August 11, 2006

Testing client-side risks

How many of your employees can be tricked into opening malware? The answer may surprise you

Normally, I don’t get excited about updates, but the main improvement to Version 6.0 of Core Security's CORE IMPACT penetration-testing tool got my attention: It focuses on client-side attack improvements. Essentially, you can drag and drop client-side attacks on top of one or more e-mail addresses. CORE IMPACT will then send e-mails containing those attacks to the selected e-mail addresses.

At the very least, the client-side e-mail test can include a Web bug that dials “home.” CORE IMPACT installs a Python-based Web server that records the incoming connection, along with any other information collected along the way. You can send real exploits, including executing a client-side agent that allows further exploitation testing. For example, you can use a Windows Media Player bug to inject the client-side process into Internet Explorer, so it can outlive the use of Media Player.

Metasploit, which I’ve also used and recommended, and other testing tools have client-side attacks, but aren’t nearly as user friendly. CORE IMPACT makes it a drag-and-drop process. My only complaint -- if you can call it a complaint -- is that Core Security hasn’t made it a stand-alone testing tool for client-side attacks.

Most companies drastically underestimate their client-side risk in the face of overwhelming evidence to the contrary. Nearly all (99.99 percent) of the hacking attacks on any environment are client-side attacks. Long gone are the days when the dedicated human malicious hacker was the primary attacker against our networks. Today, it’s automated, self-replicating viruses, worms, Trojans, and bots. And they aren’t attacking servers … unless you pick up your e-mail on your file server.

The malware ends up on an end-user’s desktop via e-mail, instant messaging, or Internet browser. The user runs the attached file, clicks on the link, or launches the script. In all cases, the client-side malware installs itself on the user’s desktop and then notifies its originating hacker (or "mothership" Web server, etc.) of its success.

Client-side attacks used to notify their master over IRC or some other nonstandard port. Now, they all use port 80 or 443 to scoot out past the host and perimeter firewalls. The smarter malware agents use SSL- or SSH-encrypted traffic to connect home, easily escaping network detection. The hackers then have their backdoor program installed, and can pillage and plunder the exploited host and its network at will.

Many of the most famous network exploits have been accomplished using client-side attacks. Have you read about the latest online bank heist or government break-in? Most aren’t being accomplished by malicious hackers beating against hardened servers and perimeter firewalls. Instead, they spam the company’s user base with malicious e-mails. There is always somebody willing to click on anything.

Most companies, even though they are aware of the threat of client-side attacks, aren’t testing for it. Do you have any idea about the percentage of your end-users who can be tricked into running unauthorized code or into clicking on malicious links?
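Measuring that percentage is exactly what the Web-bug test described at the top of the column does. The following is an added example, my own code rather than CORE IMPACT's Python server: it hands each test recipient a random token, records which tokens dial home (and from which User-Agent), and reports the share of recipients who opened the bug. The recipient addresses, URL path and query parameter name are constructed for the example.

```python
# Added example, not CORE IMPACT's code: a "dial home" recorder for an internal client-side test.
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse
# 1x1 transparent GIF served as the Web bug (constructed constant)
PIXEL = bytes.fromhex("47494638396101000100800000000000ffffff"
                      "21f90401000000002c00000000010001000002024401003b")

def issue_tokens(recipients):
    """Map a random, unguessable token to each recipient; each e-mail carries its own token."""
    return {secrets.token_urlsafe(16): addr for addr in recipients}

class DialHomeRecorder:
    def __init__(self, tokens):
        self.tokens = tokens  # token -> e-mail address
        self.hits = {}        # e-mail address -> User-Agent strings seen
    def record(self, token, user_agent):
        addr = self.tokens.get(token)
        if addr is None:      # unknown token: scanner, typo or spoof, not a recipient
            return False
        self.hits.setdefault(addr, []).append(user_agent)
        return True
    def tricked_percentage(self):
        """Share of recipients who fetched the bug at least once (repeats count once)."""
        return 100.0 * len(self.hits) / len(self.tokens) if self.tokens else 0.0

def make_handler(recorder):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = parse_qs(urlparse(self.path).query).get("t", [""])[0]
            recorder.record(token, self.headers.get("User-Agent", ""))
            self.send_response(200)
            self.send_header("Content-Type", "image/gif")
            self.send_header("Content-Length", str(len(PIXEL)))
            self.end_headers()
            self.wfile.write(PIXEL)
        def log_message(self, *args):  # keep the self-test quiet
            pass
    return Handler

def serve(recorder, port=0):
    # Loopback only; port 0 picks any free port. Runs in a background thread.
    httpd = HTTPServer(("127.0.0.1", port), make_handler(recorder))
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd

def simulate_open(httpd, token):
    """Fetch the bug as a mail client that renders remote images would (self-test)."""
    url = f"http://127.0.0.1:{httpd.server_address[1]}/bug.gif?t={token}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.status, resp.read()
```

Because each token is random and tied to one recipient, a hit from a scanner or a forwarded message with a mangled token is rejected rather than inflating the number.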

©1994-2009 Infoworld, Inc.