On 8/17/07, Gary McGraw <[EMAIL PROTECTED]> wrote:
> Hi,
>
> The point here is NOT to pull a person-in-the-middle attack against the
> protocol, but rather to subvert the client completely and have the subverted
> client do all of your talking for you. The most advanced (game)bot
> techniques that we describe in EOG work by shimming (in an almost invisible
> way) the game client, then setting up a communication channel with another
> processor after a hardware interrupt in the main game thread is thrown. For
> those of you with the book, see pages 228-230.
>
> A less hairy approach is to attach to the game client as a debugger and just
> call methods like there's no tomorrow. The only problem with that approach
> is it is like stomping around in the mud puddle and you are likely to be
> detected.
>
> Effectively then, you ARE the client. That's why I think it's more of an
> "insider" attack
> than your standard BO sploit.

how is this different than sending malformed packets to an rpc interface? the rpc would normally take its protocol from some app; but what you, as the smart attacker, have done is to review the app, exploit its weaknesses in client-side protocol assumptions (client will always send correctly formed packets) and profit. seems like the classic remote exploit development strategy.

you are also 'mixing in' a "bot" as an "exploit". it's not an exploit of the game in terms of compromising it; what you're actually compromising is the in-game protocols (not out-of-game-and-operating-system protocols). for example, there is a korean game for which you can buy a physical device that you attach to your mouse that plays the game for you. what sort of attack is this? it isn't any sort of classical attack. it's an automation of the game. which is a problem, granted, but not an 'insider attack'.

why blur the line on what insider attack means? it will only make life worse/easier for CTOs to fob it off as too hard. if you specifically define it, it can be acted on and solved. expanding the definition will only complicate matters, imho.

> gem
>
> p.s. I added a little bit of data on the justice league blog about this:
> http://www.cigital.com/justiceleague/2007/08/16/software-the-new-insider-threat/
>
>
> -----Original Message-----
> From: silky [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 14, 2007 7:44 PM
> To: Gary McGraw
> Cc: SC-L@securecoding.org
> Subject: Re: [SC-L] Insider threats and software
>
> i really don't see how this is at all an 'insider' attack; given that
> it is the common attack vector for almost every single remote exploit
> strategy; look into the inner protocol of the specific app and form
> your own messages to exploit it.
>
>
> On 8/15/07, Gary McGraw <[EMAIL PROTECTED]> wrote:
> > Hi sc-l,
> >
> > My darkreading column this month is devoted to insiders, but with a twist.
> > In this article, I argue that software components which run on untrusted
> > clients (AJAX anyone? WoW clients?) are an interesting new flavor of
> > insider attack.
> >
> > Check it out:
> > http://www.darkreading.com/document.asp?doc_id=131477&WT.svl=column1_1
> >
> > What do you think? Is this a logical stretch or something obvious?
> >
> > gem
> >
> > company www.cigital.com
> > podcast www.cigital.com/silverbullet
> > blog www.cigital.com/justiceleague
> > book www.swsec.com
> >
> > _______________________________________________
> > Secure Coding mailing list (SC-L) SC-L@securecoding.org
> > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> > List charter available at - http://www.securecoding.org/list/charter.php
> > SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> > as a free, non-commercial service to the software security community.
> > _______________________________________________
> >
>
> --
> mike
> http://lets.coozi.com.au/

--
mike
http://lets.coozi.com.au/