Regardless of the incident HBGary suffered a few months ago, it cannot be denied that they are experts when it comes to "backdoors" and "rootkits". I only came across their blog a few days ago, http://www.hbgary.com/hbgary-blog, and just remembered that the blog has an interesting piece about "hiding backdoors", even in open source apps.
Archiving it here, in case their blog gets wiped out again by Anonymous :p.
Plausibly Deniable Exploitation and Sabotage
My suggestion is people should distrust most “black boxes” – and open source may as well be a black box – the apparent security offered by the “thousand eyes on the code” is obviously cast into question with the recent OpenBSD IPSEC allegation. Yes, if IRC source code is backdoored, yawn. But if OpenSSL source code is backdoored, pay attention. While it’s commonplace for malware developers to backdoor each other’s work and offer it up for “re-download” (typically with a claim of “FUD!”), there is a long history of subverted security tools (remember Dsniff & Fragroute?) and infrastructure products (ProFTPD, TCPWrapper), even routers (Cisco’s hidden backdoor admin accounts). Ever wonder why a certain firewall (manufactured overseas) was never deployed in the government?
Backdoors are commonplace. Wysopal at Veracode states “We find that hard-coded admin accounts and passwords are the most common security issue.”
Let me suggest one of the more insidious ways a backdoor can be placed. It’s the insertion of a software coding error that results in a reliably exploitable bug. Considering how hard it is to develop reliable exploits, consider then how easy it would be to bake a few in. It would escape detection by the open source community potentially for years (as the IPSEC case may suggest) and may even be difficult to attribute.
If you want some fun with backdoors, check out the Backdoor Hiding Contest sponsored by the good people at Core Security – hopefully they will sponsor another contest next year.
HBGary is known to be close to .gov through their various secret projects, so it seems the "hidden backdoor" information, especially the part about "tainting open source developers" to plant a high-class backdoor in the form of a bug that is "extremely difficult to discover / exploit", is indeed valid.