Thinking like a security paranoid: an example

July 22, 2009

There's been a bunch of commotion lately over OpenSSH and how perhaps there's a 0-day exploit in an older version of it, and so on. Given this, clearly the thing to do is upgrade to a current version just in case, right?

If you think this, you're not thinking like a security paranoid. Allow me to illustrate.

Imagine that you are an attacker. You've found a vulnerability in the very latest version of OpenSSH, and you want to exploit it. The problem is that sysadmins are lackadaisical about updating things, especially things like OpenSSH, so there aren't many people running the new version yet. Now, you could wait for the vulnerable version to slowly spread around, but the longer you wait, the greater the chance that an OpenSSH developer will spot their mistake and fix the problem. Besides, you're impatient.

(You can see where this is going.)

So you go out and make some noise to stir up doubts about the older versions, to get sysadmins and distributions thinking 'we'd better update, just in case'. Fear of a security vulnerability makes a great driver of updates, and the more publicity the better. By updating, all of these people play into your hands, because they're installing the version that's vulnerable to your exploit. Better yet, they're probably doing it without a serious inspection because they feel it's semi-urgent, which lowers the chance that anyone else will spot the vulnerability (especially since many of the people who do such inspections will be busy looking over the old versions just in case).

Now, this is a hypothetical example; I don't particularly believe that it's what is going on with the recent OpenSSH 0-day claims. But it makes a good illustration of how security people have to think; every time something peculiar happens, you look at it and ask yourself 'who benefits? if I was evil, how could I benefit from this and why would I be doing it?'

(And I think it probably also makes a good example of how unnatural it is to think like a security paranoid. If you found this example totally over the top, well, you're normal, and that's the gap between normality and serious security.)

Last modified: Wed Jul 22 23:21:00 2009