Preface

Target the Desktop

In the information economy, data is the coin of the realm. Nations rise and
fall based on the integrity and accuracy of the data their leaders can access.
Just ask any investment banker, senator, journalist, four-star general, or spy.³

Given the primacy of valuable data, one might naively assume that foiling
attackers would simply be a matter of "protecting the data." In other words, put
your eggs in a basket, and then watch the basket.

Security professionals like Richard Bejtlich have addressed this mindset.⁴ As
Richard notes, the problem with just protecting the data is that data doesn't
stand still in a container; it floats around the network from machine to
machine as people access it and update it. Furthermore, if an authorized user can
access data, then so can an unauthorized intruder. All an attacker has to do is
find a way to pass himself off as a legitimate user (e.g., steal credentials,
create a new user account, or piggyback on an existing session).

Bejtlich's polemic against the "protect the data" train of thought raises an
interesting point: Why attack a heavily fortified database server, which is being
carefully monitored and maintained, when you could probably get at the same
information by compromising the desktop machine of a privileged user? Why
not go for the low-hanging fruit?

In many settings, the people who access sensitive data aren't necessarily
careful about security. I'm talking about high-level executives who get local
admin rights by virtue of their political clout or corporate rainmakers who
are granted universal read-write privileges on the customer accounts
database, ostensibly so they can do their jobs. These people tend to wreck their
machines as a matter of course. They install all sorts of browser add-ins and
toy gadgets. They surf with reckless abandon. They turn their machines into
a morass of third-party binaries and random network sessions, just the sort of
place where an attacker could blend in with the background noise.

In short, the desktop is a soft target. In addition, as far as the desktop is
concerned, Microsoft owns more than 90 percent of the market. Hence,
throughout this book, practical examples will target the Windows operating system
running on 32-bit Intel hardware.

3. Michael Ruppert, Crossing the Rubicon, New Society Publishers, 2004.

4. http://taosecurity.blogspot.com/2009/10/protect-data-idiot.html.
