Vendor Threat Model

Vendor Threat Model

by Ed Norris


This paper will describe why vendors should be considered a threat to their customers and users of their products. It will describe who they are, although the vendors sited are just examples. Any vendor profile, as long as they sell products integrated into information systems, would be an appropriate description. A vendor with two employees and a few thousand dollars in assets can be a threat as easily as a vendor with a very large employee population and billions in assets. The paper will also describe the vendor's capabilities, their funding levels, their tactics, and whom the vendor targets.

The paper will also introduce the chaining and compounding of threat elements. A chain will move from one threat element to another, not removing the vendor from being a threat but adding to the complexity of the overall threat to an information system. Some of the threat elements need to work in concert with one another. Not all of the threat elements may be willing partners in this chaining of threats to information systems.

Definition - Vendor

The definition of vendor used for this paper is a commercial enterprise that exchanges software, hardware, and/or related products for something of value.

To understand the complexities of the threat we must first understand why some definitions of a vendor are insufficient for this analysis. Starting with its simplest definition: one that vends, and the definition of vend, from the same source, is: 1a: to sell especially as a hawker or peddler, b: to sell by means of vending machines, 2: to utter publicly. [1] The definition of "to sell" is much too broad; people can sell apples, boxes, cars, donuts, etc., all which have no impact on an information system. The "hawker or peddler" portion of the definition usually applies to street vendors in most people's minds, thus definition 1a is discounted. We can discount the selling by vending machine definition, has anyone purchased a component of an information system from a vending machine? And only if someone utters confidential information publicly would that definition of vendor apply, but it is also discounted for this threat model.

Another definition is: People who sell things to you. [2] But that definition could imply many others whom may or may not have the same threat complexities described below. A short list of people who sell things to you includes your friends, your relatives, and your neighbors. While all may sell things to you from time to time, no one really considers them vendors, unless that is also their profession. This definition could also apply to a consultant, who sells you his or her services, as seen in the next definition.

The definition: someone who exchanges goods or services for money [3] takes us beyond the definition, which will be used in this paper. The sale of services is covered by the threat model for non-vendors. As shown above, the term goods could imply just about anything and most of the goods would have nothing to do with information systems.

For the paper's definition, we have to get beyond our friends and family by adding the professional aspect, and to get beyond our goods problem we needed to limit it to products that directly effect information systems. The word enterprise is used to cover all of the types of sellers, such as sole proprietors, partnerships, corporations, resellers, retailers, etc. The term related is included to cover things such as UPS systems, air conditioning systems, surveillance equipment, etc., things required by an information system in order for it to function properly. Something of value can be money or barter. Thus, we have the definition that is used for the threat analysis.


A non-vendor is a threat element that would have the same basic definition as a vendor with one exception; a non-vendor sells services, not products. The best known threat in this category would be consultants; people who work under their own control to provide contract services to others. Consultants often have insider access but are not controlled, as are insiders. Technical consultants who use client information technology present a technical threat, while management consultants who often have access to more of the more sensitive information in a company presents a human threat. [4]

Another non-vendor group would be contract service providers. This threat element could include; cleaning or janitorial services, maintenance services (painters, plumbers, electricians, etc.), security services (security guards), and cafeteria services. Many companies will treat this group of people as insiders, often giving them permanent badges and the same access to the facilities as an employee.


Dr. Fredrick Cohen defines the threat from vendors as they are often in competition with each other over sales and with you over pricing and terms. They tend to be in long-term relationships and often work closely with your people. Their economic motives are often not aligned with yours and in some cases, they take advantage of information in order to gain an economic advantage in negotiations. [5]

While the above is true, the most common documented attack is errors and omissions, which are unintentional vulnerabilities being introduced into a customer's environment. In this case, the vendor is not trying to gain an economic advantage, and may actually cause a negative financial impact upon themselves. Scott Stratman stated, "All distributors know that doing something wrong or making mistakes costs them a great deal of money." [6] The same applies to all vendors, it is not limited to distributors.

In the following sections, the paper will describe who these vendors are, what are their capabilities, what is their funding level, what are their tactics, and who are their targets. The sections will be broken down by the attacks the vendors have used on a customer's information systems.

Attack: Errors and Omissions

Errors and omissions are erroneous entries or missed entries by designers, implementers, maintainers, administrators, and/or users that create vulnerabilities exploited by attackers. Examples include forgetting to eliminate default accounts and passwords when installing a system, incorrectly setting protections on network services, and a wide range of other minor mistakes that can lead to disaster. There appear to be an unlimited (finite but unbounded) number of possible errors and omissions in general purpose systems. Special-purpose systems may be more constrained. [7]

Many things such as poor up-front design, poor programming techniques, and inadequate program or system testing (quality management) can cause errors and omissions. All of this items are usually a result of a company not keeping current with the past mistakes of others (non-duplication) or trying to cut corners in order to reduce costs and time to market (suspect quality).

