In the world of security, as in other areas, it’s extremely important to plan carefully before starting a new project. In fact, this is even more important in our field, because we have to deal with continuous attempts to find holes in the system.
When it comes to critical applications or systems, this is crucial. A design error can be more serious than other, more complex "technical" errors.
Let’s look at a few examples:
- A hypothetical brand wants to protect its own applications by setting an execution time limit. In order to do this, the brand uses a new packer that adds a new protection layer based on the maximum length of time that can be used to evaluate a program. To this end, it uses a base program with the protected program embedded. The latter is unpacked at runtime, launched, killed and removed from disk once execution finishes.
- Yes, removed from disk! The unpacked program sits there for as long as it runs, so all these applications were vulnerable to a simple copy & paste while they were executing.
[Figure: creation of the temporary file]
- Another example, a tad more subtle, can be found in online banking. A Trojan wants to get the codes on the card. The most common attack – simply asking for these codes – is too obvious. Now, what happens if someone enters one of the numbers incorrectly? Was it just a mistake by the client? Or maybe it’s not the client? The easiest solution is to ask again, up to three times, to counter brute-force attacks.
- However, our sharp friends in charge of InfoStealer use a much more subtle technique: after stealing the code, they show the client an error message (page not found, etc.). This way, they get some time to access the account. If the same access code is asked for again in a new session, then the card code has been reduced to a simple PIN.
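The design choice behind the banking example, sketched as an added example (not from the original post or from any bank's code): a challenge issuer that either repeats an unanswered card position in the next session or retires it. The class, its method names and the card layout are assumptions made for illustration.

```python
import secrets

class ChallengeIssuer:
    """Chooses which card position a new banking session asks for."""

    def __init__(self, positions, sticky):
        self.positions = list(positions)  # constructed card layout, e.g. "A1".."E8"
        self.sticky = sticky              # True: repeat an unanswered position (weak)
        self.pending = {}                 # account -> position asked, not yet completed
        self.burned = {}                  # account -> positions that must not be asked again

    def start_session(self, account):
        burned = self.burned.setdefault(account, set())
        previous = self.pending.get(account)
        if previous is not None:
            if self.sticky:
                return previous           # same question: an intercepted answer still works
            burned.add(previous)          # asked but never completed: treat as exposed
        candidates = [p for p in self.positions if p not in burned]
        if not candidates:
            raise RuntimeError("no unexposed positions left: reissue the card")
        position = secrets.choice(candidates)
        self.pending[account] = position
        return position

    def complete(self, account, position):
        """Call when the operation finished in the session that asked `position`."""
        if self.pending.get(account) == position:
            del self.pending[account]


def stolen_code_still_useful(issuer, account="alice"):
    """Replays the scenario from the text and reports whether the next
    session asks for the position whose code was just intercepted."""
    asked = issuer.start_session(account)        # client types the code for `asked`
    # The client now sees a fake error page, so complete() is never called.
    asked_again = issuer.start_session(account)  # a new session is opened
    return asked_again == asked


if __name__ == "__main__":
    card = [f"{col}{row}" for col in "ABCDE" for row in range(1, 9)]  # constructed
    print("sticky challenge :", stolen_code_still_useful(ChallengeIssuer(card, True)))
    print("retired challenge:", stolen_code_still_useful(ChallengeIssuer(card, False)))
```

Retiring positions means repeated aborted sessions can exhaust the card, so this design has to be paired with a lockout or a card reissue.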
So, before you start writing your fingers off, sit back, relax, have a coffee… and think ;)