RE: On classifying attacks

From: Black, Michael (black_at_EssexCorp.com)
Date: 07/25/05

  • Next message: Casper.Dik_at_Sun.COM: "Re: Peter Gutmann data deletion theaory?" 
    Date: Mon, 25 Jul 2005 08:28:46 -0400
To: "Crispin Cowan" <crispin@novell.com>, "Technica Forensis" <forensis.technica@gmail.com>

    Perhaps the current popularity of remote/local terms comes from the
    Lincoln Labs studies done in 1998:
    http://www.usenix.org/events/sec99/full_papers/ghosh/ghosh_html/

    Attacks were divided into four categories:
            denial of service
            probing/surveillance
            remote to local
            user to root attacks

    In the email examples given so far (note that nothing of similarity was
    in the LL study) they would all be "remote to local".
    There's no need for trying to define a compound attack -- it serves no
    purpose. Plus the confusion that results from using just "remote" or
    "local" should be more than obvious to anybody reading this thread.

    If you don't want to use a formal taxonomy for talking about these
    things you will always suffer from misunderstanding. Dr Cowan makes
    this point below -- he apparently calls the email portion "local" and
    the social engineering "remote".

    I believe the original intent of the two "remote to local" and "user to
    root" classes was to distinguish the threat level. "user to root"
    implies that you only need worry about those people who have physical
    access to the target, and "remote to local" meant you had to worry about
    the millions of users on the internet. Then end result being you
    worried a heck of a lot more about "remote to local" than "user to root"
    (although both provide root access).
    _______________________________
    Michael D. Black, MSIA, CISSP, IAM
    Information Systems Security Officer
    Essex Corporation
    black@essexcorp.com

    -----Original Message-----
    From: Crispin Cowan [mailto:crispin@novell.com]
    Sent: Sunday, July 24, 2005 7:47 AM
    To: Technica Forensis
    Cc: Black, Michael; James Longstreet; Derek Martin;
    bugtraq@securityfocus.com
    Subject: Re: On classifying attacks

    Technica Forensis wrote:
    > This really depends on the situation. Say I write an exploit that
    > when run as a user spawns a listening ssh service with root priv. I
    > get on the system however I do, download this file and exec it. I
    > think everyone would agree that is a local exploit.
    > I send that same file as an email attachment to some dolt and peer
    > pressure him into running it. Just because I downloaded the file by
    > emailing it to said dolt doesn't change the exploit from local to
    > remote. It potentially changes it from 'exploit' to trojan, but it is
    > still being executed locally.
    >
    That sounds like a compound attack with 2 stages:

        * a social engineering attack to get the victim to run the code
              o can be very simple like "please run this code"
              o can be very sophisticated, like phishing attacks carefully
                crafted to resemble legitimate mail to get the user to click
                on something
        * a local attack that happens when you run the malware

    What makes this compound attack "remote" is that the social engineering
    attack is remote.

    This makes most common viruses compound remote/local attacks with a
    remote social engineering attack to somehow induce the user to run a
    local attack. The exception to this is e-mail viruses that require no
    social engineering because they can exploit some flaw in the preview
    pane or such like so that the user only has to browse the mail to run
    the malware.

    Crispin 

    -- 
Crispin Cowan, Ph.D.                      http://immunix.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
  • Next message: Casper.Dik_at_Sun.COM: "Re: Peter Gutmann data deletion theaory?"
    • Quantcast