Tuesday, 5 April 2016

The Old Ones are the Best Ones

perfectcobalt

The Low Hanging Fruit

Whilst vulnerabilities such as Shellshock, Heartbleed and DROWN are undoubtedly nasty, they aren't very easy to exploit, at least until they are identified. The thing with zero-day vulnerabilities like these is that it's generally quite difficult to identify them in the first place. It usually requires crafting malicious packets, probing for buffer over-runs, attempting large-scale denial of service attacks, or seeing if protocol flaws can be exploited. Or some combination of the above. All of these take skill and patience.

If you are the developer of a widely used encryption library, or a ubiquitous runtime library, then you do indeed need to care about these things. "Widely used" in this sense means having millions of users. And that's what makes such things attractive to attackers, and worthwhile concentrating their effort on finding those vulnerabilities.

However, it's not always the zero-day exploits that catch people out.

If your software is sending customer passwords in plaintext back to the MotherShip, or fails to correctly validate user-input from a form, then attackers aren't going to bother looking for more subtle exploits. They already found the low hanging fruit.

And this can happen to software that is widely used:

https://medium.com/swlh/watch-paint-dry-how-i-got-a-game-on-the-steam-store-without-anyone-from-valve-ever-looking-at-it-2e476858c753#.bzelzn2vv

This isn't even low hanging fruit, it's fruit that's already fallen off the tree and is just lying there, waiting to be picked up. In this instance, the "attacker" had the best of intentions: to highlight a flaw in Valve's process. When they were notified, Valve immediately engaged with the perpertrator to get the problem fixed.

Not everyone takes their security so seriously, even after they've been exploited. The moral is this: it's better to find out if you have vulnerable systems before you're attacked by someone who almost certainly will not tell you they've done it!

perfectcobalt.com
info@perfectcobalt.com
@PerfectCobalt

No comments:

Post a comment