nanog mailing list archives

Re: chargen is the new DDoS tool?


From: shawn wilson <ag4ve.us () gmail com>
Date: Wed, 12 Jun 2013 05:14:03 -0400

On Wed, Jun 12, 2013 at 4:51 AM, Jimmy Hess <mysidia () gmail com> wrote:
> On 6/12/13, shawn wilson <ag4ve.us () gmail com> wrote:
>
>>> The scope is constantly changing.
>> Not really. The old tricks are the best tricks. And when a default install
> By best, you must mean effective against the greatest number of targets.

By best, I mean effective - end of story.

>> of Windows still allows you to request old NTLM authentication and most
>> people don't think twice about this, there's a problem.
>
> Backwards compatibility and protocol downgrade-ability is a PITA.

Yes, telling people that NT/2k can't be on your network might be a
PITA, but not using software or hardware that has gone EOL is
sometimes just a sensible business practice.

>> It seems you are referring to two things - exploit writing vs pen testing.
>> While I hate saying this, there are automated tools that could clean up
>> most networks for a few K (they can also take down things if you aren't
>> careful so I'm not saying spend 2k and forget about it). Basically, not
>
> For the orgs that the 2K tool is likely to be most useful for, $2k is
> a lot of cash.
> The scan tools that are really worth the trouble start around 5K, and
> people don't like making much investment in security products until
> they know they have a known breach on their hands. Many are likely
> to forego both, purchase the cheapest firewall appliance they can
> find that claims to have antivirus functionality, maybe some
> stateful TCP filtering, and Web policy enforcement to restrict surfing
> activity; and feel safe, "the firewall protects us", no other
> security planning or products or services req'd.

I don't really care to price stuff so I might be a little off here
(most of this stuff has free components). Nessus starts at around $1k,
Armitage is about the same (but no auto-pown, darn), Metasploit Pro is
a few grand. My point being, you can have a decent scanner (Nessus)
catching the really bad stuff for not much money (I dislike this line
of thought, but if you aren't knowledgeable enough to use tools and just want
a report for a grand, there you go).

>> As I indicated above, 0days are expensive and no one is going to waste one
>> on you. Put another way, if someone does, go home proud - you're in with
>> [snip]
>
> I would call this wishful thinking; 0days are expensive, so the
> people who want to use them will want to get the most value they can
> get out of the 0day before the bug gets fixed.

0days are expensive, so when you see them, someone (Google, Firefox,
Adobe, etc) has generally paid for them. Once you see them, they are
not 0days (despite what people like to call recently disclosed public
vulns - it ain't an 0day).

> That means both small numbers of high value targets, and, then...
> large numbers of lesser value targets. If you have a computer
> connected to the internet, some bandwidth, and a web browser or e-mail
> address, you are a probable target.

No, this means Stuxnet, Duqu, Flame. This means, I spent a million on
people pounding on stuff for a year, I'm going to take out a nuclear
facility or go after Google or RSA. I want things more valuable than
your students' social security numbers.

> If a 0day is used against you, it's most likely to be used against
> your web browser visiting a "trusted" site you normally visit.

I don't have anything to back this up off hand, but my gut tells me
that most drive-by web site malware isn't that well thought out.

> The baddies can help protect their investment in 0day exploit code
> by making sure that by the time you detect it, the exploit code is
> long gone, so the infection vector will be unknown.

If the US government can't prevent companies from analyzing their
work, do you really think random "baddies" can? Seriously?... No
really, seriously?

Here's the point: once you use an 0day, it is not an 0day. It's burnt.
It might still work on some people, but chances are all your high
value targets know about it and it won't work on them.
