Malware Security Testing
Attacks involving remote exploitation of servers and networks have been greatly mitigated by the advent of firewalling technology. Firewalls are the network sentries. Stateful-inspection firewalls understand network and application protocols (we hope). They can pass, reject, deny, log or modify the traffic that crosses them.
A typical network configuration will include one or more routers, one or more firewalls, a DMZ (demilitarised zone) and one or more LANs (local area networks). This is a typical three-tier architecture. In firewall configurations, less is always better. Fewer rules mean less configuration, which means less potential for human error. Fewer services, or more tightly restricted services, mean less surface area, which ultimately means less for an attacker to play with. Firewalls have become critical in securing our perimeters.
The most common Internet-facing services are “Mail (SMTP, POP3 etc), DNS and HTTP(s)”. Usually, an administrator will allow remote access via a VPN-type solution. This mostly means “IKE, SSL or SSH”. As a potential attacker, this leaves very little to work with, which is why firewalling has become so popular. In short, as said before, it reduces the external attack surface.
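To make the “less is better” point concrete, here is an added example of a default-deny edge ruleset for the three-tier layout (Internet, DMZ, LAN) just described, exposing only the services the post lists (SMTP, DNS, HTTP(s), plus IKE for the VPN). It is not from the original post; the interface names, addresses and host roles are assumed placeholders, and it is written for nftables rather than the firewall products of 2006.

```nftables
#!/usr/sbin/nft -f
# Added example: minimal default-deny ruleset for an edge firewall in a
# three-tier (Internet / DMZ / LAN) layout. All names and addresses below
# are assumed placeholders, not values from the original post.
flush ruleset

define wan_if   = "eth0"          # Internet-facing interface (assumed)
define dmz_if   = "eth1"          # DMZ segment (assumed)
define lan_if   = "eth2"          # internal LAN (assumed)
define lan_net  = 10.0.0.0/24     # internal LAN range (assumed)
define mail_srv = 192.0.2.10      # DMZ mail relay, documentation range (assumed)
define dns_srv  = 192.0.2.20      # DMZ authoritative DNS (assumed)
define web_srv  = 192.0.2.30      # DMZ web server (assumed)

table inet edge {
    # Traffic addressed to the firewall itself.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Remote-access VPN terminates on the firewall: IKE and NAT-T only.
        iif $wan_if udp dport { 500, 4500 } accept
        # Firewall management only from the LAN.
        iif $lan_if ip saddr $lan_net tcp dport 22 accept
        # Rate-limited logging of everything else so drops are visible.
        limit rate 5/second log prefix "edge-input-drop "
    }

    # Traffic passing between the three tiers.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services, to the host that serves them.
        iif $wan_if oif $dmz_if ip daddr $mail_srv tcp dport 25 accept
        iif $wan_if oif $dmz_if ip daddr $dns_srv  udp dport 53 accept
        iif $wan_if oif $dmz_if ip daddr $dns_srv  tcp dport 53 accept
        iif $wan_if oif $dmz_if ip daddr $web_srv  tcp dport { 80, 443 } accept

        # LAN -> Internet: client web traffic only.
        iif $lan_if oif $wan_if ip saddr $lan_net tcp dport { 80, 443 } accept

        # LAN -> DMZ: mail relay and DNS resolver only.
        iif $lan_if oif $dmz_if ip saddr $lan_net ip daddr $mail_srv tcp dport { 25, 143, 993 } accept
        iif $lan_if oif $dmz_if ip saddr $lan_net ip daddr $dns_srv  udp dport 53 accept

        # DMZ -> Internet: outbound mail delivery and DNS resolution only.
        iif $dmz_if oif $wan_if ip saddr $mail_srv tcp dport 25 accept
        iif $dmz_if oif $wan_if ip saddr $dns_srv  udp dport 53 accept
        iif $dmz_if oif $wan_if ip saddr $dns_srv  tcp dport 53 accept

        # DMZ -> LAN is deliberately absent: a compromised DMZ host gets no
        # path inward. Anything not listed above falls through to the log
        # and the chain's drop policy.
        limit rate 5/second log prefix "edge-forward-drop "
    }
}
```

Every permitted flow names the single DMZ host that is allowed to receive it, so adding a service means adding one line and removing one means deleting one; the drop policy on both chains does the rest. The log statements are what turn the firewall from a silent filter into a detection source: a burst of “edge-forward-drop” lines from the DMZ toward the LAN is exactly the signal that one of those published services has been compromised.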
Thinking about the above, we begin to see why client-side hacking (which has been around for ages, usually in the form of malware) is becoming so popular. Why play in a limited world, a firewalled world, a server-side world, when we can go straight to the source: the client-side frontier?
Internal users are usually in a relationship of trust with their surrounding network. Client-side hacking involves extending the functionality of a service the user already uses. We present “valid” code and the user executes it for us, effectively exploiting the user’s circle of trust.
It is interesting to see all these zero-day MS Word vulnerabilities being found “all of a sudden”. How long have these vulnerabilities been around? Are they only being released now because MS Word 2007 is coming out along with Windows Vista so attackers are trying to infect as many systems as possible before the upgrade?
Security has developed and moved forward and made tremendous strides in many areas. However, I agree with Ed Skoudis, who mentions in his “Malware” book that very little work has been done in relation to malware prevention. pdp (architect) and I have recently found or reported serious malware potential in QuickTime, MP3, PDF, Flash and RSS, to name a few.
I know some work has been done in these areas with regards to testing. For example, I know of security testers who have tested what files will be permitted through our mail filters, or what encoding types will bypass our anti-virus applications, but how often have you heard of this type of work actually being performed?
I quoted David Maynor in my previous post and I do so again: “The OS vendors have been hardening the operating system a lot, so now attackers have two choices. They can go up to the application level, or they can go lower to the device driver level...”. This is where attackers are going, but are we as the security community moving with these trends?
– David Kierznowski 09 Sep 2006