Sound practices throughout the entire development process will provide for a more secure and reliable product. Although human errors made in the early stages of development can sometimes be caught in later review stages, those errors that are not caught are typically the most insidious. [8]

In the case of unintentional coding or design flaws, the vendor is not going after a particular target. All customers installing the vendor's product have become a target by accident. The vendor is not financing their activities as a threat in this case, as usually the discovery of vulnerabilities in their product causes a negative impact to their net income and market share. The vendor has to spend money on fixes, notification, and distribution of the patch or new code to the customer. The vendor may also suffer a negative impact on their intangible assets, customer confidence and goodwill.

The vendor is usually not the one who compromises the security of its customer's information systems, but is an unwilling accomplice with other threat elements. The vendor is the start of a threat chain, where there is a linkage from one threat element to another. To illustrate this effect with an example: the vendor "attacks" its customer with an error or omission to the ftp daemon. The vulnerability is discovered and the vendor releases a patch, which is sent to the customer but the patch is not installed. Therefore, the customer "attacks" its self with an error or omission. A cracker reads about the vulnerability and compromises the customer's information systems through a direct attack, using an imperfect daemon exploit attack. The cracker is successful because two prior threats have introduced vulnerabilities into the system.

Therefore, while the vendor is still a threat to information systems in this case, the vendor is not acting to the tradition way individuals or corporations categorize a threat. As an industry, security professionals need to understand why vendors are a threat under these circumstances and adjust their protection decisions to incorporate this fact.

There are many examples supporting vendors being a threat under these circumstances. All one needs to do is view the security advisories posted on Carnegie Mellon University's CERT (Computer Emergency Response Team) web site ( or the U.S. Department of Energy's Computer Incident Advisory Capability (CIAC) web site ( to understand the common discovery and occurrences of these vulnerabilities. Between 1995 and 1999, 1,508 vulnerabilities were reported by CERT. [9] Someone can also follow the bugtraq mailing lists to understand the almost daily discovery of security vulnerabilities that vendors have, for the most part, unintentionally coded or designed into their products.

Below are some examples of the various ways vendors are a threat under these circumstances. The first example will not be a particular vendor, but a number of vendors will be used to illustrate how they handle a series of vulnerabilities in the BIND program.

Multiple Vulnerabilities in BIND

CERT released the following security advisory on November 10, 1999:

Six vulnerabilities have been found in BIND, the popular domain name server from the Internet Software Consortium (ISC). One of these vulnerabilities may allow remote intruders to gain privileged access to name servers.

Vulnerability #1: the "nxt bug" - Some versions of BIND fail to properly validate NXT records. This improper validation could allow an intruder to overflow a buffer and execute arbitrary code with the privileges of the name server.


Vulnerability #6: the "naptr bug" - Some versions of BIND fail to validate zone information loaded from disk files. In environments with unusual combinations of permissions and protections, this could allow an intruder to crash named. [10]

These vulnerabilities have a threat chain, the Internet Software Consortium introduced a series of unintentional vulnerabilities. Multiple vendors have adopted the code into their products. These vendors have relied on the Internet Software Consortium to design, coding, and quality test the bind software. The vendors at the least should have also quality tested the software from both an individual component and system integration perspective. Thus, we have a compounded error or omission attack.

Nine vendors (Caldera, Compaq Computer Corporation, Data General, Hewlett-Packard Company, IBM Corporation, The Internet Software Consortium, OpenBSD, Santa Cruz Operation Inc, and Sun Microsystems) responded to the CERT security advisory. Below is how four responded (these are the four different response types, some responded the same) and a statement about the vendor's threat complexity. No verification about the vendor directly contacting its registered customers or not concerning the vulnerability and its current fix status has been made, therefore that aspect of the complexity is not addressed.


Response: See [11]

Caldera has recognized the problem and released patches on the web and ftp sites. They have not added to their threat complexity nor the severity of the vulnerabilities. Links to the threat chain (system and network administrators, and for example, crackers) are added because of required action to close the vulnerabilities.

The system and network administrators are added to the threat chain because they typically do not respond properly (another error or omission) and thus become another threat to customer (themselves). These usually fail to deal with the operational aspects of security, make a few fixes, and then do not allow the follow through necessary to ensure the problems stay fixed. [12]

Compaq Computer Corporation

Response: At the time of writing this document, Compaq is currently investigating the potential impact to Compaq's BIND release(s). As further information becomes available Compaq will provide notice of the completion/availability of any necessary patches through AES services (DIA, DSNlink FLASH and posted to the Services WEB page) and be available from your normal Compaq Services Support channel. [13]

Compaq Computer Corporation has added to their complexity as a threat. The company is still investigating the vulnerability in their operating system and did not have a patch available at the time of the security advisory's release. This allows addition threat elements time to exploit the vulnerability and potentially compromise the customer's information systems. It leaves the system and network administrators to work on their own protection scheme for the vulnerability. The result is an authorized reactive, short-term fix, in which problems re-emerge rapidly. [14] They could further "attack" their systems with an error or omission, thus compounding the vulnerability or introducing new vulnerabilities.

