities in client software to control and infect systems, even systems that are protected by firewalls. Once a system is compromised, the attacker can use client-side exploits for several malicious activities. For example, they can steal people’s online banking credentials. Even worse, they can use the victims’ computers as part of a distributed denial of service (DDoS) attack or as a spam delivery system. How does an attacker make use of these vulnerabilities? Both client and server can be exploited by a contagion worm: first the attacker uploads malicious code to a web server through typical web server security flaws, then that code is downloaded whenever a user’s browser visits the website.
Attackers target client systems because not much client software is developed by expert people. Even most technical people are trained only to keep server software updated. Most users are not trained to create secure software or to run an antivirus product with the most recent signatures, or, even worse, they don’t update their operating system software.
Honeyclients: Security depends on knowledge of existing exploits and vulnerabilities. This knowledge can be used to proactively patch vulnerable software or to build intrusion detection systems. The honeypot is a popular tool for acquiring such knowledge, but a honeypot is a passive device and is limited to detecting attacks on server software. Vulnerabilities are growing on the client side (for example in mail clients or web browsers), and a new technology was needed to discover exploits for these vulnerabilities, because a honeypot cannot detect malicious behavior until an attacker happens upon it.
A honeyclient is a concept that instruments client software and drives it to detect new exploits. It drives vulnerable client software (such as a web browser) to malicious websites and then monitors system behavior for indications of compromise. The honeyclient emulates the client side and acts as a bot or spider; it monitors client behavior to see whether it falls outside of normal operational bounds.
The first-generation honeyclient: the author started designing honeyclients in 2004. The first honeyclient was open source prototype code. In order to detect exploits, the author used a comprehensive check for changes on the client. Windows as the operating system and IE as the web browser were chosen because the largest population of users was using them. The idea was to let a real browser visit each suspected website. If the honeyclient software became compromised when it encountered a malicious website, then that website could be reported as a bad website, together with the potential consequences of infection.
The second-generation honeyclient: the idea was to keep parts of the original prototype but add new features, such as running the honeyclient in virtual machines. They also wanted to quickly retain the compromised operating system for later attack forensics analysis. The author wanted ease of use, speed and scalability.
The change in the honeyclient architecture was to add plug-ins that could be enabled or disabled. The second decision was a client-server model, in which the server controls the higher-level operations of the honeyclient. These controls were:
·        Cloning and suspending virtual machines
·        Detecting changes to the honeyclient system
·        Communicating with an external honeyclient database
·        Logging full packet captures
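The "comprehensive check for changes on the client" that the first-generation honeyclient relied on, and the "detecting changes to the honeyclient system" control above, come down to snapshotting the client's state before a browser visit and diffing it afterwards. The following is an added illustration of that idea, not code from the book or from the honeyclient project: it hashes every file under a directory, drives a simulated visit in a temporary directory, and reports anything outside an allowlist of expected churn (the browser cache) as an indicator of compromise. The directory layout, the allowlist and the simulated visit are constructed for the example.

```python
"""Honeyclient-style change detection.

Added illustration of the "comprehensive check for changes on the client"
idea, not code from the book or the honeyclient project: snapshot the
client's filesystem before a browser visit, snapshot it again afterwards,
and treat any unexpected difference as an indicator of compromise.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, NamedTuple, Set


class Change(NamedTuple):
    added: Set[str]
    modified: Set[str]
    removed: Set[str]


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256."""
    state: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            state[full.relative_to(root).as_posix()] = digest.hexdigest()
    return state


def diff_snapshots(before: Dict[str, str], after: Dict[str, str],
                   allowlist: Iterable[str] = ()) -> Change:
    """Compare two snapshots. Paths under an allowlisted prefix (expected
    churn such as the browser cache) are ignored so only real deviations
    from normal operation remain."""
    prefixes = tuple(allowlist)

    def watched(path: str) -> bool:
        return not path.startswith(prefixes)

    b = {p: d for p, d in before.items() if watched(p)}
    a = {p: d for p, d in after.items() if watched(p)}
    added = set(a) - set(b)
    removed = set(b) - set(a)
    modified = {p for p in set(a) & set(b) if a[p] != b[p]}
    return Change(added, modified, removed)


def is_compromised(change: Change) -> bool:
    """Any change outside the allowlist flags the visited site as bad."""
    return bool(change.added or change.modified or change.removed)


def simulated_visit() -> Change:
    """Constructed scenario in a temp dir: a visit that legitimately fills
    the cache but also edits a system file and drops an executable."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = Path(root) / "system32"
        cache = Path(root) / "cache"
        sysdir.mkdir()
        cache.mkdir()
        (sysdir / "hosts").write_text("127.0.0.1 localhost\n")
        (cache / "page.html").write_text("<html></html>")
        before = snapshot(root)

        # What the honeyclient observes after driving the browser to the site
        (cache / "page2.html").write_text("<html>more</html>")  # benign churn
        (sysdir / "hosts").write_text("127.0.0.1 localhost\n"
                                      "203.0.113.5 bank.example\n")  # tampered
        (Path(root) / "dropper.exe").write_bytes(b"MZ\x90\x00")  # new file
        after = snapshot(root)
        return diff_snapshots(before, after, allowlist=("cache/",))


if __name__ == "__main__":
    change = simulated_visit()
    print("compromised:", is_compromised(change))
    print(change)
```

A real honeyclient would take the same before/after approach over the registry and the process list as well, and would run the whole thing inside a virtual machine that is reverted to a clean snapshot after each visit, which is exactly what the second-generation client-server design above controls.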

Reference:

Oram, Andy and Viega, John (eds.) (2009). Beautiful Security: Leading Security Experts Explain How They Think. O’Reilly Media, Inc.

Thursday, February 3, 2011

Psychological Security Traps

There are three influencing factors in security that warn us of potential security danger.
1. The first factor is called “learned helplessness”. New technologies are constantly being discovered and developed, and they need to be compatible with existing solutions. This is the “backward compatibility” problem of technology deployments. New technologies are developed to meet the need for greater security, so the question is what happens to the old technology: will it still be supported? Achieving backward compatibility is important. Developers focus on the new technology and bolt the legacy technology onto it with minimal attention to the legacy’s effects. The most direct solution is to support the modern and legacy technology simultaneously by compromising the robustness and security strength of the new technology to match that of the legacy solution. From a security standpoint, what matters is how backward compatibility can be accomplished without degrading the security of the new system.
What Microsoft did was force their new system to talk to both the legacy and the current protocol without considering the legacy security issues. What Microsoft could have done was require the legacy systems to patch the functions required to support logging, as a final end-of-life upgrade to the legacy systems.

2. The second issue with the security of products is how they are tested to see whether there are any flaws in them, and how often they go belly up when confronted with fuzzed input. For example, Microsoft considers a good user experience but does not consider adversarial users; they don’t consider that their application will be deployed in hostile environments. This makes it easy for attackers to exploit “confirmation traps”.
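"Going belly up when confronted with fuzzed input" is easy to measure for your own code. The following is an added example, not from the book or its authors: a small record format (a 2-byte length followed by a UTF-8 payload, repeated) with one parser written for friendly input only and one written for adversarial input, plus a mutation fuzzer that counts how many mutated inputs make each parser raise something other than its own clean rejection error. The format, both parsers and the fuzzer are constructed for the illustration.

```python
"""Mutation fuzzing a small parser to see how often it goes belly up.

Added example, not from the book or its authors. The record format
([2-byte big-endian length][UTF-8 payload], repeated) and both parsers are
constructed for illustration: one written for well-formed input only, one
that treats every input as potentially adversarial.
"""
import random
import struct
from typing import List


class ParseError(ValueError):
    """Clean rejection of malformed input; the only exception a caller expects."""


def encode(records: List[str]) -> bytes:
    """Build a valid byte string (used as the fuzzing seed)."""
    out = b""
    for text in records:
        payload = text.encode("utf-8")
        out += struct.pack(">H", len(payload)) + payload
    return out


def parse_naive(data: bytes) -> List[str]:
    """Assumes a friendly sender: no bounds checks, no decode handling, so a
    truncated header raises struct.error and bad bytes raise UnicodeDecodeError."""
    out, i = [], 0
    while i < len(data):
        (n,) = struct.unpack_from(">H", data, i)
        i += 2
        out.append(data[i:i + n].decode("utf-8"))
        i += n
    return out


def parse_hardened(data: bytes, max_len: int = 4096,
                   max_records: int = 1000) -> List[str]:
    """Every structural assumption is checked and violations become ParseError."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ParseError("truncated length header")
        n = int.from_bytes(data[i:i + 2], "big")
        i += 2
        if n > max_len:
            raise ParseError("declared length exceeds limit")
        if len(data) - i < n:
            raise ParseError("truncated payload")
        try:
            out.append(data[i:i + n].decode("utf-8"))
        except UnicodeDecodeError as exc:
            raise ParseError("payload is not valid UTF-8") from exc
        i += n
        if len(out) > max_records:
            raise ParseError("too many records")
    return out


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply a few random byte-level mutations to a valid input."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete", "truncate"))
        if op == "flip" and buf:
            idx = rng.randrange(len(buf))
            buf[idx] ^= 1 << rng.randrange(8)
        elif op == "insert":
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == "delete" and buf:
            del buf[rng.randrange(len(buf))]
        elif op == "truncate" and buf:
            del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> int:
    """Return how many mutated inputs made the parser raise something other
    than ParseError, i.e. how often it went belly up."""
    rng = random.Random(rng_seed)
    crashes = 0
    for _ in range(iterations):
        try:
            parser(mutate(seed, rng))
        except ParseError:
            continue  # rejected cleanly: the behaviour we want
        except Exception:
            crashes += 1  # unexpected exception: a bug found by fuzzing
    return crashes


SEED = encode(["hello", "world"])

if __name__ == "__main__":
    print("naive crashes:", fuzz(parse_naive, SEED))
    print("hardened crashes:", fuzz(parse_hardened, SEED))
```

The naive parser also silently accepts a truncated payload, which the fuzzer does not count because nothing is raised; a production harness would compare parser output against a reference decoder to catch that class of bug too.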

3. The third factor is “functional fixation.” When we talk about security, the concept of functional fixation helps us understand what lies beyond the security product itself. For example, many people think security products increase the security of their system or organization, but this security software might itself include all sorts of common programming vulnerabilities, such as unchecked execution, local buffer overflows and lack of authentication in auto-update activities, which might allow the software to be used by attackers.
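The "lack of authentication in auto update" flaw is worth seeing side by side with its fix. The following is an added example, not from the book or its authors: an updater that trusts a checksum delivered over the same channel as the update (so anyone who controls the channel controls the check) next to one that verifies a vendor-signed manifest with a key provisioned in the client, and also refuses rollback to an older build. The update channel, manifest format and signing key are assumptions constructed for the illustration; the signature is an HMAC with a pinned key to keep the example to the standard library, whereas a real updater would use an asymmetric signature so the client never holds signing material.

```python
"""Authenticated auto-update check.

Added example illustrating the "lack of authentication in auto update"
flaw; the update channel, the key and the manifest format are assumptions
constructed for this illustration, not any product's real mechanism.
"""
import hashlib
import hmac
import json

# Assumed: vendor key provisioned with the client and never sent over the
# update channel. A real updater would verify an asymmetric signature here.
VENDOR_KEY = b"constructed-vendor-key-for-illustration-only"


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Canonical JSON of the manifest, authenticated with HMAC-SHA256."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def unauthenticated_update(channel: dict) -> bool:
    """Vulnerable pattern: trust a checksum that arrived alongside the file.
    Whoever can alter the channel alters both, so the check proves nothing."""
    return hashlib.sha256(channel["payload"]).hexdigest() == channel["sha256"]


def authenticated_update(channel: dict, key: bytes, installed_version: int) -> bool:
    """Accept only a payload described by a vendor-signed, newer manifest."""
    manifest = channel["manifest"]
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, channel["signature"]):
        return False  # manifest was not produced by the vendor
    if manifest["version"] <= installed_version:
        return False  # rollback to an older (possibly vulnerable) build
    digest = hashlib.sha256(channel["payload"]).hexdigest()
    return hmac.compare_digest(digest, manifest["sha256"])


def publish(payload: bytes, version: int, key: bytes) -> dict:
    """Vendor side: what a genuine release puts on the update channel."""
    manifest = {"version": version,
                "sha256": hashlib.sha256(payload).hexdigest()}
    return {"payload": payload, "sha256": manifest["sha256"],
            "manifest": manifest, "signature": sign_manifest(manifest, key)}


def tampered(channel: dict, new_payload: bytes) -> dict:
    """Simulated channel compromise for the test: the payload is swapped and
    everything computable without the vendor key is recomputed to match."""
    altered = dict(channel)
    altered["payload"] = new_payload
    altered["sha256"] = hashlib.sha256(new_payload).hexdigest()
    altered["manifest"] = dict(channel["manifest"], sha256=altered["sha256"])
    return altered


if __name__ == "__main__":
    genuine = publish(b"good build", 2, VENDOR_KEY)
    bad = tampered(genuine, b"trojaned build")
    print("unauthenticated accepts tampered:", unauthenticated_update(bad))
    print("authenticated accepts tampered:  ",
          authenticated_update(bad, VENDOR_KEY, 1))
```

The point the example makes is that the checksum in the vulnerable path is not evidence of anything, because it has the same provenance as the payload; only a check anchored in something the attacker cannot produce (a key the client already trusts) turns the update into an authenticated one.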
Reference:

Oram, Andy and Viega, John (eds.) (2009). Beautiful Security: Leading Security Experts Explain How They Think. O’Reilly Media, Inc.