With Chris Wysopal, co-founder and CTO of Veracode. The company just released software that looks for backdoors.
Question: What kinds of backdoors are there?
Wysopal: We differentiate system backdoors, which are installed on computers by malicious persons or by somebody who is tricked into installing them, from application backdoors, which are in legitimate software that is paid for or [downloaded free through] open source.
Question: Which is more dangerous?
Wysopal: Application backdoors are a worse problem. They are more insidious. You can't find them, as opposed to system backdoors, which antivirus and IDS software can find. System backdoors are more common, and there are good defenses against them. Application backdoors have no defense, and that is why I see them as more of a problem. The government issued a document that especially called out high-value targets in the government, military and financial services as worried about application backdoors. Lump in technology companies, big software companies, and there are a lot of intellectual property people who [are potential victims]. Application backdoors have people more worried. Organizations have a good handle on the infrastructure. They do a good job of keeping out system backdoors. An application backdoor comes in with the software.
Question: Which are more prevalent, system or application backdoors?
Wysopal: There are more system backdoors. People are writing those for home users or small businesses that don't have much security and whose software is not up to date, so they can be tricked into installing software.
Question: Within the application backdoor category, what are some of the subgroups?
Wysopal: We came up with a taxonomy at the Veracode Research Group, with four different kinds of backdoors. One is special credential. [Another is] hidden functionality, which adds special commands that weren't intended. [Another is] unintended network activity. That is when they put in code to mail out sensitive information, [perhaps] on a daily basis, something like that. [Another] is rootkits. It [takes code] and hides it from the owner of the system or the system administrator. It cloaks itself. They can then perform the same type of behavior found in [other] application backdoors.
Question: Which of these is most common?
Wysopal: The special credential backdoor is the most common. It is simple and people don't need to be experts to slip them in.
Question: And which is the worst?
Wysopal: I guess the hidden functionality is a little bit worse. It takes over the whole system. Special credential just lets you log into that application.
Question: Are these always intentional?
Wysopal: I think pretty much all of it is malicious. I guess a percentage of application backdoors could be unintentional, code left in for debugging or maintenance. System backdoors are probably all malicious. I think that it doesn't matter if it is malicious. It ends up being a risk. If stuff that developers didn't intend to get into code gets in, it's a risk.
Question: Is this new?
Wysopal: They've been around for almost as long as software has been around. The thing that changes over time is that the threat model changes. Things that previously were lower threats now are higher because other things change. In the past, backdoors were not as popular because it was easier to get into a system. There were not good firewalls, intrusion detection and other things. Network security was weak. There was no reason to plant backdoors. What changes over time is that as we get better or worse at security, the weak link moves around. Currently, we are seeing more attacks at the application layer because businesses are getting good at firewalls and patching. Now applications become the weakness.
Question: How do you find backdoors?
Wysopal: What you need to do is statically scan the application. You [find out] whether there is an embedded secret password. Our security review product scans an application for different vulnerabilities. We added specific scans that look for special credential backdoors and rootkits, and plan to have one for unintended network activity.
Question: Could you say how quickly this is growing?
Wysopal: I think this is a general overall trend. It is hard to give any kind of growth rate. As time progresses and you scan more software, you start to find metrics on each category. At this point, it is too early to have a good idea on what the growth will look like.
Question: Why did Veracode develop this functionality?
Wysopal: We were asked for this feature. Some financial service companies found backdoors in software they [wrote] or got from outsourcers. They wanted a more reliable way of finding it. They also were concerned about software they purchased off the shelf. With our software as a service [system], the software is uploaded to our Web portal for scanning in our data center. We give the results back. The nice thing about that is that it gives a third-party analysis. It's not necessarily the person who wrote the software telling you it's okay.
Question: What else did you find that is interesting about backdoors?
Wysopal: One of the interesting things we found - and it may sound self-serving, but it is not intended that way - is the lifetime of backdoors. That's the time from when they are inserted to when they are found and published. We found the lifetime of a backdoor in open source was typically measured in a few weeks. Backdoors in software for which no source code was available, only the binaries, typically lasted a few years. With open source, a human can look at it. In binary form, it is very, very difficult for a human to peruse it and for it to make sense.
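Wysopal describes the detection approach as a static scan for an embedded secret password. The following is an added example, not Veracode's code and not anything shown in the interview: a toy Python source scanner that flags the "special credential" pattern he names most common, a credential-named variable compared against a string literal, across a few constructed source snippets in C, Python, Java and JavaScript. The credential-name list, the comparison patterns and the sample snippets are all assumptions made here for illustration; a real scanner would work on parsed code, not regular expressions.

```python
"""Toy static scan for 'special credential' backdoors.

Heuristic: flag any place where an identifier that looks like a credential
(password, pwd, secret, token, api_key, ...) is compared for equality against
a string literal embedded in the code. Added example; not Veracode's scanner.
"""
import re
from dataclasses import dataclass

# Assumed list of identifier fragments that suggest a credential check.
CRED_NAME = r"(?:pass(?:word|wd|phrase)?|pwd|secret|token|api_?key)"
IDENT = rf"\b\w*{CRED_NAME}\w*\b"            # e.g. password, userPwd, authToken
# A non-empty literal; the empty string is skipped so `if password == ""` is not flagged.
LIT = r"""(?P<q>["'])(?P<lit>[^"']+)(?P=q)"""

# Each pattern exposes the embedded literal as the group named "lit".
PATTERNS = [
    ("equality", re.compile(rf"{IDENT}\s*(?:===|==|!==|!=)\s*{LIT}", re.I)),
    ("equality", re.compile(rf"{LIT}\s*(?:===|==|!==|!=)\s*{IDENT}", re.I)),
    ("equals-call", re.compile(rf"{IDENT}\s*\.equals(?:IgnoreCase)?\(\s*{LIT}\s*\)", re.I)),
    ("equals-call", re.compile(rf"{LIT}\s*\.equals(?:IgnoreCase)?\(\s*{IDENT}\s*\)", re.I)),
    ("strcmp", re.compile(rf"\b(?:strn?cmp|memcmp)\s*\(\s*{IDENT}\s*,\s*{LIT}", re.I)),
    ("strcmp", re.compile(rf"\b(?:strn?cmp|memcmp)\s*\(\s*{LIT}\s*,\s*{IDENT}", re.I)),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    literal: str
    code: str


def scan_source(source: str, path: str = "<input>") -> list[Finding]:
    """Return one Finding per (line, literal) that matches a credential pattern."""
    findings: list[Finding] = []
    seen: set[tuple[int, str]] = set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                key = (lineno, m.group("lit"))
                if key in seen:          # same literal caught by two patterns
                    continue
                seen.add(key)
                findings.append(Finding(path, lineno, kind, m.group("lit"), line.strip()))
    return findings


# Constructed sample inputs (not real products). Three carry a backdoor, one is benign.
SAMPLES = {
    "auth.c": """\
int check_login(const char *user, const char *pass) {
    if (strcmp(user, "support") == 0 && strcmp(pass, "s3cr3t-maint") == 0) {
        return 1;  /* undocumented maintenance login */
    }
    return verify_against_db(user, pass);
}
""",
    "auth.py": """\
def authenticate(username, password):
    if password == "letmein-2007":  # debug shortcut that never got removed
        return True
    return ldap_bind(username, password)
""",
    "Auth.java": """\
public boolean isAdmin(String token) {
    if ("m4g1c".equals(token)) {   // grants admin to anyone who knows the token
        return true;
    }
    return rbac.hasRole(token, "admin");
}
""",
    "login.js": """\
function login(user, password) {
  // compared against a per-user value fetched at runtime, not an embedded literal
  return password === expectedHash(user);
}
""",
}


def scan_all(samples: dict[str, str] = SAMPLES) -> dict[str, list[Finding]]:
    """Scan every sample and return findings keyed by file name."""
    return {path: scan_source(src, path) for path, src in samples.items()}


if __name__ == "__main__":
    for path, found in scan_all().items():
        for f in found:
            print(f"{f.path}:{f.line}: {f.kind} against literal {f.literal!r}  |  {f.code}")
        if not found:
            print(f"{path}: no embedded credential comparison found")
```

The benign `login.js` case is the point of the literal requirement: comparing a password against a value computed at runtime is normal authentication, while comparing it against a constant baked into the binary is exactly the backdoor Wysopal describes. The identifier heuristic will also fire on names like `bypass` or `compass`, so findings are a triage list, not proof.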