The Internet Software Consortium

Response: ISC has published an advisory regarding these problems, available at: The ISC advisory also includes a table summarizing which versions of BIND are susceptible to the vulnerabilities described in this advisory. [15]

The Internet Software Consortium has added to its complexity as a threat. The consortium has recognized the vulnerabilities and has published some workarounds. For some of the vulnerabilities there is no workaround and they have noted that "At this time, ISC is unaware of any active exploits of this vulnerability." [16] The vendor is assuming that because there is no known active exploit, that the vulnerability is lessened. Other threat elements might very well have exploit scripts, and the compounding factor kicks in. The vendors that used their software need to work on their own protection scheme for the vulnerability. They could further "attack" their customers' systems with an error or omission, thus compounding the vulnerability or introducing new vulnerabilities. System and network administrators need to do the same, thus further compounding the vulnerability further.


Response: As far as we know, we don't ship with any of those vulnerabilities.

OpenBSD may not be a threat in this instance. The company has not declared themselves free from the vulnerability nor did they definitively say they are not a threat in this case. A wise customer should still consider them a threat under this particular situation.

As shown above, with the four companies, a single (or this case multiple) vulnerability when introduced by the vendor can branch the threat chain and compounded the complexity into different directions.

Apple Computer

In this case of an error or omission, Apple Computer [17] has a design flaw, which causes their customers to become a threat to other hosts on a network. The vulnerability compromises the availability of remote information systems.

MacOS 9 can be abused by an intruder to generate a large volume of traffic directed at a victim in response to a small amount of traffic produced by an intruder. This allows an intruder to use MacOS 9 as a "traffic amplifier," and flood victims with traffic. An intruder can use this asymmetry to "amplify" traffic by a factor of approximately 37.5, thus enabling an intruder with limited bandwidth to flood a much larger connection. This is similar in effect and structure to a "smurf" attack, but unlike a smurf attack, however, it is not necessary to use a directed broadcast to achieve traffic amplification. [18]

This attack shows the chaining of threat elements. The vendor, customer, and intruder (cracker or other threat element) are involved. The chain moves from the vendor to the customer to the cracker. Neither the vendor nor the customer were willing threat elements in this attack (by error or omission), only the cracker would be considered a willing participant in exploit the vulnerability.

The Computer Emergency Response Team issued this suggestion: Managers, system administrators, Internet Service Providers (ISPs) and Computer Security Incident Response Teams (CSIRTs) are encouraged to read this document to gain a broader understanding of the problem. [19] This statement also illustrates the point that system and network administrators responsible for the security of information systems can become part of the threat chain if they do no stay current with security advisories.

SSH Daemon and RSAREF2 Library

In this situation two different vendors, having chained and compounded the complexity, have demonstrated why they are a threat=2E The first is the vendor who has supplied the SSH code to its customer=2E There are many vendors who ship a version of SSH compiled against RSAREF2 from RSA Security Inc [20], which is the second threat element.

Some versions of sshd are vulnerable to a buffer overflow that can allow an intruder to influence certain variables internal to the program. This vulnerability alone does not allow an intruder to execute code. However, the vulnerability in RSAREF2, which was discovered and researched by Core SDI, can be used in conjunction with the vulnerability in sshd to allow a remote intruder to execute arbitrary code. [21]

This attack is an unintentional error or omission by the vendors. Neither has deliberately attacked their customers, but are still a threat. RSA Security is the start of the threat chain; its customers, the vendors who purchased RSAREF2 and used it with SSH become the second unwilling threat. It would be one of the other threat elements (example: cyber-terrorists) who would attempt to compromise the confidentiality, integrity, and availability of these vendors customers.

Attack: Viruses

This attack involves vendors either intentionally or unintentionally releasing viruses (programs that reproduce and possibly evolve) into their customers environments. If the vendor does this unintentionally, it is a variation of the errors and omissions attack. Examples include the 11,000 or so known viruses, custom file viruses designed to act against specific targets, and process viruses that cause denial of service or thrashing within a single system. [22]

This was a very common event in the early 1990s, and still occurs today. Some examples of vendors shipping their product with viruses, in this case the Michelangelo virus, include:

Intel Corp. ceases shipment of its LANSpool program after discovering 839 packages carried Michelangelo. "Basically, we were using anti-virus software that could not detect the latest generation of the virus," says spokesman Mark Christensen. [23]

Newswire reports say Leading Edge shipped up to 500 computers in December with the Michelangelo virus. It apparently came from a third-party subcontractor; an alert customer detected it. [24]

Newswire reports say Da Vinci Systems distributed about 900 disks infected with the Michelangelo virus during January. [25]

In these cases, the vendor committed an unintentional virus attack. In the case of Intel, they actually suffered a negative impact. "Reuters reports Intel stock has dropped $0.50 below its $65.75 close from the day before. While Intel is to unveil new versions of its most powerful computer chips later today -- the 486 DX2 microprocessor -- dealers said the shares eased on news Intel had ceased shipment of its LANSpool 3.01 print server utility because some units were found to be infected with the `Michelangelo' virus." [26] Thus the vendor becomes a threat unto himself or herself due to an error and omission attack.

