Friday, March 17, 2006

Threat evolution

It's interesting to watch the evolution of vulnerability research and exploit development.

In the beginning we used to see vulnerabilities in basic network protocols implementations, like ICMP, IP, TCP. It was the time of TCP Spoofing, Fragmentation attacks, Ping of Death.

Later, those protocol implementations started to be more solid, and the hackers (both white and black hats) changed their focus to the daemons, like HTTP (Apache, IIS), SMTP (sendmail!), etc. I think that this was the most fertile terrain for them until now, mainly because of the diversity of versions and configurations of all those daemons.

But even daemons became more solid. So, where to look for more vulnerabilities? Initially we thought it would be the web applications. But to find web applications vulnerabilities wasn't so cool for those who were searching. It wouldn't bring the desired publicity to the researchers (one thing is finding a vulnerability that can impact all Windows users, another is to find something that is related to a specific website shopping cart), and for the black hats, less profit. So, what did become the next target?

Something very natural happened. They climbed the layers! We departed from downstairs, from layers 3 and 4, directly to layer 6. Yes, people started to find quite interesting things in the presentation layer (that is so strange that only few people understand what it does really mean). There are lots of standards for representing data like images, audio and video. People started to verify how the applications were dealing with data manipulation. That's when vulnerabilities related to the use of ASN.1, several image type files (JPG, TIFF, and the latest WMF), video (WMV) and many others. And they'll still probably find more, as these data handling functions were never considered risky by the developers. There must be a lot of bad code in there. But what it brings in terms of security is what really matters.

First, there isn't anymore that link between the service and the vulnerability. You can't view the problem as "I don't have this port open in my firewall so I'm secure" anymore. The vulnerable file types can be transferred in several ways, by different applications and services, mainly HTTP (ops..isn't AJAX making everything HTTP?) and e-mail protocols. It's hard to understand the impact of a vulnerability in a big network. The attacks doesn't need to be targeted to the servers, as many applications dealing with the files run in the workstations. The target now is the user, the workstation. And that will be a real problem, because everybody was busy thinking about putting the public servers in DMZs and buying another IPS, trying to keep the perimeter safe. Hehe, sometimes I feel like saying "I told you! I told you", but it's not very productive. :-)

An important step is trying to reduce the impact of having a compromised workstation in the network. Today's networks are too "all or nothing", it won't help with this new reality. Another important thing is trying to build better ways to protect the workstations. Today the main protection tool for them is the antivirus, reactive and signature based. These tools need to evolve, improving their ability to deal with "0 days" and being more preventive. Isn't anybody selling a "workstation IPS"? Gee, it would be a good "revolutionary new product category" :-)

This threat evolution is changing the way that we need to build our defenses. Just that is enough to make our jobs interesting. It's certainly bad in terms of business risk, but yeah, it's really cool.

1 comment: