Bug Game Hunters day three: Oldies but goodies

What do top bug hunters think will be the security threats of the future? Oldies but goodies, they say, will never go away or lose their power

Yesterday: Bug Game Hunters target web applications

Bug Hunter Chris Spencer says last year's WMF vulnerability was an excellent example of undocumented functionality being exploited for nefarious purposes. "I think most vulnerability researchers figure the chances of finding a memory corruption bug in binary are much better then finding an undocumented feature which would usually require an exhaustive search," he says. "Many researchers simply fuzz test vulnerabilities, this technique is unlikely to uncover undocumented features."

Unlike memory corruption bugs, discovering undocumented features requires a good understanding of how the application functions, Spencer says.

Greg Shipley says hackery has never gone away. "I'm not sure traditional hacking ever went away. I mean, look at everyone modding things ranging from Tivos to Xboxes to iPods these days," he says. "Those efforts are very much alive and well. The art of hacking things to expand features and functionality never really left."

"The most impact I've seen in this area is simply the use of undocumented, embedded passwords. I thought most commercial development teams realised that this was a bad idea back in the 90s...but I've been proven wrong once again," Shipley adds. "The last embedded password issue I heard about was in a Cisco product, for example, and that was only earlier this year."

Famed ethical hacker Peiter "mudge" Zatko, who works for BBN Technologies in the United States, a company which contracts to "various US Government agencies," says we're headed for a Cold War of sorts in the data security arms race.

The way he sees it, virtual Reaganomics could help to defeat the bad guys in the cyber realm. "The really interesting aspect comes when you change the perceived asymmetric advantage that attackers have over to the defender. By doing so one can cause the attacker to have to spend more resources in their entire lifecycle than is worthwhile... while doing so with minimal costs to the defender," he says. "Think of this as the US versus USSR where the goal is to have the adversary cripple themselves by expending too much effort in areas where the reward or result is not cost appropriate."

Until the industry comes up with its own answer to a lasers in space concept, however, we'll have to wait and see.

Zatko argues buffer overflow type attacks are not fading into history. "Buffer overflows will still be around for some time to come. One simply need look at how they have progressed. From the early days when I was one of the pioneers in buffer overflows the focus was almost entirely stack based. Then came heap based overflow, (then others). Each of these subsequent forms of attack usually started to flourish, at least publicly, after various defensive mechanisms were put in place," he says. "So, while overflows will continue in the arms race against overflow protection mechanisms... these mechanisms are primarily being deployed on only specific platforms. What about all of the embedded systems out there?"

Like Zatko, Manzuik also cites embedded device security as an area of concern. "We have already seen some of this in 2007 and I am sure we will start to see more," he says.

Both Zatko and Manzuik pointed to a paper written by a Juniper staff researcher, Barnaby Jack, on attacks affecting ARM and XScale CPU architectures. Both say the research, found here, is a sign of things to come.

The continued onslaught of vulnerabilities and new attack classes has Shipley doubting a quick fix is around the corner. "I'd love a to have a teleporter but unfortunately I'm still stuck travelling in planes, trains, and automobiles like everyone else. Sometimes there is no quick-fix; sometimes the cure is simply an evolutionary step," he says. "That step might be a little uncomfortable...but we need to take it."

The modern enterprise needs to stop expecting solutions to security problems -- which are product defects -- to come from a cure-all technology, Shipley argues. "People keep looking for some uber-technology to help address what amounts to product defects," he says "First it was anti-virus software, then it was firewalls, then it was intrusion detection systems, then it was better vulnerability scanning and better patch-management. Then we got into intrusion 'prevention' -- what a great piece of marketing that was -- and now we're headed down the path of code and application scanners."

While Shipley acknowledges these technologies will all play a part, none of them will be a quick fix.

Read more on Security policy and user awareness