In a different variation of the unintentional virus attack, there have been cases of a vendor's field service employee loading in diagnostic software that contained a virus during a repair. The vendor did not know their software was compromised. [27] The vendor became the unwilling participant of a threat chain.

Intentional Virus Attack

In the intentional virus attack, the vendor knowingly places a virus in their product, which is released when the customer installs the product.

An example of this type of attack started with this question: What motive would the owners of Brain Computer Services have for the writing of a virus? One story is that they sold pirated software, a practice that is legal in Pakistan, but not in the United States. Therefore, the infected disks were sold to Americans in punishment for their use of pirated software. Another story is that Brain Computer Services wrote some software of their own, and were incensed when others pirated their software. [28] Robert Slade believes both of these story versions are unlikely, but many other sources don't question these versions.

In this case, the vendor, a two-brother operation, had limited resources yet were able to effect a wide number of users and corporations. The attack extended beyond their customers. It reached into the environments of the relationships Brain Computer Services' customers had with others.

Attack: Undocumented or Unknown Function Exploitation

In the undocumented or unknown function exploitation attack, the vendor attacks their customers by adding functions not included in the documentation or unknown to the system owners or operators are exploited to perform undesirable actions. Examples include back doors placed in systems to facilitate maintenance, undocumented system calls commonly inserted by vendors to enable special functions resulting in economic or other market advantages, and program sequences accessible in unusual ways as a result of improperly terminated conditionals. [29]

This analysis will cover two results of this attack, the first resulting in an economic or market advantage and the second being back doors used for the vendor's own purpose.

Economic or Market Advantage

Which vendor does not require information to be successful? The answer is one that does not want to sell product. It does not matter the vendor's size in terms of number of employees, gross sales, net income, or market share, all vendors need customer data. Information on the usage of resources and behavior of individuals and corporations is a very valuable asset. A vendor to leverage sales, formulate engineering direction, and adjust marketing strategies can use the information. The information can also be sold to other organizations wanting to the same type of data.

As with most of the documented attacks in this paper, the vendor's funding level does not play a direct role in this threat. A very small company with a 1% market share could just as easily be a threat as could a very large multi-national company with a 60% market share. Someone might argue that the funding level plays an indirect role. A corporation which has more to spend on marketing, sales, engineering, etc., those things that help increase market penetration, can reach more consumers, thus the vendor has the ability to increase the likelihood that they are gathering statistical meaningful information.

A vendor that desires this information can design functions within their products that will search, gather, and send or retrieve the information back to their databases. The vendor in this case is an intentional threat, targeting its own customers or potential customers, those that install trial, demo, or beta versions of the software.

Let's look at few examples, the first vendor is RealNetworks.


RealNetworks [30] has a tremendous installed base of approximately 13.5 million. [31] The corporation was able to gather, without their customer's knowledge, very valuable marketing information: number and format of songs and type of music preferred. The company also gathered other information, which could be used in their engineering designs.

This news story came to light after an independent Internet security consultant disassembled and analyzed RealNetworks' Real Jukebox music software. Richard Smith discovered the program was assigning each person a globally unique identifier (GUID) when they registered the software and reported back to company headquarters with each user's personal information every day. Before the New York Times article hit the stands, the software would report, among other things, the number and format of songs on the person's computer, the type of music the person preferred, the type of audio player the person used, and the quality level of his or her recordings. [32]

Embedding unique serial numbers into the music and audio players allow the vendor to collect and monitor personal information for purposes such as marketing or perceived protection against piracy. But this brave new world of entertainment devices that track each person's listening habits and viewing tastes enables the profiling of individuals by revealing personal lifestyle choices. An individual's audio choices, from music preferences to speeches or sermons, are very personal and revealing. [33]

The vendor in this case has compromised the privacy of its customer.


As with the case of RealNetworks, Microsoft [34] provided the means to track customer activity. This was discovered when a security consultant was performing forensic analysis on a Microsoft Word virus.

"I think that everybody was astonished that Microsoft would have the audacity to brand people's private documents with a serial number that they are recording in their databases," he said. But Microsoft's Rob Bennett emphatically denies that the software company is using the number to track users or their habits. "It doesn't store any information about the user and is not used by Microsoft at all in any marketing or tracking, etc.," he said. The serial number, called a GUID or Globally Unique Identifier, is extremely useful in Internet software. It helps the software track versions of a document through links to earlier versions. "The intent was, if you took a document and moved that document somewhere, (to) be able to clean up those links," Bennett said. "So a specific number called a GUID, a globally unique identifier, is generated so that ..=2E the software knows (how) the document was stored originally and it can go and clean up the link." But the identifier traces all of its documents back to a certain software copy on a certain computer. [35]

