Security Staffs Must Beware as Hackers Knock on the Backdoor


Kelly Jackson Higgins has posted an interesting and unsettling story at Dark Reading on backdoors: as the name implies, these are hidden mechanisms built into a software product that give whoever knows about them easy or special access. There are legitimate reasons for backdoors, such as shortcuts for testing, but there also are a good number of malicious uses.


The story defines three types of backdoors: special credential backdoors are hard-coded passwords or keys that grant immediate access to anyone who knows them; hidden functionality backdoors are undocumented commands or code paths that let an attacker trigger behavior the product does not advertise; and rootkit backdoors hide the attacker's activity from system administrators.


Though the story is, for the most part, frightening, it is predicated on a bit of good news: Veracode has added features to its SecurityReview application scanning service that Higgins says can detect "some of these backdoor programs." This, we guess, is somewhat reassuring.
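To make the first category concrete, here is a small heuristic scanner for special-credential backdoors. It is an added example written for this post, not code from the Dark Reading story or from Veracode's service, and it shows the simplest form such detection can take: flag any credential-looking identifier that is compared against, or assigned, a string literal. The list of credential-like words, the three patterns, and the two source fragments it scans (one Python, one C, each with a planted maintenance credential) are constructed for the example.

```python
import re
from dataclasses import dataclass

# Words that suggest an identifier holds a credential (assumed list; extend per code base).
CRED_NAME = r"(?:pass(?:word|wd)?|pwd|secret|token|api_?key|private_?key)"
IDENT = r"\b(?P<name>\w*" + CRED_NAME + r"\w*)"

# credential identifier compared to a string literal:   password == "..."
CRED_COMPARE = re.compile(IDENT + r"\s*==\s*(?P<q>['\"])(?P<lit>.+?)(?P=q)", re.I)
# credential identifier assigned a long string literal:  API_TOKEN = "..."
CRED_ASSIGN = re.compile(IDENT + r"\s*=\s*(?P<q>['\"])(?P<lit>[^'\"]{8,})(?P=q)", re.I)
# C-style comparison against a literal:                 strcmp(pass, "...")
CRED_STRCMP = re.compile(r"strn?cmp\s*\(\s*" + IDENT + r"\s*,\s*\"(?P<lit>[^\"]+)\"", re.I)

PATTERNS = [
    ("credential-compare", CRED_COMPARE),
    ("credential-assign", CRED_ASSIGN),
    ("credential-strcmp", CRED_STRCMP),
]


@dataclass
class Finding:
    line: int
    kind: str
    name: str      # the credential-looking identifier
    literal: str   # the hard-coded value, masked so reports do not leak it


def mask(value: str) -> str:
    """Keep only the first two characters of a literal for the report."""
    return value[:2] + "*" * (len(value) - 2)


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per pattern match, skipping comment-only lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith(("#", "//", "/*", "*")):
            continue
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                findings.append(Finding(lineno, kind, m.group("name"), mask(m.group("lit"))))
    return findings


# Constructed sample: a fictional login module with a planted maintenance account.
SAMPLE_PYTHON = '''\
def authenticate(user, password):
    # normal path: compare against the stored hash
    record = db.lookup(user)
    if record and record.check(password):
        return True
    # planted backdoor: an undocumented maintenance account
    if user == "fieldsvc" and password == "Z3r0-D4y!Maint":
        return True
    return False

API_TOKEN = "sk-7f3a9c1d4e5b6a7f8c9d0e1f2a3b4c5d"
DEBUG_MODE = "off"
'''

# Constructed sample: the same idea in C, where the literal hides inside strcmp().
SAMPLE_C = '''\
int check_login(const char *user, const char *pass) {
    if (strcmp(user, "root") == 0 && strcmp(pass, "s3cretBackd00r") == 0)
        return 1;
    return verify_hash(user, pass);
}
'''

if __name__ == "__main__":
    for label, source in (("python", SAMPLE_PYTHON), ("c", SAMPLE_C)):
        for f in scan_source(source):
            print(f"{label}:{f.line}: {f.kind} on {f.name!r} -> {f.literal}")
```

Run as a script, it reports the planted comparison on line 7 and the hard-coded token on line 11 of the Python fragment, and the strcmp() on line 2 of the C fragment, while the legitimate hash checks on either side produce nothing. Pattern matching of this kind is noisy (an identifier like bypass_check also contains "pass") and cannot see a credential that is assembled at run time or a hidden command that uses no credential at all; a real scanner works on parsed code and data flow rather than text, which is why the Veracode feature the story describes is worth having.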


There has been a lot of discussion about the need for programmers to work carefully, especially since the advent of Web 2.0. Most of it is predicated on the idea that coders are an honest bunch who sometimes are too rushed or a bit lazy. The idea that some may be building flaws into the DNA of an application on purpose is, to say the least, unwelcome.


The problem is not just conceptual or academic. Last month, HP disclosed a critical flaw, described as a backdoor, in 23 laptop models: a machine that uses Internet Explorer 6 or 7 to visit a malicious site can be infected. The problem, the writer says, is in the ActiveX controls used by the HP Info Center. The story, which goes into a good deal of detail, says that a similar problem occurred at the beginning of the year on Acer laptops.


Chris Wysopal, the CTO and co-founder of Veracode and one of the sources of the Dark Reading story, provides a good deal of background on backdoors in this Q & A at CSO Online. The first part of the piece nails down the definitions of the various types of backdoors. Nomenclature and taxonomy, it seems, are very important because this type of vulnerability has a long history.


Wysopal says that purposely planted backdoors are becoming more common. He adds that a recent Department of Defense paper says that once a piece of software becomes "a high-value target," the odds of criminals bribing a developer to plant a backdoor rise "dramatically." The problem is exacerbated by the fact that the work of many different companies -- and, hence, many developers -- may go into one finished product, so no single organization has reviewed all of the code it ships.


This entry at Computer Bots, written by a programmer, does an adequate job of describing the dangers of backdoors. Where the piece excels, however, is in its explanation of how backdoors can benefit an organization. For instance, a backdoor can be used to save data when the system is in danger of crashing or could allow a company to wrest its server back from a hacker who has seized control.


The introduction to the CSO Online story makes the point that backdoors have been around for a long time. As security folks adjust to a particular attack vector, hackers tend to revisit things that are familiar and dream up new ways to exploit them. That seems to be the case in the world of backdoors. IT and security staffs are well advised to review the code they ship, and the code they buy, for hard-coded credentials and undocumented functionality, not just for accidental bugs.