
From the article ...

"Isaac Asimov's remark that in science 'Eureka!' is less exciting than 'That's funny...' applies equally to security vulnerabilities."

That should be on a poster in every security engineer's view. I cannot count the number of times a really big problem was uncovered by a very small, yet unexpected, anomaly. It was also the core of Cliff Stoll's quest to find the hacker who hit UC Berkeley. Bottom line, never let that sort of observation go until you fully understand why it happened.



Many years ago, that's how I found a vendor-managed (but not vendor-patched) system had been compromised; I went from "why the hell is that multi-pipe command segfaulting?" to "why the hell aren't the system binaries stripped?" to "how long has this thing been compromised?"


My favorite incident was back when ISPs gave you Unix shell accounts to get Internet access. I logged into mine, searched back through command history to find the name of an ftp site I had previously connected to, and saw a bunch of "ps -fe" commands. Now I always type in "ps -ef". So I knew my account was compromised. (Boring compromise really -- someone sniffed my password, and used my shell account to run an Eggdrop IRC bot).


What is binary stripping?



Compiled programs sometimes contain the names of the functions.

To reduce binary size and/or discourage reverse engineering, the names can be stripped out.


Not just names of functions; also names of variables and potentially a great many other things.

Stripping binaries generally refers to removing debugging information of all sorts.


Exactly. In this case -- working from antique memory here -- Solaris binaries were normally stripped, while the compromised versions placed by the hacker weren't, which was an immediate red flag. The system was compromised as part of a very large-scale, probably North Korean, attack that exploited an OpenWindows buffer overflow bug that was fixed many patch-revs ago by the time I saw the system (and shouldn't have been exploitable over the Internet anyway, but the firewall was also not properly set up at the time of compromise). Drive-by hacking, in other words. Luckily their compromised binaries -- specifically a 'ps' that filtered out the hackers' background attack processes -- weren't particularly robust to arbitrary input.


I saw that one item on a website was not displaying comments when it should have, and decided to see why. It turns out someone posted a comment ending with a :\ smiley, and the comments were passed in JSON with backslashes not being escaped. So the \ escaped the ending ", causing it to fail. I quickly used the unescaped backslashes to insert < and got an XSS.
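The failure mode in the comment above, as an added example that is not the poster's code: a hand-built JSON array that escapes only double quotes breaks on a comment ending in a backslash, while the standard encoder escapes it correctly. The function names and sample comments are constructed for illustration.

```python
import json

# Constructed sample comments; the second one ends with the ":\" smiley
# that broke the site's comment rendering.
COMMENTS = ["nice post", "that made my day :\\"]


def naive_json_array(comments):
    """The vulnerable pattern: user text is concatenated into a JSON
    string literal and only the double quote is escaped. A trailing
    backslash then escapes the closing quote, so the string never ends."""
    items = ['"' + c.replace('"', '\\"') + '"' for c in comments]
    return "[" + ", ".join(items) + "]"


def safe_json_array(comments):
    """The fix: let the JSON encoder handle escaping of backslashes,
    quotes and control characters rather than doing it by hand."""
    return json.dumps(comments)


def parses(text):
    """True if `text` is valid JSON, False if the parser rejects it."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def round_trip(text):
    """Decode `text` back into the list it was meant to carry."""
    return json.loads(text)


if __name__ == "__main__":
    # The naive version yields an unterminated string and fails to parse;
    # the encoder version round-trips every comment unchanged.
    print(naive_json_array(COMMENTS), parses(naive_json_array(COMMENTS)))
    print(safe_json_array(COMMENTS), parses(safe_json_array(COMMENTS)))
```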


> Cliff Stoll

There's a word for incidences where you hear something once, and then see it everywhere. I just looked him up[1] the other day because someone linked to this article[2] elsewhere, and I happened to decide to look up the author of the article.

[1] https://en.wikipedia.org/wiki/Clifford_Stoll

[2] http://www.newsweek.com/clifford-stoll-why-web-wont-be-nirva...


It's known as the Baader-Meinhof phenomenon.


Huh, I was just reading about that.


Despite seeing it everywhere, it doesn't mean that it's false.

Ever since I learned about selection bias, I see it everywhere.


Also known as the "frequency illusion", though this is less picturesque.


There's a wonderful full hour-long dramatic reënactment of the hacking incident Cliff Stoll was involved in (the one ChuckMcM was referring to), with the actual people and locations: https://www.youtube.com/results?search_query=kgb+computer+an...