As shown above, the vendor has intentionally open the door for a compromise of a user's or a business' privacy. This potential compromise became a reality when a virus writer released a Word Macro Virus. Although Microsoft claimed that the usage wasn't for tracking purposes, the news wires picked up the Melissa story and reported: A controversial Microsoft document identification technology -- the Global Unique Identifier, or GUID, also appears to have played at least a minor role in the Melissa manhunt. [36]

But unlike RealNetworks, there is no proof that Microsoft was tracking this information in order to gather customer data. Therefore, while they weren't directly attacking the confidentiality of its customers, it allowed other threat elements to do so. In the virus writer's situation, the security consultant was a threat to his privacy. This illustrates the basics in threat chaining, the moving of the threat from one element to another.


Intel [37] had designed its Pentium III to incorporate a personal serial number (PSN) which could be exploited like Microsoft's GUID. "At its core, the Pentium III PSN establishes a system that supports the wide spread tracking and monitoring of individuals' online behavior," says Jerry Berman, Executive Director at the Center for Democracy and Technology. "It stands to undermine consumers' efforts to control the use of their information. Our experience warns that without real consumer control and policies limiting their use, unique identifiers threaten privacy." As originally set up by Intel, the PSN was always "on." That's the equivalent of the telephone company publishing everyone's name and phone umber, of not allowing unlisted telephone numbers in the phone book. [38]

Intel, at a preview event for its Pentium III processor in San Francisco last week, trotted out a host of security companies with plans to use the controversial Processor Serial ID Number on the chip=2E The list included Network Associates, RPK Security, iLumin, Aliroo, Rainbow Technologies, SSE, and Brokat, all of which announced plans to use the Processor ID for encryption, firewall, and other security products. Network Associates said its Gauntlet Active Firewall software uses the identification number stamped into the Pentium III's circuitry to recognize networked devices and trigger alerts to network managers if there is a problem. Computer Associates announced that it will offer Unicenter TNG with a toolkit to support the processor's serial number feature. Rainbow Technologies introduced its i-Guard Client Security Framework, which is developed specifically to use the Processor ID to authenticate users. [39]

To demonstrate the compounded effort of threats, below is an example of when you add in the threat from crackers, cyber-gangs, competitors, etc. In this case, Zero-Knowledge Systems is not compromising someone's security, but demonstrating how it could be done. This illustrates the chaining and compounding of threats, which could lead to an information system compromise.

The Internet privacy-company Zero-Knowledge Systems demonstrated an ActiveX exploit that bypasses the PSN Control Utility. The Zero-Knowledge exploit places the serial number in a cookie file to demonstrate how easily a malicious attacker could activate or steal a user's serial number. Zero-Knowledge claims that the exploit will expose the serial number even after the user has turned the feature off using the PSN Control Utility. The attacker could then track users on the Internet or impersonates them at Web sites that authenticate based on that number. [40]

Attack Subcategory: Back Doors

Vendors are also a threat because of intentional coding or design in the case back door functions. A back door is an entry point into a system, which the vendor has designed into their product, but has not told their customers about it. These attack points can potentially lead to information systems that are compromised. As with the economic or market advantage, the vendor's funding level does not play a direct role in this threat.

No examples of deliberate attacks on the vendors' customers could be found. All examples appear to be coded or designed for the vendor's convenience for testing or support purposes. Therefore the vendors did not target their customers, but other threat elements have. This illustrates the chaining effect of threats that people who design and protect information systems must account for.

Below are three examples of vendors who have left behind back doors that could be exploited by others.


In this case, the 3Com [41] has left behind a back door function, which could be exploited by the vendor or another threat element. If this function was exploited, a compromise of the privacy, integrity, or availability, or a combination of two or all three, could occur.

This design flaw was discovered and publicly made known: There appears to be a backdoor/undocumented "access level" in current (and possibly previous) versions of 3Com's "intelligent" and "extended" switching software for LanPlex/Corebuilder switches. In addition to the "admin", "read", and "write" accounts, there is a "debug" account with a password of "synnet" on shipped images (including those available for download from The versions of firmware this was tested under include 7.0.1 and 8.1.1. The debug account appears to have all the privileges of the admin account plus some "debug" commands not available to any other ID. [42]

Because of public releases of this type of information, system and network administrators who do not follow or maintain current security information, they themselves become threats to information systems. The chaining from vendor to hacker (or some other threat element) to administrator is demonstrated.

id Software

As with the example of 3Com, id Software [43] has left a back door function in one of their most popular titles. The Quake server has a feature where it allows administrators to remotely send commands to the Quake console with a password. However, it is possible to remotely bypass authentication. In order for this to be exploited, the attacker (another of the threat elements) would have to create a handcrafted udp packet with a header containing the rcon command and the password "tms" with a source IP coming from ID Software's Subnet. (192.246.40) The Quake server does not require an open connection for sending the rcon packet. When this is exploited, no logs are reported of the rcon command being used. [44]

The example above uses both an intentional coding flaw, the fixed password "tms", and an unintentional design flaw, the ability to handcraft a udp packet. In combination, an information system could be compromised. The unintentional actions from a vendor will be further illustrated in the next section. Zielinski points out that the threat is a hacker, or more likely a cracker but media has adopted the term hacker to mean cracker. Again, this shows that many attacks are successful because of a chaining and compounding of threats, rather then a single threat.


