Thursday, February 23, 2012

Security 101: Attack Vectors Take Advantage of User Interaction

Welcome back to Security 101. Our New Year’s recess is over, and it’s time to offer another lesson.
So far we have discussed vulnerabilities and some types of low-interaction attack vectors. In this lesson we shall continue with attack vectors that require medium or high levels of user interaction to succeed.

These attack vectors are more dangerous because their success relies on the victims, which means that they can work in multiple “buildings” in parallel. (Recall our analogy of comparing a system to a building.) An attacker who uses these vectors also has an advantage that does not depend on technology: the human factor. Humans are curious by nature and, even when we don’t care to admit it, gullible. Almost anyone, no matter how cautious, can be tricked into being a victim of an attack or helping an attacker.

But we’ll delve into the topic of social engineering another time. For now we’ll focus on the vectors themselves. These vectors may require as much work from attackers as the low-interaction ones. Most of the time goes into assembling a malicious website or something similar.

Medium Interaction

Website/mail elements: Visiting a website is usually only a click away, especially if you just happen to be “in the neighborhood.” Think of all the advertisements you see while navigating the web. How many times have you been tempted to click an interesting ad, or follow a mail with a convenient offer? Any of these sites could host an attack or a piece of malware. The whole site need not be malicious, just one hidden element or image will suffice. When you enter a site, your browser tries to load all of the page’s elements; when it reaches the malicious part, the attack executes. Attackers can use this vector to exploit almost every kind of vulnerability because the attack happens online. The disadvantage for the attacker is that this vector requires a vulnerability in your browser to work.

High Interaction

Corrupted files: This broadly works in the same way as website vulnerabilities. An attacker places a file that contains an exploit on some part of the web. It can be a peer-to-peer network, FTP site, art gallery, free software site, you name it, or the attacker can send the file directly to you by mail. You download the file, open it, and Wham!: The exploit runs. The most visible difference is that the victim actually needs to find the file and open it. And that’s why this vector is usually disguised as tempting celebrity photos, work documents, or even free tickets to a concert. These attacks are often widely advertised (social networks anyone?). Because this vector employs the victim’s computer, it is mostly used for exploiting denial of service or remote code execution vulnerabilities. In the latter case, inside the file there’s a small piece of code that communicates with the attacker’s computer or server, allowing access to the victim’s machine.

So next time you see a “OMG, awesome video of <celebrity name> here!” link, don’t just think twice. Don’t open it at all. The most probable outcome is that you’ll open the doors of your “building” to complete strangers and you’ll never know it. Next time we’ll see how the human factor fits into attacks, with a post about social engineering.

By Francisca Moreno