Hiding the backdoor

Regardless of the incident HBGary went through a few months ago, there is no denying that they are experts when it comes to "backdoors" and "rootkits". I only came across their blog a few days ago, http://www.hbgary.com/hbgary-blog. And I just remembered earlier that the blog has something interesting about "hiding backdoors", even in open source apps.

Archiving it here, in case their blog gets wiped again by Anonymous :p.

Plausibly Deniable Exploitation and Sabotage
My suggestion is people should distrust most "black boxes" – and open source may as well be a black box as well – the apparent security offered by the "thousand eyes on the code" is obviously cast into question with the recent OpenBSD IPSEC allegation. Yes, if IRC source code is backdoored, yawn. But if OpenSSL source code is backdoored, pay attention. While it's commonplace for malware developers to backdoor each other's work and offer it up for "re-download" (typically with a claim of "FUD!"), there is a long history of subverted security tools (remember Dsniff & Fragroute?) and infrastructure products (ProFTPD, TCPWrapper), even routers (Cisco's hidden backdoor admin accounts). Ever wonder why a certain firewall (manufactured overseas) was never deployed in the government?

Backdoors are commonplace. Wysopal at Veracode states “We find that hard-coded admin accounts and passwords are the most common security issue.”

Let me suggest one of the more insidious ways a backdoor can be placed. It’s the insertion of a software coding error that results in a reliably exploitable bug. Considering how hard it is to develop reliable exploits, consider then how easy it would be to bake a few in. It would escape detection by the open source community potentially for years (as the IPSEC case may suggest) and may even be difficult to attribute.

If you want some fun with backdoors, check out the Backdoor Hiding Contest sponsored by the good people at Core Security – hopefully they will sponsor another contest next year.
–Greg Hoglund

HBGary is known to be close to .gov through their various secret projects, so it seems the "hidden backdoor" information, especially the part about "tainting open source developers" to plant a high-class backdoor in the form of a bug that is "extremely difficult to discover / exploit", is indeed valid.