As with the others companies in this section, Hewlett-Packard [45] designed a back door function into their software. HP/UX's remote administration program, SAM, adds a user 'sam_exec' with UID 0 and a standard password. You login and press control-C for a shell. Sometimes you have to mess with TERM to get it to allow you in. The password for HP/UX v9.x is "Yosemite" and the password for HP/UX v10.x is "x7vpa5jh". [46]

In this case, either the vendor or one of the other threat elements could compromise the security of this information system, as this vulnerability has become public knowledge. This example again illustrates the chaining effect, vendor to cracker, or other threat element. There is no real compounding effect in the case, anyone with a little knowledge on how to login could exploit the vulnerability, which could lead to the compromise of the confidentiality, integrity, and availability of the information system. It, as most of the cases, points to the fact that a customer could become a threat unto themselves if the people responsible for maintaining the security of the information systems do not keep abreast of what is happening in the security world.

Attack: Collaborative Misuse

This attack is the collaboration of several parties or identities in order to misuse a system. Examples include creation of a false identity by one party and entry of that identity into a computer database by a second party, provision of attack software by an outsider to an insider who is participating in an information theft, partitioning of elements of an attack into multiple parts for coordinated execution so as to conceal the fact of or source of an attack, and the providing of alibis by one party to another when the collaborated in a crime. [47]

This case of vendor collaborative misuse involved the Crypto AG [48] and the German Federal Intelligence Service (BND) using a post box company in Vaduz, Liechtenstein named Establishment European Trading Company. There is also speculation that the United States' NSA has been planting Trojan horses in to the Crypto AG product. [49]

In this case a vendor and two government security agencies have collaborated on introducing the vulnerability into the Crypto AG product. The threat in this case has practically unlimited resources (in both time and personal) to carry out this attack. Some of Crypto AG's customers identified were Libya, Syria, Iraq, and Iran.

In the same report the author states: There is some speculation that NSA has exacted similar agreements to retrofit the encryption products of other manufacturers of crypto products, especially companies based in small NATO and neutral European nations. [50]

While not proof, the above statement shows that collaborative misuse is an effective method of attack. The NSA could not be a vendor directly to foreign nations, as most nations would never by their product.

Ernst Polzer summed up the threat: "In the industry everybody knows how such affairs will be dealed with," said Polzer, "Of course such devices protect against interception by unauthorized third parties, as stated in the prospectus. But the interesting question is: Who is the authorized fourth?" [51]

The above example also illustrates the combination of attacks, which can be used to exploit a customer. Not only did the vendor use a collaborative misuse attack, the vendor used a Trojan horse attack, which is described in the next section.

Attack: Trojan Horses

With this attack the vendor places an unintended component or operation are placed in hardware, firmware, software, or wetware causing unintended and/or inappropriate behavior. Examples include time bombs, use or condition bombs, flawed integrated circuits, additional components on boards, additional instructions in memory, operating system modifications, name overloaded programs placed in an execution path, added or modified circuitry, mechanical components, false connectors, false panels, radios placed in network connectors, displays, wires, or other similar components. [52]

The above example is incorporated a trojan horse attack. AG Crypto has placed an unintended operation in their product causing inappropriate behavior for a product that is suppose to maintain confidentiality. In more delicate cases the specialists reached deeper into the cryptographic trick box: The machines prepared in this way enriched the encrypted text with "auxiliary information" that allowed all who knew this addition to reconstruct the original key. The result was the same: What looked like unpenetrateable secret code to the users of the Crypto-machines, who acted in good faith, was readable with not more than a finger exercise for the informed listener. [53]

Attack: False Claims

This attack is not described in Dr. Fredrick Cohen's New Security Database. The vendor will attack its customers by making false claims about the capabilities of their products, promising to deliver more than they are capable of producing, or overselling the customer by overstating the customer's requirements.

In the first example the Gartner Group has stated that IT Security Companies are ripping-off their customers. Security firms were promising more than they could deliver, overcharging, and failing to meet the customer's needs. Helen Flynn stated, "The high cost of products and lack of skills to develop better solutions mean users are at the mercy of certain individuals who are cashing in on the situation." Flynn goes on to say, "There are too many individual products. It is too expensive for users to buy every one; they need more integrated solutions." All these factors were increasing the customers' vulnerability to what Flynn called "grey hackers". [54]

The above attack can compromise the availability of information systems for the customer by putting unneeded barriers between the users and the computing resources. The attack could also cause the customer to have a false sense of security. The vendor states that the product will protect against some form of attack or eliminate some vulnerability, when in actuality it doesn't provide this function.

