Get Paid to Find 'Back Doors'
A security research and training group is offering up to $20,000 in grants to anyone with computer programming chops who can help locate and close hidden "back doors" in commercial hardware and software.
According to the Bethesda, Md.-based SANS Institute, the group offering the grants, hundreds of millions of devices -- from printers to Internet routers and storage systems -- are being placed on networks with built-in back doors. Software and hardware makers have for years quietly built these remote administration tools into their products, mainly to help customers troubleshoot the devices.
In some cases, the back doors are documented by the vendor or known to technicians and security experts. But Alan Paller, director of research at SANS, said in far too many cases these back doors are never disclosed or are included and forgotten, only to be discovered later and exploited by hackers.
"The manufacturers of these systems never told you how vulnerable you are," Paller said.
In many cases, Paller said, these back doors provide remote access to the fully functioning processors with network connections, operating systems and memory.
The goal of the SANS project, Paller said, is to make sure these back doors aren't included in systems purchased by the government and, by extension, businesses. "Ultimately, we want to be able to specify these things in procurement language so that when [a vendor] ships you a printer, for example, these things aren't built-in."
Anyone who's ever seen the classic 1983 movie "War Games" knows back doors have been around for a long time and aren't a huge secret (think "Mister Potatohead, MISTER POTATOHEAD!!!"). No doubt these back doors have been useful over the years to those individuals and entities charged by our government with spying on corporations and nations around the world. But as nearly everything about security is a double-edged sword, I suspect that these same back doors are now becoming more of a liability for our own government.
I'm not much of a coder myself, but I think I've come up with a fairly easy money-making idea for an enterprising programmer who wants to snag some of SANS's grant money. That idea is to build a tool that will systematically scan a Windows machine for all of the ActiveX plug-ins that are installed on the machine.
Why ActiveX? Because it's probably one of the most prevalent software-based back doors in existence today. ActiveX is a powerful Microsoft creation that is designed to interact with the Internet Explorer Web browser and allow Web sites to develop interactive, multimedia-rich pages. Plenty of hardware and software vendors ship various ActiveX controls with their products that are designed to either enhance the user experience or help with remote troubleshooting.
The trouble is that in Windows XP computers with Service Pack 2 installed, for example, Internet Explorer allows Web sites to download software to the user's machine via ActiveX controls that are marked "safe for scripting." This means that any Web page can use the control and its methods, which in many cases includes the ability to download and execute potentially hostile code. And in case after case, vendors ship ActiveX controls that are set in that vulnerable state.
In its latest Internet Security Threat Report, Symantec documented some 239 new vulnerabilities in Web browser plug-ins. Plug-ins for Adobe Acrobat, Flash, Java, Mozilla Firefox, QuickTime and Windows Media Player made up 21 percent of those, while the rest were all ActiveX-related vulnerabilities.
From that report:
"In the last six months of 2007, Symantec has also detected zero-day exploitation of many ActiveX vulnerabilities in the wild, including vulnerabilities in GlobalLink, Real Networks RealPlayer, and SSReader Ultra Star Reader. A significant ActiveX vulnerability was also discovered in December 2007 that affected many HP laptops."
Interestingly, Symantec itself just this week pushed out updates to fix two critical ActiveX flaws present in its Norton Internet Security 2008 software suite (both were marked safe for scripting).
The bundle of eight security patches Microsoft released on Tuesday addressed three critical ActiveX vulnerabilities, including two faulty ActiveX controls in Yahoo! Jukebox (at Yahoo's request).
An excellent software tool I've recommended on numerous occasions -- HijackThis! -- can help users find and deactivate many ActiveX controls. But HijackThis! appears to only show ActiveX controls that have been downloaded from Web pages and not ActiveX controls that may have been installed as part of a software package or pre-installed by the computer manufacturer.
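The scanner idea above, sketched as an added example (not code from this article or from SANS): it reads a text export of the registry and lists COM classes registered in the safe-for-scripting category, with their server file and whether IE's kill bit is set. The sample export, CLSIDs and paths are constructed; controls that declare safety only at run time through IObjectSafety do not appear in a registry check like this.

```python
import re

# Standard COM category ID and the IE kill-bit flag value.
SAFE_SCRIPT = "{7DD95801-9882-11CF-9FA9-00AA00C0A418}"  # CATID_SafeForScripting
KILL_BIT = 0x400  # set in "Compatibility Flags" to stop IE loading a control
GUID = r"(\{[0-9A-Fa-f-]{36}\})"
CLASS_KEY = re.compile(r"\[HKEY_CLASSES_ROOT\\CLSID\\" + GUID + r"(?:\\(.+))?\]$", re.I)
COMPAT_KEY = re.compile(r"\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
                        r"\\ActiveX Compatibility\\" + GUID + r"\]$", re.I)
FLAGS = re.compile(r'"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)
DEFAULT = re.compile(r'@="(.*)"$')

# Constructed sample in .reg export text form; CLSIDs and paths are made up.
SAMPLE = r"""
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\helper.ocx"
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95801-9882-11cf-9FA9-00AA00C0A418}]
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Windows\\System32\\example2.dll"
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA00C0A418}]
[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}\InprocServer32]
@="C:\\Windows\\System32\\example3.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000400
"""

def audit(reg_text):
    """Return the classes marked safe for scripting, sorted by CLSID."""
    classes, killed, ctx = {}, set(), None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            ctx = None  # a new key header ends the previous key's values
            m = CLASS_KEY.match(line)
            if m:
                clsid, sub = m.group(1).upper(), (m.group(2) or "").upper()
                c = classes.setdefault(
                    clsid, {"clsid": clsid, "server": None, "script": False})
                if sub == "IMPLEMENTED CATEGORIES\\" + SAFE_SCRIPT:
                    c["script"] = True
                elif sub == "INPROCSERVER32":
                    ctx = ("server", clsid)
            elif (m := COMPAT_KEY.match(line)):
                ctx = ("compat", m.group(1).upper())
        elif ctx and ctx[0] == "server" and (m := DEFAULT.match(line)):
            classes[ctx[1]]["server"] = m.group(1).replace("\\\\", "\\")
        elif ctx and ctx[0] == "compat" and (m := FLAGS.match(line)):
            if int(m.group(1), 16) & KILL_BIT:
                killed.add(ctx[1])
    return [dict(c, killed=c["clsid"] in killed)
            for _, c in sorted(classes.items()) if c["script"]]
```

On a real machine the input would come from `reg export` of `HKCR\CLSID` and of the `ActiveX Compatibility` key; those files are UTF-16, so open them with `encoding="utf-16"`.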
So, any takers for the SANS challenge? If so, contact Alan Paller via e-mail.
Update, 4:55 p.m. ET: A reader just alerted me to this Computerworld story from today, which quotes Microsoft as saying they'll happily nix any third-party ActiveX controls as part of their monthly patch release for vendors who request it, as did Yahoo! in yesterday's patch batch from Redmond.
By Brian Krebs | April 9, 2008; 12:55 PM ET
Posted by: Jim Sting | April 9, 2008 4:26 PM
@Jim Sting -- Not Safe For Work? How so?
Posted by: Bk | April 9, 2008 4:29 PM
>>The trouble is that in Windows XP computers with Service Pack 2 installed, for example, Internet Explorer allows Web sites to download software to the user's machine via ActiveX controls that are marked "safe for scripting." This means that any Web page can use the control and its methods, which in many cases includes the ability to download and execute potentially hostile code.
Well, let's just fix that policy problem then, shall we?
http://www.helpwithwindows.com/techfiles/ie-sp2-surf-safe.html
>>That idea is to build a tool that will systematically scan a Windows machine for all of the ActiveX plug-ins that are installed on the machine.
>>[...]
>>But HijackThis! appears to only show ActiveX controls that have been downloaded from Web pages and not ActiveX controls that may have been installed as part of software package or pre-installed by the computer manufacturer.
Have you tried...?
http://www.nirsoft.net/utils/axhelper.html
Posted by: Mark Odell | April 9, 2008 4:49 PM
Active-X Controls are to Programmers like Red Light cameras are to Municipal Governments - doomed because they count on the most motivated staying stupid.
Posted by: GTexas | April 9, 2008 6:23 PM
NoScript has been upgraded to version 1.5.8. Get NoScript at http://noscript.net
NoScript is licensed under the GPL for your protection.
May God bless NoScript and may God bless the GNU Public License. On behalf of God, I would like to thank you for supporting FLOSS software.
Posted by: Singing Senator | April 9, 2008 6:39 PM
singing senator you realize of course that noscript is an add-on for firefox? activeX is an IE related problem. firefox doesn't use activex
Posted by: umm | April 9, 2008 6:46 PM
"Microsoft will happily nix any third-party ActiveX controls"
While it is welcome for them to distribute killbits to disable bad ActiveX controls, users can be proactive and take matters into their own hands!
The key here is to reduce the system attack surface by first and foremost using a limited user account!
Secondly,
1. Limit the amount of software installed so the system doesn't have a multitude of ActiveX controls (ex. no Java, RealPlayer, Acrobat Reader, QuickTime, Yahoo IM, etc.)
2. Use IE's security zone settings to a more restrictive configuration
3. Use IE's Manage Add-ons to disable specific ActiveX controls
4. Use IE in "No Add-ons" mode (currently only IE7) for highly sensitive websites like banking
5. Use a blocking hosts file such as http://www.mvps.org/winhelp2002/hosts.htm
6. Patch all installed software as soon as updates are released
7. Use a different browser (which will also have its own security and operational issues to deal with)...
I've been using IE for years with such practices mentioned above and have yet to be compromised by any malware! Then again, I'm also highly cynical and somewhat paranoid, so not only are my systems locked down, but I use extreme caution in surfing the Internet. It's a win-win situation. No back doors here! :P
Posted by: TJ | April 9, 2008 9:32 PM
This blog entry is NSFW.