Friday, December 4, 2009

Tactics

Each vulnerability has a unique location, in network-relative terms, where the attacker must be in order for the attack to take place. Each of these positions is described relative to the attacker's point of access. The possible tactics are:

• Physical Access

• Internal Access

• Client

• Server

• Man-in-the-Middle

Physical Access

[Figure: Victim's Server]

A person has physical access when they are in the proximity of the computer. If a person can sit down at the console to perform a command, then that user has slightly more access than even a regular user, even if they do not already have an account on the computer. It could be argued (and with good reason) that a person at the console, even without an account, has more power over the computer than the supervisor of the machine has from a network location.

Most physical access vulnerabilities are, for the sake of cataloging, ignored unless the vulnerability actually circumvents security put in place to stop an attack. For example, smashing the computer with a hammer is not catalogued, while knowing a backdoor to the BIOS password would be listed.

Local Access

When a person has access to execute arbitrary commands on the host directly, they are considered to have "local" access. Some examples of this would be accessing a computer through the "telnet", "remote shell", or "secure remote shell" daemons. File servers are considered to give local access if the user can navigate the file structure.

Server Access

Computers attached to networks (of any sort: TCP/IP, telephone, etc.) can often be compromised because of a service that runs on the host and that outsiders may connect to. By sending this service commands in a certain way, they may gain access to other resources. This is often considered "remote" access; it is particularly dangerous and is watched for carefully in the security industry. Vulnerabilities of this nature are given the highest priority.

Client Side

When a user accesses a server on the network, the client exposes itself to the possibility of taking hostile commands from the server. In general, clients should not trust servers too much, but unfortunately they are required to operate with some faith. World Wide Web browser software is one of the most susceptible clients that exist, but virtually all clients have some weaknesses that can be exploited. Because most security attention seems to be focused on the server side, in many cases the client side may be vulnerable.

Man-in-the-Middle

[Figure: Man-in-the-Middle; labels: Victim's Server, Victim's Workstation, Intruder]

When a person is in a location where they can observe, or intercept and control, information passing between two hosts, they are considered to have a "Man-in-the-Middle" perspective. Often, useful security information (as well as information which people would want to steal) is transferred between computers in "cleartext" (meaning "unencrypted"), so that it can easily be used to break into other computers. Some implementations of public-key encryption can be circumvented by an attacker who can intercept and replace keys by masquerading as each of the two endpoints to the other. Basically, any attempt to exploit the network topology at the data level would be considered a Man-in-the-Middle attack.


Cumulative Tactics

Tactics don't have to be limited to a single approach per exploit; some exploits require a combination of tactics to reach a single goal.

Sample Vulnerability [DNS Race Condition, Rik Farrow]

A vulnerability exists in DNS Bind that can allow an attacker to spoof their identity. If the attacker connects to a server with a name that is not already cached by the site's DNS server, the DNS server will connect to its primary DNS server to receive the name for the host. If the attacker sends a reply back to the victim's DNS server containing a forged packet with a falsified DNS entry, and that packet arrives before the primary DNS server's reply, the victim's computer will accept the falsified DNS packet as true.
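The race described above, modelled as an added example that is not part of the original post or of BIND itself: a toy resolver in its vulnerable form accepts the first reply for a pending name, while the hardened form also requires the reply to carry the transaction ID and destination port of the query it actually sent. The host name and addresses are constructed sample values.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsReply:
    name: str
    answer: str
    txid: int       # transaction ID the reply claims to answer
    dst_port: int   # UDP port on the resolver the reply is addressed to


class Resolver:
    """Toy caching resolver. strict=False takes the first reply for a pending
    name (the behaviour the vulnerability relies on); strict=True additionally
    demands the txid and port of its own outstanding query."""

    def __init__(self, strict: bool, rng: random.Random):
        self.strict = strict
        self.rng = rng
        self.cache: dict[str, str] = {}
        self.pending: dict[str, tuple[int, int]] = {}  # name -> (txid, port)

    def query(self, name: str) -> tuple[int, int]:
        txid = self.rng.randrange(1 << 16)          # 16-bit transaction ID
        port = self.rng.randrange(1024, 1 << 16)    # random source port
        self.pending[name] = (txid, port)
        return txid, port

    def receive(self, reply: DnsReply) -> bool:
        """Return True if the reply was accepted into the cache."""
        if reply.name not in self.pending or reply.name in self.cache:
            return False
        if self.strict and (reply.txid, reply.dst_port) != self.pending[reply.name]:
            return False                             # does not match our query
        self.cache[reply.name] = reply.answer
        del self.pending[reply.name]
        return True


def race(strict: bool, seed: int = 1) -> str:
    """Replay the race: a forged reply that never saw the query arrives before
    the legitimate one. Returns the address the resolver ends up caching."""
    r = Resolver(strict, random.Random(seed))
    name = "host.example"                            # constructed sample name
    txid, port = r.query(name)
    forged = DnsReply(name, "192.0.2.66", txid=0, dst_port=53)   # guessed values
    legit = DnsReply(name, "192.0.2.10", txid=txid, dst_port=port)
    r.receive(forged)                                # arrives first
    r.receive(legit)                                 # arrives second
    return r.cache[name]
```

`race(strict=False)` caches the forged address, `race(strict=True)` the legitimate one; the difference is only the match on the query's own identifiers.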

Let's break this clever attack into tactics:

The initial tactic is clearly a server attack, because the client initiated it. However, just connecting to the host was enough to cause it to perform an identity check, but not enough to actually cause an exploit. The actual security breach occurred when the second tactic was added: a man-in-the-middle injection of a forged packet. So the tactics look like this:
