Georg Lukas, 2016-12-22 18:25

It is this time of the year again, and so we are proud to present a special revelation for Christmas!

The Brothers Grimm were not only academics, linguists, cultural researchers, lexicographers and authors, but also the world's first IT Security analysts. They wrote their so called fairy tales to document different kinds of security vulnerabilities, attacks and even some countermeasures. This article analyzes select examples and emphasizes the relevant lessons. Basic knowledge of the referenced stories is required to follow the analysis.

Rumpelstiltskin - A Badly Implemented Crypto Locker

Rumpelstiltskin, a typical script kiddie, lures the miller's daughter to install a crypto locker Trojan. Once she becomes the queen, the crypto locker makes her firstborn child inaccessible, providing a three-day unlock period.

Fortunately for the royal family, the implementation is flawed in two ways. Not only does it lack protection against brute force attacks, it also has a very weak password hard-coded into it.

The queen organizes a massively parallel brute force attack, employing all of the kingdom's available system resources. Finally, she manages to guess the right password and is able to regain access to her firstborn.

Lessons:

  • Never install software from untrusted sources.
  • Do not use your username as your password.
  • Properly protect your system against brute-force attacks.

The Wolf and the Seven Young Goats - Outsourced Biometric Access Control Systems

The Big Bad Wolf is an obvious black-hat actor who wants to gain access to the goats' house. The mother goat, who needs to leave the home, has put into place a biometric access control system based on two factors: optical paw recognition and voice identification.

However, instead of deploying an implementation with known failure rate characteristics, she creates an insufficient requirements specification ("you will know him at once by his rough voice and his black feet.") and outsources the implementation to her kids, who do not have prior experience or formal education in the domain.

Besides creating an implementation that uses too few biometric features to allow for a robust identification and authentication, the presented solution also exposes the exact cause of the authentication failure to the attacker ("[Our mother] has a soft, pleasant voice, but your voice is rough, you are the wolf." and "our mother has not black feet like you, you are the wolf."). This exposure of internal error causes allows the attacker to improve his approach and to succeed at the third attempt.

Lessons:

  • Take the time to properly specify security system requirements.
  • Do not outsource the development of mission-critical systems.
  • Only use biometrics as a supplementary mechanism to another access control system.
  • Do not expose internal error messages to potential attackers.
  • Properly protect your system against brute-force attacks.
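To make the "do not expose internal error messages" and "protect against brute-force" lessons from the Rumpelstiltskin and goat stories concrete, here is an added example that is not part of the original article: the kids' two-factor door check in a leaky version that names the failing factor, beside a hardened version that answers generically and locks after repeated failures. The reference profile, the lockout threshold and the wolf's attempt sequence are constructed for the illustration.

```python
# Added example, not from the original article: the goats' two-factor door
# check as a verbose version that leaks which factor failed, beside a
# hardened version that gives one generic answer and locks after repeated
# failures. Profile values, threshold and attempt sequence are constructed.

EXPECTED = {"voice": "soft", "feet": "white"}  # constructed reference profile
MAX_ATTEMPTS = 2                                # lockout threshold (assumed)


def leaky_check(voice, feet):
    """Returns the exact reason for rejection, as the kids did in the story."""
    if voice != EXPECTED["voice"]:
        return False, "your voice is rough, you are the wolf"
    if feet != EXPECTED["feet"]:
        return False, "our mother has not black feet like you, you are the wolf"
    return True, "welcome"


class HardenedDoor:
    """Evaluates all factors, answers generically and counts failures."""

    def __init__(self):
        self.failures = 0

    def check(self, voice, feet):
        if self.failures >= MAX_ATTEMPTS:
            return False, "door locked, fetch the mother"
        # Compare every factor before answering so the reply carries no
        # hint about which one mismatched.
        voice_ok = voice == EXPECTED["voice"]
        feet_ok = feet == EXPECTED["feet"]
        if not (voice_ok and feet_ok):
            self.failures += 1
            return False, "you are not our mother"
        self.failures = 0
        return True, "welcome"


# The wolf's three attempts from the story: first as he is, then with a
# corrected voice, then with corrected voice and whitened feet.
WOLF_ATTEMPTS = [("rough", "black"), ("soft", "black"), ("soft", "white")]


def run_wolf(check):
    """Feeds the attempt sequence to a check function; returns the verdicts."""
    return [check(voice, feet) for voice, feet in WOLF_ATTEMPTS]


if __name__ == "__main__":
    print("leaky:   ", run_wolf(leaky_check))
    print("hardened:", run_wolf(HardenedDoor().check))
```

Against the leaky door the third attempt succeeds; against the hardened door the first two failures trigger the lockout, so the third (correct) attempt is still refused.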

Snow White - Social Media and Identity Theft

After hunting the young Snow White out of the family home, the queen stepmother is watching social media for signs of beautiful people (using a monitoring application called the "wonderful looking-glass"). She deploys a self-written face recognition algorithm that scans pictures tagged as #beautiful and returns a beauty index value (unfortunately, this detail is lost in the English translation. The German original reads "Aber Schneewittchen ist tausendmal schöner als Ihr." - "Snow White is a thousand times as beautiful as you are.").

Meanwhile Snow White, who is living in a safe house operated by the Seven Dwarfs charity organization, ignores the instructions to leave behind her social media presence, and posts geo-tagged selfies without properly scrubbing the metadata.

The queen's monitoring application notifies her of the newly analyzed pictures. Alerted by this, she obtains Snow White's geo-location from the pictures and performs a series of social engineering attacks. She uses stolen identity information from different sales representatives to successfully gain access to the safe house and to eventually poison Snow White.

Lessons:

  • Stop using your social media when going undercover, no matter how hard it is.
  • Social engineering is very effective, and in most cases it is not sufficient to teach employees about it. Additional safeguards like double checking are needed.

Sleeping Beauty - Exploiting an Off-by-One Remote Vulnerability

The kingdom in question has thirteen IT security experts (which due to the lack of better wording in 1857 were called "the wise women"). One of them was not invited to the release party, so instead she performs an unsolicited penetration test. During her testing, she creates a specially-crafted message ("The king's daughter shall in her fifteenth year prick herself with a spindle, and fall down dead.") that exploits an off-by-one vulnerability in the dining service implementation.

Initially, the message was designed to crash the newly-forked child thread, but due to sandboxing and ASLR techniques deployed by the twelfth wise woman, the whole application gets suspended into the interactive debugging console instead. This event triggers an automatic firewall rule temporarily blocking all external access to the application.

Due to the lack of a monitoring system, the production service is down for a noticeable time ("asleep for a hundred years"), but eventually, a rock-star developer is found and hired (the "king's son"). He is able to circumvent the firewall and to access the server console. From there, he reconstructs the stack and is able to continue application execution, and they live contented to the end of their days.

Lessons:

  • Bug bounties are a good way to focus curiosity and to learn about vulnerabilities.
  • Production services should be properly monitored to detect downtime.

Have a nice holiday season and a merry new year!

Comments on HN