Dailydave mailing list archives
Re: Longer form questions
From: Dave Aitel <dave.aitel () gmail com>
Date: Thu, 5 Sep 2019 11:01:03 -0400
https://blog.talosintelligence.com/2019/09/the-latest-on-bluekeep-and-dejablue.html

Ok, so as someone pointed out in private email, they have a blog that goes through a 20-step process for exporting your private key from your RDP server to the MITM box that is parsing the protocol. I think this is an unlikely configuration, but in theory it IS possible. An anomaly detection algorithm might be a better option for real-world detection, even though it is not specific to the bug.

In other words, just to annoy Rob Graham, maybe network defenses can't really find every bug they want to - not just because they should not be edge devices with vast repositories of every private key on your network, but because parsing requires state and state requires memory and you don't have infinite memory.

https://vimeo.com/357848836 <---also watch the INFILTRATE teaser! :)

ALSO: I'm headed to Tel Aviv next week if there's any infosec stuff happening there and anyone wants to say hi!

-dave

On Wed, Sep 4, 2019 at 12:57 PM Dave Aitel <dave.aitel () gmail com> wrote:
> So I like the BLUEKEEP marketing train because it's a very hard bug to detect authoritatively for either endpoint protection or for network-based defenses. So when companies make claims about it, it's worth asking how they did that. Twitter is a terrible place for that, but since I know everyone in the industry who does this kind of thing is on this list I figured I'd ask here...
>
> -dave
>
> https://twitter.com/daveaitel/status/1169265348669005825