Most security threats that I’ve heard of have arisen due to a bug in the software (e.g. all input is not properly sanity checked, stack overflows, etc.). So if we exclude all social hacking, are all security threats due to bugs? In other words, if there were no bugs, would there be no security threats (again, excluding the faults of humans such as disclosing passwords and such)? Or can systems be exploited in ways not caused by bugs?
6
A bug is defined as software not operating up to specs. Now if specs are faulty, it’s not a software bug. If a dumb customer demands all passwords must be three-digit codes with no grace period between faulty entries, it’s not the software that is to be blamed.
Many systems have “service mode” that can override the security, and while access to it should be secure, the codes often leak to the public.
Advances in mathematics compromise old cryptography methods. Something that was viable security 30 years ago becomes weak nowadays.
There are various methods of data theft that are often overlooked. A wireless keyboard has about 2m range, due to tiny antennas, and the code sent is unencrypted. Reading it out from across the street with a good antenna is a well-known method.
Sometimes security trade-offs are made with full awareness of consequences – crypto systems take power and CPU time. Embedded monitoring applications often send their data in a way clearly readable to the public because first, the value of compromising the data is negligible, and then the extra cost of implementing the security is unnecessary.
All security is based on trust. It takes no social engineering for the appointed admin to go rogue and read your mail.
And in the end, can one consider applying baseball bat to a knee a social technique?
6
There can be situations where hardware bugs cause security issues, too. Just consider a faulty RAM chip that spontanously flips the “isAdmin” bit.
Or consider a hypothetical hardware bug where the memory protection doesn’t work as expected and one process can overwrite another process’ memory without triggering an interrupt.
For your reading pleasure: Computer security compromised by hardware failure
5
Lots of security threats arise from software features, not bugs. Lots of very useful software features turn out to have uses for good or evil, depending only on the user’s
intent.
1
Consider a distributed denial of service attack (DDOS). That can be a security risk, but it’s not caused by a software bug but rather by an attacker going over the limits of what the system was designed for. And every system has a limit.
So the answer to your question is: no, not all security threats are triggered by software bugs.
2
Social engineering.
Hello, I’m XX from the IT department. Your computer is currently spreading viruses to other office computers. I need your username and
password to be able to remove it.
When the hacker have got the username/password he can safely install trojans etc.
Social engineering can be applied in several ways and using it to circumvent security is one.
2
How about something like Firesheep, the Firefox addon that steals cookies being transmitted on a shared wireless network?
You could argue that vulnerability to such attacks is a bug, but you could also argue against it as well. There’s not much a website can do to avoid users being compromised other than just running all communications over HTTPS – can you say that it’s a bug to accept HTTP communications on your website?
7
Yes, insofar as a failure in the software’s security is—whatever the proximate cause—a failure by the software to fulfil its requirements.
I accept that this is just a tautology, but that’s the measure of it.
2