DonkBoy Internet
02 December 2010
After a couple of years only rarely adding new content, I have decided to give this another shot.
Here is an email I received that seems to be suitable to make a permanent webpage.
Apparently it wouldn't let me send it the first time, so
here's what I sent:
Hey Cribbar,
The evolution of threats is something that has always interested me as well.
As far as attacks that are more prevalent now than 5 years ago, I'd have to say
both "double free"/"use-after-free" and NULL pointer dereferencing are probably
the 2 that stand out in my mind the most. You also have some new social
engineering hybrid attacks thanks to SET and java cert spoofing (tab-nabbing,
click-jacking, etc). Of course all these issues have been exploitable since day
one, but they just recently gained popularity due to it being the path of least
resistance (think the "dll hijacking" retardation).
That's pretty much what it comes down to, resistance. The server-side used to be
more vulnerable because the payoff was bigger, but nowadays it's mostly
client-side. SSH bruteforcing has a minuscule success rate, but you still see
people doing it on a huge level, because it's easily automated. It goes along
with the old adage 'work smart, not hard'.
Since Windows used to be so vulnerable to remote attack, I'm fairly certain that
was generally considered the 'lowest hanging fruit' of any organization (it
still is with XP clients) years ago, but I know that currently the most
vulnerable (that is to say the least clearly regulated) surface is web presence.
The web is a collection of hacked-together RFCs that are somewhat ambiguous with
some conditions (such as http parameter pollution thanks to RFC 3986). It's
getting better, but there's no way to majorly over-haul everything without
breaking the crap out of it first really. The web as an attack vector holds a
lot of advantages though, it's instantaneous (depending on the attack) and due
to its nature, pretty much universal (depending on what attack we're talking
here).
If you're talking about the evolution of attack vectors, you need to also look
at the mitigation things put in place. Nowadays things like your basic
smashing the stack for fun and profit are rendered almost useless thanks to a
few things such as ASLR, DEP, and the NX bit. This has impacted lots of things
dramatically, changed the entire scene-scape of the security community, and is
also why social engineering is really getting huge. There is no patch for human
stupidity, unfortunately.
It also kinda comes down to how far you are from 'the pulse', that is knowing
the second you're vulnerable in any context, and the implications that ensue. My
boss likes to say "If you can't protect - you must detect". You'll never be
able to cover all the security problems with something as complex as Windows
(zero day wise), but the second something is publicly released, you at least
know you're at risk, and can take steps if you need to remain vulnerable to
reduce the impact if it IS weaponized against you.
Policies also have a big role to play in this aspect, unfortunately though with
things like the PCI certification it's making it harder to get funding for
security things that are really needed. It's very hard to justify security
funding to any manager types, because without the depth of knowledge their only
question is 'can I throw money at our company and make us invulnerable?'. The
short answer is of course no, but it's hard to get people to understand why
something like a zero-day exists. Then you have some kind of thing like Stuxnet
and it just kinda slaps all your security in the face, but these things happen -
your best bet is to reduce your attack surface, put in decent monitoring, and
hope for the best.
Sometimes though it's some kind of "jack-of-all-trades but master of none" kind
of scenario where you're forced to tap-dance around with your servers/clients,
setting up everything as fast as you can to get it functional, and having to
ignore it after to deal with more pressing issues. Before you know it half of
your servers are un-patched, or have something like open config files being
indexed, and it's going to take way more work to identify and fix your issues
than to just manage everything logically from day 1. It's a pitfall, but it's
also VERY prevalent. That's how the Bradley Manning/wikileaks thing happened -
the field op in charge of net security was too busy fighting off local attacks
than to be monitoring for some kind of air-gap traffic (sneakernet) or looking
for 'bad traffic' - which is difficult to do anyway.
Server-side security basically boils down to this - people are sick and tired of
being compromised, so there's finally enough backing and enough smart people to
design more secure server-side stuff. It'll eventually move to the client side
(which it is with Adobe X [lulz] and the Windows client-side security measures)
but servers are what run everything, so naturally we want to protect those
first.
Then again there are a *lot* of different attack vectors on every layer of the
OSI model really. You don't *need* to remotely poison someone's ARP cache if you
can just read the wireless probes and solicit a connection that way, then you
ARE the man in the middle, which is why clients are so much easier to attack.
Sorry if this seems a bit logically 'broken' but I had to write it in pieces
while doing other things. If you need clarification/want to talk more feel free
to ask! You clearly understand why things are in the state they're in at least
on some levels, which is great. The biggest fight is knowing your enemy :)
Thanks and sorry for the long reply,
Ryan Sears
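The HTTP parameter pollution Ryan brings up exists because RFC 3986 only defines the syntax of the query component, not how a repeated name is resolved; that is left to whatever parses the request, so a front-end filter and the application behind it can legitimately disagree about which copy of a parameter counts. The script below is an added example and is not part of the original e-mail. It constructs a query string with a duplicated uid parameter and reads it under the four rules frameworks commonly apply (first copy wins, last copy wins, all copies joined with commas, all copies as a list), then shows a constructed numeric-only filter on uid passing a request whose last copy carries an injected value. The query string, the parameter names and the filter rule are all made up for the illustration.

```python
"""HTTP parameter pollution: one query string, four ways to read a duplicate.

Added example (not from the original e-mail). RFC 3986 defines the syntax
of the query component but not how a repeated name is resolved, so each
framework picks its own rule. The query strings, parameter names and the
filter rule below are constructed for illustration.
"""
from urllib.parse import parse_qs, unquote_plus

# Constructed request: 'uid' is repeated so a front end that reads the first
# copy sees "42" while a back end that reads the last copy sees the payload.
POLLUTED_QUERY = "uid=42&uid=42%27%20OR%201%3D1&page=1"
CLEAN_QUERY = "uid=42&page=1"


def split_pairs(query):
    """Split a raw query string into ordered (name, value) pairs.

    Hand-rolled instead of parse_qs so duplicates keep their wire order.
    """
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def first_wins(query):
    """First copy wins (the rule of e.g. Java servlet getParameter())."""
    seen = {}
    for name, value in split_pairs(query):
        seen.setdefault(name, value)
    return seen


def last_wins(query):
    """Last copy wins (the rule of e.g. PHP's $_GET)."""
    return dict(split_pairs(query))


def comma_joined(query):
    """All copies joined with commas (the rule of e.g. ASP.NET QueryString)."""
    parsed = parse_qs(query, keep_blank_values=True)
    return {name: ",".join(values) for name, values in parsed.items()}


def all_values(query):
    """Every copy kept as a list, which is what Python's parse_qs does."""
    return parse_qs(query, keep_blank_values=True)


def front_end_allows(query):
    """Constructed filter: uid must be numeric. It reads the FIRST copy."""
    return first_wins(query).get("uid", "").isdigit()


def backend_uid(query):
    """Constructed back end that reads the LAST copy of uid."""
    return last_wins(query).get("uid", "")


def is_polluted(query):
    """True if any parameter name appears more than once."""
    names = [name for name, _ in split_pairs(query)]
    return len(names) != len(set(names))


def strict_parse(query):
    """Hardened parse: refuse the request instead of guessing which copy wins."""
    if is_polluted(query):
        raise ValueError("duplicate query parameter")
    return dict(split_pairs(query))


if __name__ == "__main__":
    print("first wins  :", first_wins(POLLUTED_QUERY)["uid"])
    print("last wins   :", last_wins(POLLUTED_QUERY)["uid"])
    print("comma joined:", comma_joined(POLLUTED_QUERY)["uid"])
    print("all values  :", all_values(POLLUTED_QUERY)["uid"])
    print("filter allows polluted request:", front_end_allows(POLLUTED_QUERY))
    print("value the back end would use  :", backend_uid(POLLUTED_QUERY))
```

The practical check is the last pair of functions: whatever sits in front of an application (WAF, reverse proxy, input filter) must resolve duplicates exactly the way the application does, or the filter is validating a copy of the parameter the application never reads. When that alignment cannot be guaranteed, rejecting any request with a repeated name, as strict_parse does, is the one rule that is safe under every downstream parser.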
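Ryan's two remarks that SSH bruteforcing runs at huge scale despite a tiny success rate, and that "if you can't protect, you must detect", fit together: the spray itself is cheap to spot, and the rare success stands out precisely because it follows the spray from the same source. The script below is an added example and is not part of the original e-mail. It runs that detection over a handful of constructed sshd log lines in OpenSSH's syslog format; the host name, addresses, usernames and the five-failure threshold are all assumptions made for the illustration.

```python
"""Spot SSH password brute-forcing in sshd log lines, and a success after it.

Added example (not from the original e-mail). The log lines are constructed
in OpenSSH's syslog format; the host, addresses, usernames and the
five-failure threshold are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: one source sprays several accounts and finally gets in
# with a password; a legitimate user mistypes once and then logs in with a key.
SAMPLE_AUTH_LOG = """\
Dec  2 03:14:07 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec  2 03:14:09 web1 sshd[2312]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Dec  2 03:14:11 web1 sshd[2314]: Failed password for root from 203.0.113.7 port 51041 ssh2
Dec  2 03:14:13 web1 sshd[2316]: Failed password for invalid user test from 203.0.113.7 port 51052 ssh2
Dec  2 03:14:15 web1 sshd[2318]: Failed password for root from 203.0.113.7 port 51060 ssh2
Dec  2 03:14:20 web1 sshd[2320]: Accepted password for root from 203.0.113.7 port 51077 ssh2
Dec  2 03:15:02 web1 sshd[2330]: Failed password for ryan from 198.51.100.24 port 40011 ssh2
Dec  2 03:15:09 web1 sshd[2332]: Accepted publickey for ryan from 198.51.100.24 port 40012 ssh2
"""

# "invalid user" appears when the account does not exist; the optional group
# lets one pattern cover both shapes of the failure line.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def analyse_sshd_log(log_text, threshold=5):
    """Return the sources at or over the failure threshold, the usernames
    each of them tried, and any password login that followed such a spray
    from the same source (the case that needs an incident response)."""
    failures = Counter()
    tried = defaultdict(set)
    logins_after_spray = []
    for line in log_text.splitlines():
        failed = FAILED_RE.search(line)
        if failed:
            user, ip = failed.groups()
            failures[ip] += 1
            tried[ip].add(user)
            continue
        accepted = ACCEPTED_RE.search(line)
        if accepted:
            method, user, ip = accepted.groups()
            # A key-based login is not something a password guesser obtains,
            # so only a password success after the spray is flagged.
            if method == "password" and failures[ip] >= threshold:
                logins_after_spray.append((ip, user))
    sources = {ip: count for ip, count in failures.items() if count >= threshold}
    return {
        "brute_force_sources": sources,
        "usernames_tried": {ip: sorted(tried[ip]) for ip in sources},
        "password_login_after_spray": logins_after_spray,
    }


if __name__ == "__main__":
    for key, value in analyse_sshd_log(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would add: a per-source counter misses a spray spread across many addresses, so a second view keyed on username is worth keeping alongside it; and the cheapest protection, disabling PasswordAuthentication in sshd and allowing keys only, turns the "password login after spray" category into something that cannot happen, which is the point of reducing attack surface before relying on detection.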
----- Original Message -----
From: "cribbar" email removed
To:
Sent: Wednesday, December 1, 2010 7:10:13 AM GMT -05:00 US/Canada Eastern
Subject: Evolution of security threats and exploits...
Could I ask, from the perspective of an internal systems administrator, the
so-called “good guy”, do you hackers / pen testers see any major trends in
the IT security industry that people with malicious intent are now targeting
or exploiting these days, as opposed to say, 5 years ago? Has any of the
main focus of primary attack shifted in the last few years?
I have always looked at the pen testing / hacking industry with great
interest and in many ways, amazement, but some of it seems such an
underground industry nobody ever really knows “what’s coming next”, so we
struggle to stay current with where we need to invest next and step up our
own guard and procedures to stop the next few years wave of “new exploits”.
I’ve seen some of you post that server side vulnerabilities are becoming a
less favourable and fruitful exploit – any particular reason why, and you
tell us the majority of exploits now targeted by the bad guys are “client
side”, which I suspect you mean unpatched client apps like Adobe Reader etc?
Any reason for the switch from focusing primarily on the server side, and
now focusing on client side exploits more?
I wondered if you’d be willing to say “in 2010 these are the main threats
that criminals/hackers are commonly trying to exploit these days, as opposed
to these vulnerabilities and exploits which were the main number 1 target
focus 5 years back”. You always stay ahead of the game in finding new areas
of “low hanging fruit” every few years, so I can’t see any issue in at least
asking the question on main areas of focus now from the pen testing /
hacking community.
It always seems to evolve, in that you will target certain “families” or
vulnerabilities for a few years, and then the suppliers will offer tools and
automated patch solutions to hamper you, so then you move on to other low
hanging fruit that hadn’t been considered or targeted as much before.
Any input or feedback most welcome. Thanks for taking the time to read my
post.
--
View this message in context:
http://old.nabble.com/Evolution-of-security-threats-and-exploits...-tp30348296p30348296.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do
a proper penetration test. IACRB CPT and CEPT certs require a full practical
examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------