I worked on this sort of attack technology many years ago (they're binary systems--one comes in as a trusted, non-threatening app, and waits for the second element; macro viruses are the same gimmick); this is one of the reasons why I developed a fairly elaborate security metaphor using crypto message authentication coding (DES MAC at the time was state of the art)--you could 'validate' the trusted app, but you had to also start MACing data files, tracking the memory map, watching the execution stack and referencing it against the trust map, etc. I mention it in more detail for those interested in my paper on Defense-In-Depth (on http://www.7pillars.com/ ), but as more and more of this technology gets reinvented/discovered in the threat community, it increases the pressure to fix the problems at the hardware level (yes, including putting crypto services on the motherboard or drive controller).

MW

Planning for the Applet Threat
by Chris Oakes
6:31pm 30.Jun.98.PDT

The latest security threat to corporate networks and computers on the Internet has been identified and, on Tuesday, an industry consortium came into being to combat it.

The threat? Small software programs, or applets -- distributed via the Internet mainly as Java and ActiveX programs -- that steal or damage electronic data.

Over the next few months the new group, calling itself the Malicious Mobile Code Consortium, plans to set up a Web site detailing its findings and proposing policies and guidelines for defeating the threat.

The consortium was formed by the International Computer Security Association (ICSA), and charter members include Advanced Computer Research, Computer Associates (CA), Dr. Solomon's Software, eSafe Technologies, Finjan, Quarterdeck Corp. (QDEK), and Symantec (SYMC).

The consortium's name is derived from the generic term it uses for hostile Java applets and other "malicious mobile code."
The code is defined as any Internet-delivered auto-executable program, delivered in the form of ActiveX, Java, or other HTML-based plugins, that employs so-called helper programs on a user's hard disk to access unauthorized files and deliver them to the applet's author.

"Numerous attacks have already been publicly reported," said consortium manager Dave Harper at a Tuesday press conference. He cited a computer club's demonstration of an ActiveX control that could electronically transfer funds without a user's knowledge and another program capable of working through America Online software to steal account information and delete local files.

The functions that mobile code can perform are potent, added Bill Lyons, CEO of Finjan, a company offering detection software. "They're all legitimate functions. They can open network connections, read a file, write a file, destroy a file. But typically this isn't destruction. It's more espionage and copying files."

Lyons says there is no doubt about the arrival of the "mobile code" threat. "It's not something you can prevent or stop. It's coming, so what you want to do is manage it. And you're not going to manage it by denial."

Security expert Peter Neumann says the ICSA is probably performing a useful function in pulling together the consortium. However, he warns that, as with any risk, companies should beware of easy answers. "There are many weak links," he wrote in an email. "Efforts to close up just a few holes are not satisfactory."

For now, the threat posed by these next-generation electronic demons is largely hypothetical. "You can't get around the fact that there are not any known threats today," said Ted Julian, analyst for Forrester Research.

Still, Julian is convinced of the threat posed by applets, and the demonstration applets he's seen have shown impressive capabilities. "They're pretty scary demos," he said. "They'll shut down your system, erase your hard drive, take password files.... It's a big issue."
He says Forrester is convinced that these kinds of attacks will definitely become more real than hypothetical. Forrester's research shows that over 90 percent of security managers in corporations are concerned about Java and ActiveX security, but 72 percent are allowing them in without a defense strategy.

Truly effective defense, Julian said, will come from building code-monitoring detection utilities into currently installed antivirus software. Companies working on such technology include Finjan, eSafe, and Security Seven. "Given the absence of known threats, we don't think it makes sense to buy a separate product," he said. "Our advice is that [security managers] wait until antivirus providers include code monitoring protection."

Vendors are currently showing inadequate interest in addressing the threat of malicious mobile code, Julian said. Yet he thinks that the smaller companies now offering stand-alone monitoring products are only likely to see great success through acquisition by antivirus software companies.
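The two-element attack and the MAC-based "trust map" that MW describes at the top of the post, as an added example that is not from the post or the 7pillars paper: HMAC-SHA256 stands in for the DES MAC of that era, and the key, file names and file contents are all constructed. It shows why validating only the trusted app misses the second element when it arrives as a data file.

```python
# Added example (not from the original post): a keyed-MAC "trust map" over
# both a trusted program and the data files it consumes. HMAC-SHA256 replaces
# the DES MAC mentioned in the post; key, names and contents are constructed.
import hmac
import hashlib

KEY = b"demo-key-kept-in-protected-storage"  # constructed placeholder key


def mac(data: bytes) -> str:
    """Keyed MAC of a file's bytes; without KEY the tag cannot be forged."""
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def build_trust_map(files: dict) -> dict:
    """Record a MAC for every file the trusted app depends on, not just its code."""
    return {name: mac(content) for name, content in files.items()}


def verify(files: dict, trust_map: dict) -> list:
    """Return names of files that fail MAC verification (missing or altered)."""
    failed = []
    for name, expected in trust_map.items():
        actual = files.get(name)
        if actual is None or not hmac.compare_digest(mac(actual), expected):
            failed.append(name)
    return failed


# Constructed sample: a "trusted" app plus a macro-style data file it loads.
BASELINE = {
    "app.exe": b"\x4d\x5a trusted-app-binary",
    "report.doc": b"DOC: quarterly figures, no macros",
}
TRUST_MAP = build_trust_map(BASELINE)
CODE_ONLY_MAP = {"app.exe": TRUST_MAP["app.exe"]}  # validates the app alone

# The second element of the attack arrives as a modified data file.
TAMPERED = dict(BASELINE, **{"report.doc": b"DOC: quarterly figures AUTOEXEC"})


def code_only_detects() -> bool:
    return bool(verify(TAMPERED, CODE_ONLY_MAP))   # False: app itself unchanged


def full_map_detects() -> list:
    return verify(TAMPERED, TRUST_MAP)              # ['report.doc']


if __name__ == "__main__":
    print("code-only check flags tampering:", code_only_detects())
    print("full trust map flags:", full_map_detects())
```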
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:10:26 PDT