Penetration Testing mailing list archives
RE: Evolution of security threats and exploits...
From: Jarret Raim <jarret.raim () RACKSPACE COM>
Date: Wed, 1 Dec 2010 18:33:22 +0000
My specialty is in application security and the client-attacking trend is definitely something that I see pretty often. Malware distributed through application based attacks (XSS, etc) seems to be a very common and effective attack vector. If you are interested in more information on the types of application security vulnerabilities that I see, you can take a look at the OWASP Top 10 which is the top 10 most prevalent application security vulnerabilities (at least according to OWASP). http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Hope it helps. Jarret Raim -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of cribbar Sent: Wednesday, December 01, 2010 6:10 AM To: pen-test () securityfocus com Subject: Evolution of security threats and exploits... Could I ask, from the perspective of an internal systems administrator, the so called “good guy”, do you hackers / pen testers see any major trends in the IT security industry that people with malicious intent are now targeting or exploiting these days, as opposed to say, 5 years ago? Has any of the main focus of primary attack shifted in the last few years? I have always looked at the pen testing / hacking industry with great interest and in many ways, amazement, but some of it seems such an underground industry nobody ever really knows “what’s coming next”, so we struggle to stay current with where we need to invest next and step up our own guard and procedures to stop the next few years wave of “new exploits”. I’ve seen some of you post that server side vulnerabilities are becoming a less favourable and fruitful exploit – any particular reason why, and you tell us the majority of exploits now targeted by the bad guys are “client side”, which I suspect you mean unpatched client apps like Adobe Reader etc? Any reason for the switch from focusing primarily on the server side, and now focusing on client side exploits more? I wondered if you’d be willing to say “in 2010 these are the main threats that criminals/hackers are commonly trying to exploit these days, as opposed to these vulnerabilities and exploits which were the main number 1 target focus 5 years back”. You always stay ahead of the game in finding new areas of “low hanging fruit” every few years, so I can’t see any issue in at least asking the question on main areas of focus now from the pen testing / hacking community. It always seems to evolve, in that you will target certain “families” or vulnerabilities for a few years, and then the suppliers will offer tools and automated patch solutions to hamper you, so then you move on to other low hanging fruit that hadn’t been considered or targeted as much before. Any input or feedback most welcome. Thanks for taking the time to read my post. -- View this message in context: http://old.nabble.com/Evolution-of-security-threats-and-exploits...-tp30348296p30348296.html Sent from the Penetration Testing mailing list archive at Nabble.com. ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------ Confidentiality Notice: This e-mail message (including any attached or embedded documents) is intended for the exclusive and confidential use of the individual or entity to which this message is addressed, and unless otherwise expressly indicated, is confidential and privileged information of Rackspace. Any dissemination, distribution or copying of the enclosed material is prohibited. If you receive this transmission in error, please notify us immediately by e-mail at abuse () rackspace com, and delete the original message. Your cooperation is appreciated.
Current thread:
- Evolution of security threats and exploits... cribbar (Dec 01)
- RE: Evolution of security threats and exploits... Jarret Raim (Dec 01)
- Re: Evolution of security threats and exploits... Dan Crowley (Dec 01)
- Re: Evolution of security threats and exploits... Shain Singh (Dec 01)
- Re: Evolution of security threats and exploits... Todd Haverkos (Dec 10)
- Re: Evolution of security threats and exploits... cribbar (Dec 11)
- <Possible follow-ups>
- Fwd: Evolution of security threats and exploits... Ryan Sears (Dec 01)
- Re: Evolution of security threats and exploits... Haroon Meer (Dec 01)