Security by numbers
Posted on 16 Jun 2008 at 11:06
This month, Davey Winder sets the security standard, reveals how humans can be hacked and doesn't get caught on video naked...
Unfortunately, if you up the bribe to a chance of winning a trip to Paris then the men become hooked, too, as 60% gave up their co-workers' names and telephone numbers when offered this incentive. Both sexes fail to understand the importance of your date of birth in the overall scheme of things, with 61% giving it up on request to a complete stranger in the street. When it comes to being generally password savvy the sexes also merge into one big mess, with 31% using a single password for everything and the same percentage using only two. Guess what? 43% of them never or "only rarely" change that password as well.
Buffer overflows are so passé
I know that buffer overflows remain one of the major routes for security exploits, and that they worry the average IT security person to their boots, but that could all soon be about to change and not for any reason that would be a cause to celebrate. The chances are that buffer overflows will soon be rendered obsolete by a class of defects just as nasty, namely "null pointer" security flaws. To be specific, null pointer de-referencing, and to be even more specific, exploits that work through the ActionScript virtual machine.
Google this topic and you should find an in-depth paper or three describing exactly what happens and why with regard to this ActionScript problem, and even a complete framework that enables you to exploit this de-referencing flaw if you're so inclined. I don't intend to delve that deep here, although I will just explain that buffer overflows and null pointer exploits have a lot in common - you can think of a null pointer de-reference as an event that happens when an application attempts to access memory through a pointer that holds a null value, an address at which there should be nothing. This ought to cause a fatal program error and halt execution, but as with buffer overflows some poorly coded applications don't do the decent thing by dropping dead (either quietly or kicking and screaming), but instead meekly permit clever rogues to access and execute code at arbitrary locations.
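As an added illustration of the defect class described above (this is not code from the column or from the ActionScript paper it mentions, and it does not reproduce that issue), here is the unchecked pattern in C next to a hardened form. The table structure, function names and status codes are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical record table; every name here is illustrative. */
struct table {
    uint32_t *slots;  /* NULL when the allocation failed */
    size_t count;     /* number of slots the caller asked for */
};

enum { STORE_OK = 0, STORE_NO_TABLE = -1, STORE_OUT_OF_RANGE = -2 };

/* Defect pattern, shown for contrast and never called: nothing checks
 * that slots is non-NULL or that index is in range. If the allocation
 * failed, slots[index] addresses NULL + index * 4. A small index faults
 * in the unmapped page at zero; a large index taken from input computes
 * an address far from zero, so a crash is not guaranteed. */
void store_unchecked(struct table *t, size_t index, uint32_t value) {
    t->slots[index] = value;
}

/* Hardened form: reject a missing table and an out-of-range index
 * before any memory is touched, and report which check failed. */
int store_checked(struct table *t, size_t index, uint32_t value) {
    if (t == NULL || t->slots == NULL)
        return STORE_NO_TABLE;
    if (index >= t->count)
        return STORE_OUT_OF_RANGE;
    t->slots[index] = value;
    return STORE_OK;
}

int main(void) {
    /* Constructed state: an allocation that failed but whose count was
     * still recorded, which is what the unchecked path would trust. */
    struct table failed = { NULL, 16 };
    struct table ok = { calloc(4, sizeof(uint32_t)), 4 };

    printf("failed table: %d\n", store_checked(&failed, 3, 7u));
    printf("valid index:  %d\n", store_checked(&ok, 2, 7u));
    printf("index 4 of 4: %d\n", store_checked(&ok, 4, 7u));
    free(ok.slots);
    return 0;
}
```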
With that ActionScript framework paper in circulation, and no doubt being absorbed by all the bad guys as we speak, there's now a simple route to the probing of applications to uncover any null pointer de-reference loopholes across multiple platforms. That's why I suspect this kind of vulnerability will soon kick off and hit the big time, and I'm not alone in this feeling: Geoff Sweeney, CTO at security outfit Tier-3, shared his concern with me, confirming that: "Null pointer security flaws are exploitable and could quickly replace buffer overflows as the next big threat. Null pointer de-referencing has not received anywhere near the same level of attention, which means that users need to be more vigilant."
Not least because many well-known and widely used applications resemble Swiss cheese in terms of the number of such holes in them. Don't just take my word for it, either - that's the conclusion of some 75% of the people who took part in another of those pre-InfoSecurity research surveys. Apparently, three-quarters of the companies questioned during the survey admitted that the applications they use probably have security holes in them large enough to be exploited by cybercriminals. The former cybersecurity advisor to the White House (yes, that White House) Professor Howard A Schmidt, who is now a director at Fortify Software, said at the time that "this figure of three quarters of organisations having security holes based on application vulnerabilities, while dramatic, is unfortunately not that surprising".