Network Security Vuln-Dev

RE: On classifying attacks

Date: Tue, 19 Jul 2005 09:11:00 -0400
You might try re-using the rather large effort that went into the CERT
taxonomy:
http://www.cert.org/research/taxonomy_988667.pdf

You'll note the complete lack of "local" and "remote" in the taxonomy.

The email example of "rm -r /*" being executed would be:
Attack:
        Tool: Information Exchange
        Vulnerability: Design
        Action: Delete
        Target: Data
        Unauthorized Result: Corruption of Information

Remote exploit of Bind (causing "rm -r /*" to be executed):
Attack:
        Tool: User Command
        Vulnerability: Design
        Action: Delete
        Target: Data
        Unauthorized Result: Corruption of Information  

Remote exploit of Bind (causing a shell to be opened):
Attack:
        Tool: User Command
        Vulnerability: Design
        Action: Bypass
        Target: Account
        Unauthorized Result: Increased Access


If you really want to stick with "remote" and "local" I think you can
define them thusly:
Remote -- control/access of resources occurs from outside the
machine/network
Local -- control/access of resources occurs on the local machine (i.e.
no network connection required)

Using this definition the email example is local and both bind examples
are remote.  The bind vulnerabilities are completely solved by
unplugging the machines from the network whereas the email machine may
still be vulnerable after being disconnected.

        
_______________________________
Michael D. Black, MSIA, CISSP, IAM
Information Systems Security Officer
Essex Corporation
black@essexcorp.com
-----Original Message-----
From: Crispin Cowan [mailto:crispin@novell.com] 
Sent: Sunday, July 17, 2005 4:59 AM
To: James Longstreet
Cc: Derek Martin; bugtraq@securityfocus.com
Subject: Re: On classifying attacks

James Longstreet wrote:
> On Jul 14, 2005, at 9:39 PM, Derek Martin wrote:
>
>> This kind of attack has a name already: it is a trojan horse.
>> <snip>
>> But is this a remote exploit?
>
> No, it's not an exploit at all.  Systems are not vulnerable to it
> unless a local user runs an executable.  The only thing it exploits
> is trust of email (or similar vector).

But it is a remote *attack*. There is no other word for it than "remote"
when the attacker is not local.

Which is not to say that the distinction Derek raised is invalid; there
certainly is a semantic difference between an attack delivered by an
e-mail, which does nothing until the user reads it or clicks on
something, and a traditional remote attack where the attacker exploits a
flaw in a program that is listening. Such a program typically is a
server (BIND, Apache, Sendmail) but could also be a client (Gaim).
Pushing the boundaries, the program could be a web browser, where the
attack does happen immediately, does not involve a Trojan, but does
still require the user to do something like click a particular URL.

So what we have is a very complicated space full of adjectives:

    * Attack: doing bad stuff to someone else's stuff.
    * Vulnerability: an unfortunate software flaw or configuration that
      enables an attack. It might be very specific, such as a buffer
      overflow vulnerability in a particular program, or it might be
      very general, such as "running Outlook with administrator
      privilege".
    * Exploit: software that automates attacking a vulnerability.
          o *Note:* by this definition, an e-mail virus that leverages
            the common fact that many users run Outlook as administrator
            is in fact an "exploit", even if it is a weak one.
    * Remote: attacker is over there somewhere, usually across some kind
      of network.
    * Local: attacker and victim are connected to the same computer.
          o *Note:* in common parlance, this usually means that the
            attacker must compose a local vulnerability with some other
            vulnerability that will get them a login shell on the
            machine to be attacked, or must be granted legitimate access
            to the machine.

These terms are all commonly used in Bugtraq discussions, and I believe
these definitions follow common usage. Using these terms precisely is
important.

Yet none of them capture the distinction Derek pointed out, and so
perhaps we need a new term. We could say that attacks against connected
programs like BIND and Gaim are "synchronous" and attacks that involve
sending now for impact later such as e-mailed malware are
"asynchronous".

Crispin
-- 
Crispin Cowan, Ph.D.                      http://immunix.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
