[IWAR] TECH applet threat

From: 7Pillars Partners (partnersat_private)
Date: Tue Jun 30 1998 - 22:30:22 PDT


I worked on this sort of attack technology many years ago (they're binary
systems--one comes in as a trusted, non-threatening app, and waits for the
second element; macro viruses are the same gimmick); this is one of the reasons
why I developed a fairly elaborate security metaphor using crypto message
authentication coding (DES MAC at the time was state of the art)--you could
'validate' the trusted app, but you had to also start MACing data files,
tracking the memory map, watching the execution stack and referencing it
against the trust map, etc.  I mention it in more detail for those interested
in my paper on Defense-In-Depth (on http://www.7pillars.com/ ), but as more and
more of this technology gets reinvented/discovered in the threat community, it
increases the pressure to fix the problems at the hardware level (yes,
including putting crypto services on the motherboard or drive controller).  MW

Planning for the Applet Threat
 by Chris Oakes 

 6:31pm 30.Jun.98.PDT
 The latest security threat to corporate networks
 and computers on the Internet has been identified
 and, on Tuesday, an industry consortium came
 into being to combat it. 

 The threat? Small software programs, or applets --
 distributed via the Internet mainly as Java and
 ActiveX programs -- that steal or damage
 electronic data. 

 Over the next few months the new group, calling
 itself the Malicious Mobile Code Consortium,
 plans to set up a Web site detailing its findings
 and proposing policies and guidelines for defeating
 the threat. The consortium was formed by the
 International Computer Security Association
 (ICSA), and charter members include Advanced
 Computer Research, Computer Associates (CA),
 Dr. Solomon's Software, eSafe Technologies,
 Finjan, Quarterdeck Corp. (QDEK), and Symantec
 (SYMC). 

 The consortium's name is derived from the generic
 term it uses for hostile Java applets and other
 "malicious mobile code." The code is defined as
 any Internet-delivered auto-executable program,
 delivered in the form of ActiveX, Java, or other
 HTML-based plugins, that employs so-called helper
 programs on a user's hard disk to access
 unauthorized files and deliver them to the applet's
 author. 

 "Numerous attacks have already been publicly
 reported," said consortium manager Dave Harper
 at a Tuesday press conference. He cited a
 computer club's demonstration of an ActiveX
 control that could electronically transfer funds
 without a user's knowledge and another program
 capable of working through America Online
 software to steal account information and delete
 local files. 

 The functions that mobile code can perform are
 potent, added Bill Lyons, CEO of Finjan, a
 company offering detection software. "They're all
 legitimate functions. They can open network
 connections, read a file, write a file, destroy a file.
 But typically this isn't destruction. It's more
 espionage and copying files." 

 Lyons says there is no doubt about the arrival of
 the "mobile code" threat. "It's not something you
 can prevent or stop. It's coming, so what you want
 to do is manage it. And you're not going to
 manage it by denial." 

 Security expert Peter Neumann says the ICSA is
 probably performing a useful function in pulling
 together the consortium. However, he warns that,
 as with any risk, companies should beware of
 easy answers. "There are many weak links," he
 wrote in an email. "Efforts to close up just a few
 holes are not satisfactory." 

 For now, the threat posed by these
 next-generation electronic demons is largely
 hypothetical. "You can't get around the fact that
 there are not any known threats today," said Ted
 Julian, analyst for Forrester Research. 

 Still, Julian is convinced of the threat posed by
 applets, and the demonstration applets he's seen
 have shown impressive capabilities. 

 "They're pretty scary demos," he said. "They'll
 shut down your system, erase your hard drive,
 take password files.... It's a big issue." He says
 Forrester is convinced that these kinds of attacks
 will definitely become more real than hypothetical. 

 Forrester's research shows that over 90 percent of
 security managers in corporations are concerned
 about Java and ActiveX security, but 72 percent
 are allowing them in without a defense strategy. 

 Truly effective defense, Julian said, will come from
 building code-monitoring detection utilities into
 currently installed antivirus software. Companies
 working on such technology include Finjan, eSafe,
 and Security Seven. 

 "Given the absence of known threats, we don't
 think it makes sense to buy a separate product,"
 he said. "Our advice is that [security managers]
 wait until antivirus providers include code
 monitoring protection." 

 Vendors are currently showing inadequate interest
 in addressing the threat of malicious mobile code,
 Julian said. Yet he thinks that the smaller
 companies now offering stand-alone monitoring
 products are only likely to see great success
 through acquisition by antivirus software
 companies. 
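As an added illustration (not code from MW, 7Pillars, or the consortium) of the MAC-based "trust map" MW describes at the top of the message: every approved app binary and data file gets a keyed MAC, and a check before load reports anything missing, altered, or never approved, which is how a staged second element dropped next to a trusted app would surface. HMAC-SHA256 stands in for the DES MAC of the period; the key, file names and contents are constructed for the demo.

```python
import hmac
import hashlib
from typing import Dict, List

# Constructed demo key. In a real deployment it would live in hardware (the
# motherboard or drive-controller crypto service MW argues for), never on disk
# beside the files it protects.
TRUST_KEY = b"constructed-demo-key-do-not-reuse"

def mac_file(key: bytes, path: str, data: bytes) -> str:
    # Bind the MAC to the path as well as the content, so a validly MACed file
    # cannot be swapped into another location (a data file posing as the app).
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(path.encode() + b"\0")
    h.update(data)
    return h.hexdigest()

def build_trust_map(key: bytes, files: Dict[str, bytes]) -> Dict[str, str]:
    """Build the trust map: one MAC per approved app binary and data file."""
    return {path: mac_file(key, path, data) for path, data in files.items()}

def verify(key: bytes, trust_map: Dict[str, str],
           files: Dict[str, bytes]) -> List[str]:
    """Return findings; an empty list means every file validated."""
    findings = []
    for path, expected in trust_map.items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif not hmac.compare_digest(expected, mac_file(key, path, files[path])):
            findings.append(f"tampered: {path}")
    for path in files:
        if path not in trust_map:
            findings.append(f"untrusted (no MAC): {path}")
    return findings

# Constructed sample "disk": an approved viewer plus the data it may touch.
APPROVED = {
    "apps/viewer.bin": b"\x7fELF trusted viewer v1",
    "data/config.ini": b"allow_net=0\n",
}

def demo():
    trust_map = build_trust_map(TRUST_KEY, APPROVED)
    clean = verify(TRUST_KEY, trust_map, APPROVED)
    # Two-stage scenario: the approved binary is untouched, but its config was
    # flipped and an unlisted helper has appeared on disk.
    staged = dict(APPROVED)
    staged["data/config.ini"] = b"allow_net=1\n"
    staged["apps/helper.dll"] = b"dropped second element"
    return clean, verify(TRUST_KEY, trust_map, staged)
```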



This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:10:26 PDT