Steel Mill

In another form of the false claim attack, in the late 1970s, a large steel mill contracted with a vendor to produce a much needed memory management software package. The customer was to pay the vendor on a three-payment system based upon milestones. The customer paid the vendor 1/3 when they signed the contract and were to pay another 1/3 when the vendor delivered the software. The vendor knowingly delivered a software package that would not install. But, the vendor was entitled to their second payment. [55]

In this case, the customer was left vulnerable to their competition, as they did not have the systems in place to compete at the next level. The vendor's economic motives were not aligned with its customers.


In another example of the false claims attack occurred when FoxMeyer (customer) invested $5 million into a SAP [56] R/3 ERP installation that failed to they delivered. FoxMeyer has filed a $500 million lawsuit against the vendor, claiming SAP caused them to go out of business. "As a direct result of the fraud and deceit of SAP America and SAP AG, FoxMeyers sustained damages in an amount exceeding $500 million," stated the court papers. Also stated, "SAP did know, or should have known that the R/3 System 'was inadequate to process FoxMeyer's invoice volume'." [57]

In this case the vendor's attack has caused an availability compromise. The vendor has caused the company to go out of business, which is the extreme for this type of attack. Other attacks of this type would not necessarily cause the same result, but almost all customers would suffer a negative financial impact.

Summary, Conclusions, and Further Work

As has been demonstrated above, vendors should be considered a threat to its customers. The most common is the error and omissions attack, which is unintentionally introduced by the vendor. Other attacks on information systems do happen, but are less common. While vendors are a threat, they are usually indirectly involved with actual exploitation of vulnerabilities. Through threat chaining, other threat elements directly exploit the vulnerabilities introduced by vendors and other threat elements.

There are a large number of attacks, and variations of those attacks, that a vendor can use on their customers, which were not demonstrated. These included: bribes and extortion, content-based attacks, covert channels, data aggregation, dumpster diving, error insertion and analysis, inadequate notice exploitation, infrastructure interference, infrastructure observation, insertion in transit, man-in-the-middle, modification in transit, observation in transit, strategic or tactical deceptions, PBX bugging, password guessing, peer relationship exploitation, perception management a.k.a. human engineering, piggybacking, process bypassing, reflexive control, repair-replace-remove information, replay attacks, repudiation, residual data gathering, resource availability manipulation, salami attacks, shoulder surfing, spoofing and masquerading, system maintenance, testing, and wire closet attacks. [58] These attacks vary in how commonly they occur, but all have take place over the years, although no necessarily by vendors. People designing protection systems need to remember, just because a vendor has not demonstrated a particular attack method in the past, they still have the ability to attempt these attacks in the future.


[1] Merriam-Webster, WWWebster Dictionary, Merriam-Webster, WWWebster Dictionary,

[2] Cohen, Dr. Fredrick - New Security Database, Threat Profiles,, 1999

[3] Princeton University, WordNet 1.6

[4] Cohen, Dr. Fredrick - New Security Database, Threat Profiles,, 1999

[5] Cohen, Dr. Fredrick - New Security Database, Threat Profiles,, 1999

[6] Stratman, Scott - "The Cost Of Errors Costs You Profits",

[7] Cohen, Dr. Fredrick - New Security Database, Attack Methods,, 1999

[8] Neumann, Peter G. - Computer Related Risks, pp 232-233, 1995

[9] Carnegie Mellon University,, 1999

[10] Carnegie Mellon University, "CERT=AE Advisory CA-99-14 Multiple Vulnerabilities in BIND",, November 10, 1999

[11] Ibid.

[12] SANS Institute, "The 7 Top Management Errors that Lead to Computer Security Vulnerabilities", 1999,

[13] Ibid. Carnegie Mellon University, November 10, 1999

[14] Ibid. SANS Institute

[15] Ibid. Carnegie Mellon University, November 10, 1999

[16] Internet Software Consortium, "BIND Vulnerabilities",, November 11, 1999

[17] Apple Computer Inc. is a Cupertino, CA company that designs, manufactures and markets microprocessor-based personal computers and related personal computing and communicating solutions for sale primarily to education, creative, consumer, business and government customers. Last year, Apple Computer had $5,941 million in total revenue. [,]

[18] Carnegie Mellon University, "CERT=AE Advisory CA-99-17 Denial-of-Service Tools",, December 28, 1999

[19] Ibid.

[20] RSA Security Inc., is a leading provider of enterprise network and data security solutions. Provides technologies, products and services that secure access to and protect information in networks, systems, applications and Internet commerce initiatives. It is headquartered in Bedford MA. [,]

[21] Carnegie Mellon University, "CERT=AE Advisory CA-99-15 Buffer Overflows in SSH Daemon and RSAREF2 Library",, December 13, 1999

[22] Cohen, Dr. Fredrick - New Security Database, Attack Methods,, 1999

[23] Rosenberger, Rob - Michelangelo Fiasco: a Historical Timeline, 2000

[24] Ibid.

