Dailydave mailing list archives
Equitablefax
From: dave aitel <dave () immunityinc com>
Date: Wed, 27 Sep 2017 11:13:28 -0400
So I assume most people skim any news reports of big breaches in the same way these days. Was this predictable? Was it preventable? Do we know who did it? Did they do anything new to attack or defend? In Equifax's case, the reportable information clearly is the alleged trading anomalies, rather than the hack itself. But the third question is interesting to a point.

I've been trying to write a keynote for T2 for the past few weeks, and while my muse is clearly on an extended vacation, there are some interesting generational changes afoot with regards to these questions. At some level, in a world where vulnerabilities are super rare, governments dominate the discussion of malicious actors. I think there's a lot of news chaff about every little 20-something hacker or aspiring malware businessman who gets caught. Filtering those out, there are relatively few reports of hacking groups with high skill levels. And because of our assumptions that "Governments" are behind everything now, I think we naturally err towards flinching at boogeymen who...wield SQLi and Phishing with .jar files.

But when you look at the accomplishments of truly skilled hackers, they're amazing. And the environment we live in is not one where major vulnerabilities are rare. The environment is such that any specialized extremophile <https://en.wikipedia.org/wiki/Extremophile#/media/File:Grand_prismatic_spring.jpg> can penetrate and persist all of cyberspace. In a sense, the entire bug bounty market is a breeding ground for a species that can collect extremely low impact web vulnerabilities into a life sustaining nutrient cycle, like the crabs on volcanic plumes in the depths of the Pacific. Likewise, learning everything about RMI is enough to be everywhere, or .Net serialization, or CCleaner. In cyber, where there's a way there's a will.

It used to be we would be more afraid if it was China or Russia or Iran or whoever. But these days I like to annoy people by asking what if it's not?
Also, does anyone know how often Equifax did their penetration testing? My new rule is that if you only do it in Q4 you are unlikely to have a mature security program. :) -dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave