Logic Bombs

1
Logic Bombs

• Douglas Smith
• David Palmisano

2
What is a Logic Bomb?

• A logic bomb is a piece of code intentionally
  inserted into a software system that will set off
  a malicious function when specified conditions
  are met.

3
More on Logic Bombs

• Criteria for Logic Bombs
• For code to be considered a logic bomb the
  effects of the code should be unwanted and
  unknown to the software operator.
• Trial software that expires after a certain time
  is generally not considered a logic bomb.
• Piggybacking
• Many viruses, worms, and other code that are
  malicious in nature, often carry a logic bomb
  that detonates under given conditions. This may
  help the code on its journey as it worms through
  your system undetected.

4
A New Age of Crime

• Robbery at gunpoint has become obsolete. Welcome
  to the new generation of crime.
• Logic bombs for profit (monetary or otherwise)
• Remote
• No get-a-way car
• Low fatality rate
• Wile E. Coyote syndrome a thing of the past

5
Emergence of the Logic Bomb

• Technology is directly proportional to the need
  for security.
• The home computer was one of the greatest
  technological advancements since the wheel.
• Word Processing
• Pong
• The Virus

6
Emergence contd

• Time Bombs
• Detonates at a given time.
• Most well-known version of the logic bomb.
• Many of the first viruses released were time
  bombs.
• Debuted in the 1980s (Friday the 13th virus)
• Michelangelo virus brought public focus to
  viruses due to media coverage.

7
Attackers

• Most of the time Logic bombs are placed in the
  system by insiders.
• Such as
• Disgruntled employees
• Corporate Spies
• Also planted by remote users/systems

8
Possible Triggers for Logic Bombs?

• Lapses in time.
• Specific dates.
• Specific Commands
• Specific Actions in Programs
• Still there logic bombs
• Remain in the system with compromising effects.
• Will run as instructed by its creator unless the
  creator deactivates it.
• Payroll example.

9
Historic Attacks

• In June 1992, a defense contractor General
  Dynamics employee, Michael Lauffenburger, was
  arrested for inserting a logic bomb that would
  delete vital rocket project data. It was alleged
  that his plan was to return as a highly-paid
  consultant to fix the problem once it triggered.
  The bomb was stumbled on by another employee of
  the company. Lauffenburger was charged with
  computer tampering and attempted fraud and faced
  potential fines of 500,000 and jail-time ).

10
Historic Attacks

• In February 2000, Tony Xiaotong was indicted
  before a grand jury accused of planting a logic
  bomb during his employment as a programmer and
  securities trader at Deutche Morgan Grenfell. The
  bomb had a trigger date of July 2000, and was
  discovered by other programmers in the company.
  Removing and cleaning up after the bomb allegedly
  took several months.

11
Victimization Prevention

• Do not allow any one person universal access to
  your system.
• Separation of duties
• Always practice safe computing. Always use
  protection. AntiVirus software can significantly
  reduce the risk of contracting a virus which may
  contain a logic bomb.
• New strains of logic bomb and virus programs are
  constantly being created.
• Remember, if you believe your system may be
  compromised by another entity (programmer,
  software or other system). Get tested to prevent
  the transmission of dangerous code operations.

12
Defenses for Bombs

• Segregate operations from programming and
  testing.
• Institute a carefully controlled process for
  moving code into production.
• Give only operations staff write-access to
  production code.
• Lock down your production code - source and
  executable making it close to impossible for
  unauthorized people to modify programs.
• Assign responsibility for specific production
  programs to named positions in operations.
• Develop and maintain a list of authorized
  programmers who are allowed to request
  implementation of changes to production programs.
• Require authorization from the authorized quality
  assurance officer before accepting changes to
  production.
• Keep records of exactly which modifications were
  installed when, and at whose request.

13
Defenses for Bombs

• Use hash functions on entire files in the
  production library.
• Recompute all hashes against a secure table to
  ensure that no one has altered production files
  without authorization and documentation.
• Keep audit trails running at all times so that
  you can determine exactly which user modified
  which file and when.
• If possible, ensure that audit trails include
  chained hash functions. That is, the checksum on
  each record (which must include a timestamp) is
  calculated not only on the basis of the record
  itself but also using as input the checksum from
  the previous record. Modifying such an audit
  trail is much more complicated than simply using
  a disk editor to alter data in one or two
  records.
• Back up your audit files and keep them under high
  security.

14
Bibliography

• Kabay, M. E.. Network World Security Newsletter,
  August 21, 2002. http//www.networkworld.com/newsl
  etters/sec/2002/01514405.html
• Walder, Justin. Press Release, December 17, 2002.
  http//www.usdoj.gov/criminal/cybercrime/duronioIn
  dict.htm
• Answers.com. Logic bombsDefinition and Much More
  from Answers.com. http//www.answers.com/topic/log
  ic-bomb