[25] Ibid.

[26] Ibid.

[27] From an investigation of an incident in which the author participated.

[28] Slade, Robert M. - History of Computer Viruses, 1992,

[29] Cohen, Dr. Fredrick - New Security Database, Attack Methods,, 1999

[30] Realnetworks Inc. is a Seattle WA based company and is a provider of branded software products and services that enable the delivery of streaming media content over the Internet and intranets. Last year's revenue was $106.4 million with a total net income of $0.9 million. [GO Money,]

[31] Gross, Robin D. - "The Real Deal: Music Industry in Denial Over Privacy Concerns", The Electronic Frontier Foundation, November 16, 1999

[32] Ibid.

[33] Ibid.

[34] Microsoft Corp. is a Redmond WA based company and it develops, manufactures, licenses and supports a wide range of software products, including scalable operating systems for intelligent devices; server and business and consumer applications; software development tools; and Internet/Intranet products & services. Last year's annual income was $7,785.0 million. [,]

[35] Staff Writer, "Microsoft's GUID sparks fears of privacy invasion", Planet News, September 3, 1999

[36] Dean, Joel - "Melissa manhunt creates precedent", ZDNet News, April 6, 1999

[37] Intel Corp is a Santa Clara CA based company, which designs, develops, manufactures and markets microcomputer components and related products at various levels of integration. Its principal components consist of silicon-based semiconductors etched with complex patterns of transistors. Intel's income for last year was $6,068.0 million. [,]

[38] Wendland, Mike -"Pentium III, Microsoft privacy concerns are overblown", Observer-Eccentric Newspaper, March 14, 1999

[39] Staff Writer, "Security takes front seat at Pentium preview", InfoWorld, February 20, 1999

[40] Security-7, "ActiveX Demonstrates Ease of Stealing Pentium III Serial Number", Security Advisory,

[41] 3Com Corp is based in Santa Clara CA. The company is a provider of broad-based local area network (LAN) and wide area network (WAN) systems. It offers customers a broad range of networking solutions that include switches, hubs, remote access systems, routers, network management software, NICs and modems. Last year it had $5,772.1 million in annual income. [,]

[42] Monti, Eric -"3Com switches - undocumented access level", mail message on BUGTRAQ@NETSPACE.ORG, May 5, 1998

[43] id Software, Inc is the self appointed renown leader in the industry and one of the world's leading developer of best selling software, id Software has forged frenetic titles such as Wolfenstein 3-D, DOOM, DOOM II, QUAKE, and QUAKE II. The company is located in Mesquite, TX. The company portrays a cool image to its customers; In their black glass building, with Ferraris and Porches parked out front and computer toys spilling into the hallways, the wizards that are id have crated one sensational action game after another and have single-handedly raised the standard of excellence in gaming technology. [id Software Inc.,]

[44] Zielinski, Mark - Repent Security Incorporated, RSI, May 1, 1998

[45] Hewlett-Packard Co. designs, manufactures, and services electronic equipment and systems for measurement, computation, and communications. It offers a variety of systems and standalone products, including computer systems, electronic test equipment and medical equipment. Last year, Hewlett-Packard had $47,061 million in total revenues. [,]

[46] bogus technician, "HP/UX sam_exec user vulnerability", Exploit world!, 1996

[47] Cohen, Dr. Fredrick - New Security Database, Attack Methods,, 1999

[48] Since 1952, Crypto AG has been the specialist for information security at the highest cryptological and technical level. More than 130 countries have chosen Crypto AG as their trusted partner. This trust is based on the fact that Crypto AG is a financially and legally independent Swiss company. All shares are owned by one shareholder: a foundation with one goal, the commercial success of our company. Foundation status rules out any third-party influence, and this also guarantees full independence and freedom in the design, production and marketing of our products. []

[49] Staff Writer, "Suspicions Surface About Bugged Swiss Encryption Units", Computer Fraud & Security Bulletin, October 1994

[50] Ibid.

[51] Staff Writer, "Who is the authorized fourth", DER SPIEGEL, issue 36/1996,

[52] Cohen, Dr. Fredrick - New Security Database, Attack Methods,, 1999

[53] Ibid. DER SPIEGEL, issue 36/1996

[54] Staff Writer, "Security firms prey on unsuspecting users", Computer Fraud & Security, June 1998

[55] McKosky, Dr. Robert - Description of attack made during a conversation, January 21, 2000

[56] SAP is the world's largest inter-enterprise software company and the world's fourth-largest independent software supplier, overall. In its most recent fiscal year, ending Dec. 31, 1998, SAP AG reported revenues of DM 8.47 billion. SAP employs over 20,500 people in more than 50 countries who are dedicated to providing high-level customer support and services. []

[57] Sterlicchi, John - "SAP in $500 million lawsuit", Computer Fraud & Security, October 1998

[58] Cohen, Dr. Fredrick - New Security Database, Threat Profiles,, 1999