Trends in Intentional Security Weaknesses in Commercial and Open-Source Software

  • 이현호 (School of Electronics and Information Engineering, Korea Aerospace University)
  • 이은영 (Department of Computer Science, Dongduk Women's University)
  • 안준선 (School of Electronics and Information Engineering, Korea Aerospace University)
  • Published: 2016.02.29

Abstract

While efforts are under way to strengthen the safety of information systems by removing security weaknesses in source code that arise from developer mistakes during the development phase, the need to respond to maliciously and intentionally inserted security weaknesses is growing. This paper describes breach cases caused by intentional security weaknesses in commercial and open-source software, the main forms of the related vulnerabilities, and an overview and related cases of intentional security weaknesses in mobile apps. Through this, we present an overview of intentional security weaknesses and seek countermeasures against them.
