Trap doors Method of bypassing normal authentication methods Remains hidden to casual inspection Can be a new program to be installed Can modify an existing program Also known as Back Doors
Logic Bombs Piece of code that executes itself when pre- defined conditions are met Logic Bombs that execute on certain days are known as Time Bombs Code performs some payload not expected by the user. Shareware that deactivates itself are not logic bombs.
Backdoor History Made famous in the movie War games 2003, an attempt was made to create a backdoor in the Linux Kernel Early versions of the Sobig Virus in 2003 installed backdoors to send its spam. MyDoom virus in early 2004 created a backdoor on port 3127 to send spam
Backdoor History No one really knows often backdoors are inserted into software Some people speculate it is a prevalent practice in the industry Most backdoors are obvious and clumsy
Backdoor History The attempted Linux backdoor is more sophisticated if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -EINVAL; Under casual inspection looks like it is just checking two flags, but actually setting the UID to root Required good knowledge of Linux Kernel Only caught because the part of code this line is contained in was modified manually rather than automatically as the section it was in was. Caught during a file integrity check near release
Logic Bomb History Some of the very first viruses had logic bombs Friday the 13 th Virus duplicated itself every Friday of the month and on the 13 th causing slowdown on networks Michelangelo Virus, one of the first viruses to get news coverage, execute itself on March 6 th and tried to damage hard-disks
Logic Bomb History 1985 a programmer at a insurance firm in Texas wrote a logic bomb that modified a data retrieval function to rewrite part of main memory, rename itself, relocate itself, then power down the computer. 1992 a programmer at General Dynamics was fined $5,000 Dollars that he was going to come back later and charge to remove.
Logic Bomb History Win32.Kriz.3862 virus in 1999 executed itself on Christmas Day and causes serious damage by overwriting massive amounts of data on the hard disk and rewriting the BIOS In 2000, a Deutsche Morgan Grenfell a securities trader who had initially been hired as a programmer was charged with inserting a logic bomb.
Protection Difficult to prevent truly determined hackers Requires thorough commitment to quality assurance, strict separation of programming duties, and strict security practices after deployment.
Protection Continued Segregate operations from programming and testing Have a carefully controlled process from for moving code into production Give only operations staff write-access to production code Lock down production code so that is as close to impossible for unauthorized people to modify programs Assign responsibility for specific production programs to named positions in operations Maintain a list of authorized programmers for authorized quality assurance officer before accepting changes to production Keep records of exactly which modifications were installed when and at whose request Keep audit trails running at all times and have them include a checksum not only be based on the record but the record that comes before it.
Protection Continued Some of these seem more obvious than others Not all of these practices are used Many companies are not willing or are not able to commit the resources needed for quality assurance and extensive security measures.
Hacking in Media Hackers are often glorified by the press and in the media Hackers that get caught are often young and written off as misguided youth Anti-Hacking Laws have been enacted that dramatically increase the penalties for anyone caught
Ethical Questions Should software producers be allowed to include Logic Bombs to ensure final payment? According to the government…no. But how many do? Probably a lot.
Legitimate Logic Bombs Software openly time-limited Problems arise if company stops supporting this product Problems arise if a company goes out of business
Summary Trap Doors can provide access to a system for unauthorized procedures Logic Bombs execute malicious code at certain time Total Security is difficult How unethical are these practices, should they ever be legal?
Resources Protecting against program threats http://www.unix.org.ua/orelly/networking/puis/ch11_01.htm http://www.unix.org.ua/orelly/networking/puis/ch11_01.htm Conway, Richard. 2 Code hacking : a developer's guide to network security 2004. A guide to protecting your computer systems from hackers. http://www.securitymanagement.com/library/Harden0201.html http://www.securitymanagement.com/library/Harden0201.html Logic Bombs. http://www.nwfusion.com/newsletters/sec/2002/01514405.htmlhttp://www.nwfusion.com/newsletters/sec/2002/01514405.html Thwarted Linux backdoor hints at smarter hackers. http://www.securityfocus.com/news/7388 http://www.securityfocus.com/news/7388 Backdoor – Wikipedia, the Free Encyclopedia.