Soap Boxing
As we round out yet another year, I thought that I would take the opportunity to climb up on a soapbox and rant about something that has been bothering me for a bit:

We're ending 2006 much as it began: with an in-the-wild, un-patched live-data vulnerability in a widely used Windows application (for those of you with short memories, it was the WMF flaw in IE at the end of 2005, and we have three -- count 'em three -- un-patched Word flaws hanging over our heads now).

But, if you're expecting me to launch into an anti-Microsoft screed, you're about to be sorely disappointed.  Redmond represents far too easy a target at this point, and besides, I've really been trying to make it onto Uncle Bill's "Nice" list before the 25th rolls around.  The dude has over a billion dollars, so you know he's gotta give some primo stocking stuffers?

Back in my days as a True BOFH for a mid-range electronics company, I was constantly amazed at the whacky stuff that would come winging into my company via email.  And no, I'm not talking about spam, chain-emails, or dozens of copies of Mrs. Field's cookie recipes... I'm talking about legitimate business communication that was sent in the stupidest possible format.

We had one supplier who sent out a bi-weekly commodity price level update as an Excel spreadsheet... a header row with a single data row, eight columns wide, 39k.  Eight frickin' numbers!  Another supplier sent in a letter detailing their holiday shutdown as a 675k+ Word file just to communicate two paragraphs of text.

The following is a rough transcript of a phone conversation that I had with the IT department for one of our customers:

Me: "We've suddenly started receiving Excel files from your company"
Them:  "Oh, yes.  Those are part of our new ERP system.  We're quite excited about it."
Me: "Really?  Well, have you taken a close look at the files you're sending out?"
Them: "What do you mean?"
Me: "I think that you're probably sending out a bit more information than you probably should."
Them: "Well, the ERP system generates and emails out the files for us."
Me: "Ok... I'm sure that's handy, but... you see... the Excel file that we received was 3.7 MB... and it only contained one visible line."
Them: "Yes.  That's the information for your company.  You need to fill in the forecast data and send it back."
Me: "But did anyone there ever wonder why it takes 3.7 MB for one line of data?"
Them: "What do you mean?"
Me: "Well... while there is only one VISIBLE line, all of the data for all of your other vendors is still in the file.  Part numbers, prices, contact information... everything."
Them: "No, that's impossible.  The ERP system generates those files."

Their buyer often wondered how we were able to send him proposals barely undercutting our competition on several other parts.  I would have explained it to him, but... well... how it happened was "impossible".

The point?

Business on the whole has gotten sloppy about how we choose to transport data.  We've become so enamored with logos and company letterhead, ERP systems and dancing gerbils in our emails that we've forgotten that networks are about communicating, not about glitz.  If I see one more Excel spreadsheet used to transport photos and text, I'll scream.

There's a reason that the email system was designed to transport text... email is about TEXT.  Granted, there are times that you need to send binary stuff, but on the whole, that should be the exception, rather than the rule... and we certainly shouldn't be going out of our way to make up whole new ways of formatting the data we transport just so we can shove our company logo out on every message we generate.

Binary formatted data carries with it the possibility that a flaw in the associated application can be used as an avenue for compromise.  Using formatted files for the likes of Word, Excel, PowerPoint, etc... when they aren't necessary, increases our vulnerability to attack.  Educating users to be cautious about the dangers of "0-day" Word flaws is far more difficult when every other email you get contains a Word document.  Additionally, binary formatted data often carries with it far more "other" information than you might think... deleted sections, comments, user information, etc...
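As an added, defender-side illustration of that "other information" point (this is not code from the diary or from ISC): a Python check that looks inside a spreadsheet before it leaves the building, counting hidden rows, listing hidden sheets and pulling author metadata. It assumes the modern zip-of-XML .xlsx container rather than the 2006-era binary .xls, and the sample workbook, vendor names and user names are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample parts for a minimal .xlsx (a zip of XML): one visible row,
# one hidden row, one hidden sheet and author metadata. Names/values are made up.
SHEET1 = (
    '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>ACME Corp forecast</t></is></c></row>'
    '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>Competitor Inc 9.95</t></is></c></row>'
    '</sheetData></worksheet>'
)
WORKBOOK = (
    '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<sheets><sheet name="Vendors" sheetId="1"/>'
    '<sheet name="AllVendors" sheetId="2" state="hidden"/></sheets></workbook>'
)
CORE = (
    '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
    'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
    '<dc:creator>erp-service</dc:creator><cp:lastModifiedBy>jsmith</cp:lastModifiedBy>'
    '</cp:coreProperties>'
)

def build_sample() -> bytes:
    """Pack the constructed parts into an in-memory .xlsx container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", WORKBOOK)
        zf.writestr("xl/worksheets/sheet1.xml", SHEET1)
        zf.writestr("docProps/core.xml", CORE)
    return buf.getvalue()

def _local(tag: str) -> str:
    # Strip the XML namespace so tags can be matched by local name.
    return tag.rsplit("}", 1)[-1]

def inspect_xlsx(data: bytes) -> dict:
    """Count hidden rows, list hidden/veryHidden sheets and collect author metadata."""
    found = {"hidden_rows": 0, "hidden_sheets": [], "authors": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".xml"):
                continue  # skip embedded media and other non-XML parts
            for el in ET.fromstring(zf.read(name)).iter():
                tag = _local(el.tag)
                if name == "xl/workbook.xml" and tag == "sheet" and el.get("state") in ("hidden", "veryHidden"):
                    found["hidden_sheets"].append(el.get("name"))
                elif name.startswith("xl/worksheets/") and tag == "row" and el.get("hidden") in ("1", "true"):
                    found["hidden_rows"] += 1
                elif name == "docProps/core.xml" and tag in ("creator", "lastModifiedBy") and el.text:
                    found["authors"].append(el.text)
    return found
```

A non-empty result on an outbound file is the cue to ask the sender's system why the extra rows, sheets or names are travelling with one line of data.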

Start the New Year off right: take a look around your organization and see if your users are doing stupid stuff.  In a time when we should all be looking closely at any Word documents that we get, how many of the .DOC files that your company sends or receives could simply be communicated as text? 

I strongly believe that 2006 will be seen as a turning point in security: the year when application-based, live-data attacks began to flourish.  Get ahead of the game and take a cold, hard look at the avenues for data-borne attacks against your organization.  Wean your users from unnecessary reliance on formatted data when plain-old text will do.

Remember: when Moses came down off the mountain, it was with text chiseled into stone; not DHTML, JavaScript, and animated GIFs. 

If text is good enough for God, then it's good enough for you.  ;-)



Tom Liston - Intelguardians
Handler on Duty