Penetration Testing mailing list archives

Fwd: Evolution of security threats and exploits...


From: Ryan Sears <rdsears () mtu edu>
Date: Wed, 1 Dec 2010 14:56:22 -0500 (EST)

Apparently it wouldn't let me send it the first time, so here's what I sent:

Hey Cribbar,

The evolution of threats is something that has always interested me as well. 

As far as attacks that are more prevalent now than 5 years ago, I'd have to say both "double free"/"use-after-free" and 
NULL pointer dereferencing are probably the 2 that stand out in my mind the most. You also have some new social 
engineering hybrid attacks thanks to SET and java cert spoofing (tab-nabbing, click-jacking, etc). Of course all these 
issues have been exploitable since day one, but they just recently gained popularity due to it being the path of least 
resistance (think the "dll hijacking" retardation). 

That's pretty much what it comes down to, resistance. The server-side used to be more vulnerable because the payoff was 
bigger, but nowadays it's mostly client-side. SSH bruteforcing has a minuscule success rate, but you still see people 
doing it on a huge level, because it's easily automated. It goes along with the old adage 'work smart, not hard'. 

Since Windows used to be so vulnerable to remote attack, I'm fairly certain that was generally considered the 'lowest 
hanging fruit' of any organization (it still is with XP clients) years ago, but I know that currently the most 
vulnerable (that is to say the least clearly regulated) surface is web presence. The web is a collection of 
hacked-together RFCs that are somewhat ambiguous with some conditions (such as http parameter pollution thanks to RFC 
3986). It's getting better, but there's no way to majorly overhaul everything without breaking the crap out of it 
first really. The web as an attack vector holds a lot of advantages though, it's instantaneous (depending on the 
attack) and due to its nature, pretty much universal (depending on what attack we're talking here). 

If you're talking about the evolution of attack vectors, you need to also look at the mitigation things put in place. 
Nowadays things like your basic smashing the stack for fun and profit are rendered almost useless thanks to a few 
things such as ASLR, DEP, and the NX bit. This has impacted lots of things dramatically, changed the entire scene-scape 
of the security community, and is also why social engineering is really getting huge. There is no patch for human 
stupidity, unfortunately. 

It also kinda comes down to how far you are from 'the pulse', that is knowing the second you're vulnerable in any 
context, and the implications that ensue. My boss likes to say "If you can't protect - you must detect". You'll never 
be able to cover all the security problems with something as complex as Windows (zero day wise), but the second 
something is publicly released, you at least know you're at risk, and can take steps if you need to remain vulnerable 
to reduce the impact if it IS weaponized against you. 

Policies also have a big role to play in this aspect, unfortunately though with things like the PCI certification it's 
making it harder to get funding for security things that are really needed. It's very hard to justify security funding 
to any manager types, because without the depth of knowledge their only question is 'can I throw money at our company 
and make us invulnerable?'. The short answer is of course no, but it's hard to get people to understand why something 
like a zero-day exists. Then you have some kind of thing like stuxnet and it just kinda slaps all your security in the 
face, but these things happen - your best bet is to reduce your attack surface, put in decent monitoring, and hope for 
the best.

Sometimes though it's some kind of "jack-of-all-trades but master of none" kind of scenario where you're forced to 
tap-dance around with your servers/clients, setting up everything as fast as you can to get it functional, and having 
to ignore it after to deal with more pressing issues. Before you know it half of your servers are un-patched, or have 
something like open config files being indexed, and it's going to take way more work to identify and fix your issues, 
than to just manage everything logically from day 1. It's a pitfall, but it's also VERY prevalent. That's how the 
Bradley Manning/wikileaks thing happened - the field op in charge of net security was too busy fighting off local 
attacks than to be monitoring for some kind of air-gap traffic (sneakernet) or looking for 'bad traffic' - which is 
difficult to do anyway.

Server-side security basically boils down to this - people are sick and tired of being compromised, so there's finally 
enough backing and enough smart people to design more secure server-side stuff. It'll eventually move to the client 
side (which it is with adobe x [lulz] and the windows client-side security measures) but servers are what run 
everything, so naturally we want to protect those first.

Then again there are a *lot* of different attack vectors on every layer of the OSI model really. You don't *need* to 
remotely poison someone's ARP cache if you can just read the wireless probes and solicit a connection that way, then 
you ARE the man in the middle, which is why clients are so much easier to attack. 

Sorry if this seems a bit logically 'broken' but I had to write it in pieces while doing other things. If you need 
clarification/want to talk more feel free to ask! You clearly understand why things are in the state they're in at 
least on some levels, which is great. The biggest fight is knowing your enemy :)

Thanks and sorry for the long reply,
Ryan Sears
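
The HTTP parameter pollution ambiguity Ryan mentions, as an added example that is not part of the original post: RFC 3986 defines the query-string syntax but not what a repeated key means, so different stacks disagree (first value, last value, or a list), and a strict parser that refuses to guess removes the disagreement. The function names and sample queries are constructed for this example.

```python
# Added example (not from the original mailing-list post): the HTTP parameter
# pollution ambiguity. RFC 3986 defines the query syntax but not what a
# repeated key means, so one stack takes the first value, another the last,
# another a list. The strict parser below is a defender-side fix that
# refuses to guess. Function names and the sample queries are constructed.
from urllib.parse import parse_qs, parse_qsl

# Constructed samples: the same query string as three different stacks see it.
POLLUTED = "action=view&id=7&id=9"
CLEAN = "action=view&id=7"

def first_wins(query):
    """Stacks that keep the first occurrence of a repeated key."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(key, value)
    return out

def last_wins(query):
    """Stacks that keep the last occurrence (what dict(parse_qsl(...)) does)."""
    return dict(parse_qsl(query, keep_blank_values=True))

def all_values(query):
    """Stacks that keep every occurrence as a list (parse_qs semantics)."""
    return parse_qs(query, keep_blank_values=True)

def validate_query(query, allowed):
    """Return a list of problems; an empty list means the query is unambiguous.
    Flags repeated keys (the HPP case) and keys outside the expected set, so a
    front-end filter and the back-end cannot silently disagree on a value."""
    params = all_values(query)
    problems = []
    for key in sorted(params):
        if len(params[key]) > 1:
            problems.append(f"repeated parameter: {key}")
        if key not in allowed:
            problems.append(f"unexpected parameter: {key}")
    return problems

def strict_params(query, allowed):
    """Single-valued dict, or ValueError if validate_query found anything."""
    problems = validate_query(query, allowed)
    if problems:
        raise ValueError("; ".join(problems))
    return {key: values[0] for key, values in all_values(query).items()}

if __name__ == "__main__":
    # The same request yields id=7 on one stack and id=9 on another.
    print(first_wins(POLLUTED)["id"], last_wins(POLLUTED)["id"])
    print(validate_query(POLLUTED, {"action", "id"}))
```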

----- Original Message -----
From: "cribbar" <crib.bar () hotmail co uk>
To: pen-test () securityfocus com
Sent: Wednesday, December 1, 2010 7:10:13 AM GMT -05:00 US/Canada Eastern
Subject: Evolution of security threats and exploits...


Could I ask, from the perspective of an internal systems administrator, the
so called “good guy”, do you hackers / pen testers see any major trends in
the IT security industry that people with malicious intent are now targeting
or exploiting these days, as opposed to say, 5 years ago? Has any of the
main focus of primary attack shifted in the last few years? 

I have always looked at the pen testing / hacking industry with great
interest and in many ways, amazement, but some of it seems such an
underground industry nobody ever really knows “what’s coming next”, so we
struggle to stay current with where we need to invest next and step up our
own guard and procedures to stop the next few years’ wave of “new exploits”.
I’ve seen some of you post that server side vulnerabilities are becoming a
less favourable and fruitful exploit – any particular reason why, and you
tell us the majority of exploits now targeted by the bad guys are “client
side”, which I suspect you mean unpatched client apps like Adobe Reader etc?
Any reason for the switch from focusing primarily on the server side, and
now focusing on client side exploits more?

I wondered if you’d be willing to say “in 2010 these are the main threats
that criminals/hackers are commonly trying to exploit these days, as opposed
to these vulnerabilities and exploits which were the main number 1 target
focus 5 years back”. You always stay ahead of the game in finding new areas
of “low hanging fruit” every few years, so I can’t see any issue in at least
asking the question on main areas of focus now from the pen testing /
hacking community. 

It always seems to evolve, in that you will target certain “families” or
vulnerabilities for a few years, and then the suppliers will offer tools and
automated patch solutions to hamper you, so then you move on to other low
hanging fruit that hadn’t been considered or targeted as much before. 

Any input or feedback most welcome. Thanks for taking the time to read my
post. 



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
