Security Staffs Must Beware as Hackers Knock on the Backdoor

Carl Weinschenk

Kelly Jackson Higgins posted an interesting and unsettling story at Dark Reading that focuses on backdoors, which, as the name implies, are programs that provide easy or special access into software products. There are legitimate reasons for backdoors, such as shortcuts for testing, but there are also a good number of malicious uses.


The story defines three types of backdoors: Special credential backdoors are hard-coded passwords or keys that provide immediate access; hidden functionality backdoors let a hacker issue commands automatically; and rootkit backdoors hide activity from system administrators.


Though the story is, for the most part, frightening, it is predicated on a bit of good news: Veracode has added features to its SecurityReview application scanning service that Higgins says can detect "some of these backdoor programs." This, we guess, is somewhat reassuring.


There has been a lot of discussion about the need for programmers to work carefully, especially since the advent of Web 2.0. Most of it is predicated on the idea that coders are an honest bunch who sometimes are too rushed or a bit lazy. The idea that some may be building flaws into the DNA of an application on purpose is, to say the least, unwelcome.


The problem is not just conceptual or academic. Last month, HP announced a critical backdoor flaw in 23 laptop models that can let a hacker infect the machine if it uses Internet Explorer 6 or 7 to visit malicious sites. The problem, the writer says, is in the ActiveX controls used by the HP Info Center. The story, which goes into a good deal of detail, says that a similar problem occurred at the beginning of the year on Acer laptops.


Chris Wysopal, the CTO and co-founder of Veracode and one of the sources of the Unstrung story, provides a good deal of background on backdoors in this Q&A at CSO Online. The first part of the piece nails down the definition of the various types of backdoors. Nomenclature and taxonomy, it seems, are very important because this type of vulnerability has a long history.


Wysopal says that purposely planted backdoors are becoming more common. He added that a recent Department of Defense paper says that once a piece of software becomes "a high-value target," the odds of criminals bribing a developer to plant a backdoor rise "dramatically." The problem is exacerbated by the fact that the work of many different companies -- and, hence, many developers -- may go into one finished product.


This entry at Computer Bots, written by a programmer, does an adequate job of describing the dangers of backdoors. Where the piece excels, however, is in its explanation of how backdoors can benefit an organization. For instance, a backdoor can be used to save data when the system is in danger of crashing or could allow a company to wrest its server back from a hacker who has seized control.


The introduction to the CSO Online story makes the point that backdoors have been around for a long time. As security folks adjust to a particular attack vector, hackers tend to revisit things that are familiar and dream up new ways to exploit them. That seems to be the case in the world of backdoors. IT and security staffs are well advised to make sure their code is locked up tight.



Dec 20, 2007 4:34 PM Brian Honan says:
Carl,

One area where I see lots of backdoors, intentional or otherwise, is not in code produced by developers, but rather in scripts or utilities developed by network engineers and administrators. These little utilities tend to bypass all internal QA checking that the honest bunch of coders who sometimes are too rushed or a bit lazy are subjected to. The biggest mistake I see is normally the administrator ID and password hardcoded into the script and that script then left in plain sight on the computer for anyone with access to the box to see.

So yes, pay attention to the backdoors in the software that you buy or develop in-house but don't forget to look at what your network admins are doing.

Brian
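The "special credential" and "hidden functionality" backdoor types defined in the post, and the hard-coded admin password in scripts that Brian describes in his comment, are the kind of thing a simple static screen can surface before a product like Veracode's ever sees the code. The Python below is an added example written for this page, not Veracode's scanner or code from any of the linked stories; the regular expressions, the placeholder list and the sample lines are all constructed for illustration.

```python
import re

# "Special credential" indicator: a password/key/token assigned as a literal.
# Pattern and keyword list are constructed for this example.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?ix)
    (?P<name>\w*(?:pass(?:word|wd)?|pwd|secret|api_?key|token))
    \s*[=:]\s*
    (?P<quote>["']?)(?P<value>[^"'\s;]{4,})(?P=quote)
    """
)
# Values pulled from the environment or a secret store are not hard-coded.
ENV_LOOKUP = re.compile(r"os\.environ|getenv|read_secret|\$\{?[A-Za-z_]+\}?")
PLACEHOLDERS = {"changeme", "xxxxxxxx", "placeholder", "<redacted>"}

# "Hidden functionality" indicator: caller-controlled input compared against a
# fixed literal, the shape of a magic trigger value (constructed heuristic).
MAGIC_COMPARE = re.compile(
    r"""(?i)(argv|input|request|param|header|cookie)[^=\n]*==\s*["']([^"']{6,})["']"""
)

def scan_script(lines):
    """Return (line number, indicator, name, literal) tuples for suspect lines."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = CREDENTIAL_ASSIGNMENT.search(line)
        if (m and not ENV_LOOKUP.search(line)
                and m.group("value").lower() not in PLACEHOLDERS):
            findings.append((lineno, "special-credential", m.group("name"), m.group("value")))
        m = MAGIC_COMPARE.search(line)
        if m:
            findings.append((lineno, "hidden-functionality", m.group(1), m.group(2)))
    return findings

# Constructed sample: a mix of admin-script and application lines, not real code.
SAMPLE_LINES = [
    "#!/bin/sh",
    "# nightly backup helper (constructed sample)",
    "ADMIN_USER=administrator",
    'ADMIN_PASSWORD="Sup3rS3cret!"',        # literal secret: flagged
    'BACKUP_PASSWORD="$BACKUP_PASS"',       # read from environment: allowed
    'api_key = os.environ["API_KEY"]',      # read from environment: allowed
    "token: changeme",                      # placeholder: allowed
    "ssh backup@host 'tar czf - /var' > nightly.tgz",
    'if request.args.get("cmd_key") == "letmein-2007": run_shell(cmd)',  # magic trigger
]

if __name__ == "__main__":
    for lineno, kind, name, literal in scan_script(SAMPLE_LINES):
        print(f"line {lineno}: {kind} via {name!r} -> {literal!r}")
```

Run over the sample it reports only line 4 (the literal admin password) and line 9 (the magic trigger); such heuristics produce false positives on real code bases, so treat hits as review queues, not verdicts.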




