Firewall Wizards mailing list archives
Re: Application-level Attacks
From: Adam Shostack <adam () homeport org>
Date: Sat, 29 Jan 2005 14:27:13 -0500
On Sat, Jan 29, 2005 at 04:15:05AM -0500, Marcus J. Ranum wrote:
| Adam Shostack wrote:
| >I think that older attacks were not application-layer from a business
| >perspective
|
| You're talking marketing. WTF is a "business perspective"??? I assume
| that means perception, not reality.

That means that what's important is the business impact of their activities, not the technical route they took to achieve them. If I can cut cheques by walking into your lobby and picking up the corporate checkbook and the rubber stamp for signing, or I need to own a win98 box running access, or there's some real process in place, the business question is "Can they send themselves my money?"

When the fellows who gave themselves $5m of Cisco stock options executed their attack, where on the technical stack their bits were (application? presentation?) matters less than what they were achieving with the attack.

| RCPT To: fishlips () whitehouse gov
| MAIL From: "| sed '1,/^$/d' | /bin/sh"
|
| is pretty damn application-layer, if I recall correctly. The layer is 7,
| the application is Sendmail 5. The shell, as they say, is root.

Yes it is. And the business question is, is this a trophy-gathering attack, or the Chinese gathering intel?

I believe that attacks focused on making money are rising substantially, and that will change the behavior of the attacker in important ways. For example, they will no longer deface your web pages, but add a second database connection string to an app, and document it, so credit cards go to 'secure offsite storage.' More attackers will spend time and money generating 0day, and using it, making your traditional IDS less and less effective. SQL injection will be used to obtain the contents of databases, and the contents will be sold, rather than posted as trophies.

So, we've been hearing a lot of this from marketing departments for a long time, but I believe that the rise of phishing as well as the sale of zombies for DDOS and spam are actually indicators that it's happening.

Adam