
A Detailed Look At Persistent Threats

2012-10-08 (2012-10-07) ~ Ray Sinnema ~ 1 Comment

Advanced Persistent Threats (APTs) are sophisticated cyber attacks that have moved from the realm of the military to the mainstream.

Since we are now potentially all under attack, it’s imperative that we understand this phenomenon.

The book The Cuckoo’s Egg helps us understand APTs a bit better. It describes one of the first documented persistent attacks, in 1986/1987.

Although the techniques used by the attacker are not what we would now consider advanced, this book does give us valuable insight into the persistent part of the equation.

The Cuckoo’s Egg

The hero of The Cuckoo’s Egg is astronomer Clifford Stoll, then working at Lawrence Berkeley Laboratory. His project loses its funding, but instead of being laid off he is moved to the computer center. As the newcomer, he is handed the unglamorous assignment of tracking down a $0.75 accounting error.

He checks the accounting software and discovers that one account’s computer time is not being paid for.

It turns out that the owner of this account has moved away from Berkeley and no longer uses it. The account has been hijacked!

Instead of closing down the account, our hero decides to follow the intruder. He sets up an ever more elaborate system to track the attacker without giving away that he’s doing so.

Following the intruder’s every move, our hero finds out that he is abusing other systems as well, and seems especially interested in military ones. Our hero contacts a string of organizations like the CIA, FBI, and NSA, but none of them seem able or willing to help him, so he keeps following the attacker himself.

As an astronomer, our hero has learned the value of careful record-keeping. He logs everything in his notebook, and as the data accumulates over time, patterns emerge that no single session would have revealed.

In the end, the attacker turns out to be in Germany, passing the information he gathers to the KGB. Our hero’s logs help bring this spy to trial and get him convicted.

Attacks

The title of the book refers to one of the two main techniques the attacker uses.

The first is simply guessing passwords. In the eighties, people were a lot less careful with their passwords than they are today (although even now passwords cause plenty of problems).

The other technique is an exploit for a simple vulnerability in GNU Emacs: its movemail helper moved mail files on behalf of the user, but did not check the permissions of the destination. Because movemail was installed setuid root, anyone could copy a file to any location on the system.

The attacker used this to replace the atrun utility with his own copy. The Unix system executed this program every five minutes, and did so with full system privileges, so within minutes the attacker’s code was running as root. The Unix system was the nest that hatched the cuckoo’s egg: the attacker’s phony atrun program.
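The phony atrun is a textbook case of persistence through a file that a privileged scheduler executes on a timer. The defender’s counterpart is to fingerprint every such file and re-check it on the same schedule. The Python below is an added example, not code from this post or from the book: it takes a baseline (content hash, permission bits, owner) of a constructed directory of scheduled jobs and then reports every deviation, including a job that has simply vanished. The directory layout, file names and the body of the attacker’s replacement are all constructed for the illustration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record the attributes worth comparing for a program run by a privileged
    scheduler: content hash, permission bits and owner. Mode and owner are
    tracked separately because a newly world-writable or setuid file is a
    finding even when its bytes are unchanged."""
    st = path.lstat()
    digest = ""
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def take_baseline(paths) -> dict:
    """Map each path to its fingerprint. In practice the result is kept
    off-host or on read-only media: an attacker with root can also edit a
    baseline stored on the same machine."""
    return {str(p): fingerprint(Path(p)) for p in paths}


def verify(baseline: dict) -> list:
    """Return (path, field, expected, actual) for every deviation from the
    baseline. A vanished file is reported too; removing a job is a change."""
    findings = []
    for p, expected in baseline.items():
        path = Path(p)
        if not path.exists():
            findings.append((p, "missing", expected["sha256"], None))
            continue
        actual = fingerprint(path)
        for field in ("sha256", "mode", "uid"):
            if actual[field] != expected[field]:
                findings.append((p, field, expected[field], actual[field]))
    return findings


def demo() -> tuple:
    """Constructed scenario: a scheduler directory holding a legitimate atrun
    and an unrelated job. First the attacker overwrites atrun in place,
    keeping name, path and mode so a casual 'ls -l' shows nothing odd; then
    the unrelated job is deleted. Returns the findings after each step."""
    with tempfile.TemporaryDirectory() as d:
        atrun = Path(d) / "atrun"
        atrun.write_text("#!/bin/sh\n# legitimate job runner (constructed)\n")
        atrun.chmod(0o755)
        calendar = Path(d) / "calendar"
        calendar.write_text("#!/bin/sh\n# unrelated periodic job (constructed)\n")
        calendar.chmod(0o755)
        baseline = take_baseline([atrun, calendar])

        # The cuckoo's egg: same file name, different body, still mode 0755.
        atrun.write_text("#!/bin/sh\n# attacker's replacement (constructed)\n")
        after_replace = [(Path(p).name, f) for p, f, _, _ in verify(baseline)]

        # A second kind of tampering: the job disappears altogether.
        calendar.unlink()
        after_remove = [(Path(p).name, f) for p, f, _, _ in verify(baseline)]
        return after_replace, after_remove


if __name__ == "__main__":
    replaced, removed = demo()
    print(replaced)  # [('atrun', 'sha256')]
    print(removed)   # [('atrun', 'sha256'), ('calendar', 'missing')]
```

The check is only as good as the schedule it runs on and the place the baseline lives: a root-level intruder who finds the baseline on the same host will update it along with atrun, which is why the book’s hero kept his records on paper, outside the machine he was watching.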

Once the attacker had system privileges, he copied the password file. In those days it held every account’s hashed password and was readable by all users, so he could run a dictionary attack against it offline, trying common words against each hash, and hijack yet more accounts.
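The dictionary attack deserves a closer look, because it is still the attack that any leaked password database invites today. The Python below is an added example, not code from this post or from the book. It builds a constructed, world-readable password file in the pre-shadow style (user name first, hash in the second field), then tries a short word list plus the usual cheap variations against every entry. Systems of the period used crypt(3), a salted DES construction; salted SHA-256 stands in here so the example runs on any Python, and the account names, salts, passwords and word list are all constructed.

```python
import hashlib
from typing import Iterator


def hash_password(salt: str, password: str) -> str:
    """Stand-in for crypt(3): salt the password, hash it, store the digest.
    Salted SHA-256 is used only so the example runs everywhere. Like DES it
    is fast, and that speed is exactly the attacker's advantage."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_passwd(users) -> str:
    """Produce passwd-style lines 'name:salt$digest:uid:gid:gecos:home:shell'.
    Before shadow files, this whole file was readable by every user."""
    lines = []
    for uid, (name, salt, password) in enumerate(users, start=1000):
        digest = hash_password(salt, password)
        lines.append(f"{name}:{salt}${digest}:{uid}:{uid}::/home/{name}:/bin/sh")
    return "\n".join(lines) + "\n"


def parse_passwd(text: str) -> list:
    """Extract (name, salt, digest) from each line; skip blanks and comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, field, *_ = line.split(":")
        salt, digest = field.split("$", 1)
        entries.append((name, salt, digest))
    return entries


def candidates(word: str) -> Iterator[str]:
    """The word itself, capitalized, and with one trailing digit: the cheap
    variations people reach for when told to make a password harder to guess."""
    yield word
    yield word.capitalize()
    for digit in "0123456789":
        yield word + digit


def dictionary_attack(passwd_text: str, words) -> tuple:
    """Offline attack: for each account, hash every candidate with that
    account's salt and compare against the stored digest. Returns
    (cracked, hashes_computed). The salt forces the work to be redone per
    account instead of once for the whole list, which is the point of salting;
    it does nothing against an attacker willing to spend the cycles."""
    cracked = {}
    hashes_computed = 0
    for name, salt, digest in parse_passwd(passwd_text):
        for word in words:
            hit = None
            for cand in candidates(word):
                hashes_computed += 1
                if hash_password(salt, cand) == digest:
                    hit = cand
                    break
            if hit is not None:
                cracked[name] = hit
                break
    return cracked, hashes_computed


# Constructed sample accounts: two dictionary passwords, one that is not a word.
USERS = [
    ("guest", "Xk", "password"),
    ("astro", "q7", "Astronomy"),
    ("ops", "Lm", "R7#vq2Lz!p"),
]
PASSWD = make_passwd(USERS)
WORDS = ["password", "secret", "astronomy", "berkeley", "login", "system"]


if __name__ == "__main__":
    found, work = dictionary_attack(PASSWD, WORDS)
    print(found)  # {'guest': 'password', 'astro': 'Astronomy'}
    print(work)   # 99
```

Two of the three accounts fall after fewer than a hundred hash computations; the third survives only because its password is not in the list. The defenses that followed this era address each step: shadow files take the hashes out of every user’s reach, deliberately slow hashes make each guess expensive, and rejecting dictionary words at password-change time shrinks the list that works.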

Persistence

The attacks described are very simple compared to today’s landscape.

The value of the book is in showing us in detail the kind of persistence attackers display. It really drives home how much time and energy attackers are willing to spend to break into our systems.

To have any chance of withstanding these attacks, we need the same kind of persistence in our defenses: the patience to keep logging, to keep watching, and to chase down an anomaly as small as a 75 cent discrepancy.
