funsec mailing list archives

Re: vulnerability overstatement


From: "Thomas Raef" <TRaef () wewatchyourwebsite com>
Date: Wed, 20 Jan 2010 16:18:51 -0600

FUD: Fear, Uncertainty & Doubt (unless you're a hacker then FUD is Fully
UnDetectable)

I admit that in my early days of marketing security services I thought I
would rely on the emotional buying factor of fear, but quickly realized
that FUD is a dud and you can't scare someone into buying.

There is a company that offers website vulnerability scanning that still
tries to operate on FUD, and they're having a hard time convincing people
to buy their services, but every time I see something from them, it's all
about FUD.

For those of you wordsmiths, my last name spelled backwards is fear. :-)

Thomas J. Raef

e-Based Security <http://www.ebasedsecurity.com/>

"You're either hardened or you're hacked!"

We Watch Your Website <http://www.wewatchyourwebsite.com/>

"We Watch Your Website - so you don't have to."

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Larry Seltzer
Sent: Wednesday, January 20, 2010 3:53 PM
To: funsec () linuxbox org
Subject: [funsec] vulnerability overstatement

It bugs me that (in general) security researchers and vendors never give
a full picture of mitigating factors and limitations when discussing an
attack. They want users to perceive the threat to be as widespread as
possible. Remember, those guys are just in it for the money too.

Let's compare two very recent examples: VUPEN's DEP-bypassing exploit
for the Aurora bug, for one. What they said in public made it sound like
the exploit just plain runs on platforms where it had been blocked by
DEP, but I suspected a problem from the beginning: DEP bypass schemes
generally rely on techniques that are defeated by ASLR, and IE runs with
ASLR by default on Vista and Win7. Sure enough, Microsoft's response to
these claims (and I believe them) is that ASLR greatly limits the
utility of the DEP bypass:
http://blogs.technet.com/srd/archive/2010/01/20/reports-of-dep-being-bypassed.aspx.
On Vista and Win7 the odds that it will execute are too remote to bother
with. Even on XP, it only works with a 1 in 3 chance.

Contrast that with Tavis Ormandy's disclosure yesterday of the VDM
privilege elevation hack. He explained in full how it worked *and* a)
that it doesn't work on 64-bit kernels and b) gave instructions on how
to disable the 16-bit subsystems as a workaround. What a gentleman. It
sounds like he really just wants to help.

Security firms never tell you that you need to run as administrator to
be vulnerable to something or that it won't execute reliably or that you
had to choose to run it manually. They just want you to be afraid.

Larry Seltzer
Contributing Editor, PC Magazine

larry_seltzer () ziffdavis com

http://blogs.pcmag.com/securitywatch/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.