Cyber Security Institute

Monday, December 17, 2007

New Service Detects Backdoors in Software

Here’s something else to keep you up at night: most of today’s scanning tools can’t detect software backdoors that are inserted during the development process.  Researchers at Veracode have identified several different forms of these backdoors: some are inserted on purpose by the developer for debugging and can inadvertently put the application at risk, while others can be easily sneaked into applications by malicious coders or attackers.  Fortify Software researchers dub the malicious form of this threat “cross-build injection,” where vulnerabilities and malware such as backdoors are tucked into code during the software development process.  Veracode today also announced new features in its SecurityReview application security scanning service that detect some of these backdoors, which can sit quietly and invisibly in an application without your knowledge, leaving the door unlocked for an attacker to take over your machines.

“People doing manual code review look for vulnerabilities, but not typically for backdoors,” says Chris Wysopal, CTO and co-founder of Veracode.  “We built a metal detector for this.”  Wysopal says several of Veracode’s financial services customers had approached the company with concerns about this potential threat, both in the third-party software products they purchase and in the software their own developers write.

In a recent report on the risks of the Department of Defense’s dependence on software manufactured outside the U.S., the Defense Science Board (DSB) discusses the need to assure that software purchased by the DOD has not been sabotaged in any way.  Separately, 23 software packages that government employees might download as tools, or for developing applications for their agencies, were found to contain backdoors.

Special-credential backdoors are those where a developer or attacker hard-codes credentials, such as a username and password or a key, into the program code.  Hidden-functionality backdoors are special commands inserted into the code that let an attacker issue commands or authenticate without going through the application’s standard authentication procedure.  Either way, it’s a dangerous practice, Wysopal says: “I don’t care if a feature was put in on purpose by the developer for debugging, or maliciously by an attacker.”  “The big tell-tale sign of a rootkit is the software is doing something it’s not supposed to do,” Wysopal says.
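As an added illustration of the two backdoor classes just described (this is example code written for this page, not Veracode’s SecurityReview or Fortify’s scanner), here is a small Python “metal detector” that parses source with the standard ast module and flags (a) credential-like names that are compared with or assigned a string literal, the special-credential case, and (b) an if-branch gated on a string literal that returns before the function ever reaches its authentication check, the hidden-functionality case.  The sample source it scans is constructed for the example, and the name patterns CRED_NAME and AUTH_NAME are assumptions to tune per code base.

```python
"""Toy AST-based backdoor detector (example code for this page, not a vendor tool)."""
import ast
import re

# Heuristic name patterns; assumptions for this example, tune them for your code base.
CRED_NAME = re.compile(r"user(name)?|pass(word|wd)?|secret|token|api_?key", re.I)
AUTH_NAME = re.compile(r"auth|login|session", re.I)

# Constructed sample input.  It is only parsed, never executed, so run_shell()
# and dispatch() need not exist.  Line 4 is a special-credential backdoor and
# line 13 is a hidden-functionality backdoor that skips the auth check on line 15.
SAMPLE_SOURCE = '''\
import hashlib, hmac

STORED_HASHES = {"alice": "sha256-hex-of-alices-password"}
SUPPORT_PASSWORD = "letmein123"   # special-credential backdoor

def check_password(user, password):
    if user == "support" and password == SUPPORT_PASSWORD:
        return True
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(STORED_HASHES.get(user, ""), digest)

def handle_command(session, cmd, arg):
    if cmd == "__debug_shell__":      # hidden-functionality backdoor
        return run_shell(arg)
    if not session.authenticated:
        raise PermissionError("log in first")
    return dispatch(cmd, arg)
'''


def _is_str(node):
    """True for a non-empty string literal."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


def _name_of(node):
    """Identifier text of a Name or Attribute node, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def _mentions(node, pattern):
    """True if any identifier inside `node` matches `pattern`."""
    return any(pattern.search(_name_of(n) or "") for n in ast.walk(node))


def _gated_by_literal(test):
    """True if the condition compares something against a string literal (handles `and`/`or`)."""
    return any(isinstance(n, ast.Compare) and any(_is_str(c) for c in n.comparators)
               for n in ast.walk(test))


def find_backdoors(source):
    """Return sorted (line, kind, detail) findings for the two backdoor classes."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Compare):
            # special-credential: `password == "..."`, `user == "..."`, etc.
            name = _name_of(node.left)
            if name and CRED_NAME.search(name) and any(_is_str(c) for c in node.comparators):
                findings.append((node.lineno, "special-credential",
                                 f"{name} compared with a hard-coded string"))
        elif isinstance(node, ast.Assign) and _is_str(node.value):
            # special-credential: `API_KEY = "..."`, `SUPPORT_PASSWORD = "..."`
            for target in node.targets:
                name = _name_of(target)
                if name and CRED_NAME.search(name):
                    findings.append((node.lineno, "special-credential",
                                     f"{name} assigned a hard-coded string"))
        elif isinstance(node, ast.FunctionDef):
            # hidden-functionality: a literal-gated early return placed before the
            # first statement that touches auth/login/session state.
            auth_idx = next((i for i, s in enumerate(node.body) if _mentions(s, AUTH_NAME)), None)
            if auth_idx is None:
                continue  # nothing in this function to bypass
            for stmt in node.body[:auth_idx]:
                if (isinstance(stmt, ast.If) and _gated_by_literal(stmt.test)
                        and any(isinstance(s, ast.Return) for s in stmt.body)):
                    findings.append((stmt.lineno, "hidden-functionality",
                                     f"{node.name}: literal-gated early return before its auth check"))
    return sorted(findings)


if __name__ == "__main__":
    for line, kind, detail in find_backdoors(SAMPLE_SOURCE):
        print(f"line {line:3d}  {kind:<21} {detail}")
```

Both rules are purely syntactic, so they will miss a credential that is assembled at runtime or compared in a different function, and they will flag legitimate literal comparisons on credential-like names; treat the output as a triage list for manual review, the same way Wysopal describes the tool as a metal detector rather than a verdict.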

Posted on 12/17