Penetration Testing mailing list archives
Fwd: Evolution of security threats and exploits...
From: Ryan Sears <rdsears () mtu edu>
Date: Wed, 1 Dec 2010 14:56:22 -0500 (EST)
Apparently it wouldn't let me send it the first time, so here's what I sent:

Hey Cribbar,

The evolution of threats is something that has always interested me as well. As far as attacks that are more prevalent now than 5 years ago, I'd have to say both "double free"/"use-after-free" and NULL pointer dereferencing are probably the 2 that stand out in my mind the most. You also have some new social engineering hybrid attacks thanks to SET and Java cert spoofing (tab-nabbing, click-jacking, etc). Of course all these issues have been exploitable since day one, but they just recently gained popularity due to being the path of least resistance (think the "dll hijacking" retardation). That's pretty much what it comes down to, resistance. The server side used to be more vulnerable because the payoff was bigger, but nowadays it's mostly client side. SSH bruteforcing has a minuscule success rate, but you still see people doing it on a huge level, because it's easily automated. It goes along with the old adage 'work smart, not hard'.

Since Windows used to be so vulnerable to remote attack, I'm fairly certain that was generally considered the 'lowest hanging fruit' of any organization years ago (it still is with XP clients), but I know that currently the most vulnerable (that is to say the least clearly regulated) surface is web presence. The web is a collection of hacked-together RFCs that are somewhat ambiguous under some conditions (such as HTTP parameter pollution thanks to RFC 3986). It's getting better, but there's no way to majorly overhaul everything without breaking the crap out of it first, really. The web as an attack vector holds a lot of advantages though: it's instantaneous (depending on the attack) and, due to its nature, pretty much universal (depending on what attack we're talking about here). If you're talking about the evolution of attack vectors, you need to also look at the mitigation things put in place.

Nowadays things like your basic "smashing the stack for fun and profit" are rendered almost useless thanks to a few things such as ASLR, DEP, and the NX bit. This has impacted lots of things dramatically, changed the entire scene-scape of the security community, and is also why social engineering is really getting huge. There is no patch for human stupidity, unfortunately.

It also kinda comes down to how far you are from 'the pulse', that is, knowing the second you're vulnerable in any context, and the implications that ensue. My boss likes to say "If you can't protect - you must detect". You'll never be able to cover all the security problems with something as complex as Windows (zero-day wise), but the second something is publicly released, you at least know you're at risk, and can take steps, if you need to remain vulnerable, to reduce the impact if it IS weaponized against you. Policies also have a big role to play in this aspect; unfortunately, though, with things like PCI certification it's making it harder to get funding for security things that are really needed. It's very hard to justify security funding to any manager types, because without the depth of knowledge their only question is 'can I throw money at our company and make us invulnerable?'. The short answer is of course no, but it's hard to get people to understand why something like a zero-day exists. Then you have some kind of thing like Stuxnet and it just kinda slaps all your security in the face, but these things happen - your best bet is to reduce your attack surface, put in decent monitoring, and hope for the best. Sometimes though it's some kind of "jack of all trades but master of none" scenario where you're forced to tap-dance around with your servers/clients, setting up everything as fast as you can to get it functional, and having to ignore it afterwards to deal with more pressing issues.

Before you know it half of your servers are unpatched, or have something like open config files being indexed, and it's going to take way more work to identify and fix your issues than to just manage everything logically from day 1. It's a pitfall, but it's also VERY prevalent. That's how the Bradley Manning/WikiLeaks thing happened - the field op in charge of net security was too busy fighting off local attacks to be monitoring for some kind of air-gap traffic (sneakernet) or looking for 'bad traffic' - which is difficult to do anyway.

Server-side security basically boils down to this - people are sick and tired of being compromised, so there's finally enough backing and enough smart people to design more secure server-side stuff. It'll eventually move to the client side (which it is with Adobe X [lulz] and the Windows client-side security measures) but servers are what run everything, so naturally we want to protect those first. Then again there are a *lot* of different attack vectors on every layer of the OSI model really. You don't *need* to remotely poison someone's ARP cache if you can just read the wireless probes and solicit a connection that way; then you ARE the man in the middle, which is why clients are so much easier to attack.

Sorry if this seems a bit logically 'broken' but I had to write it in pieces while doing other things. If you need clarification/want to talk more feel free to ask! You clearly understand why things are in the state they're in at least on some levels, which is great. The biggest fight is knowing your enemy :)

Thanks and sorry for the long reply,
Ryan Sears

----- Original Message -----
From: "cribbar" <crib.bar () hotmail co uk>
To: pen-test () securityfocus com
Sent: Wednesday, December 1, 2010 7:10:13 AM GMT -05:00 US/Canada Eastern
Subject: Evolution of security threats and exploits...
Could I ask, from the perspective of an internal systems administrator, the so-called “good guy”, do you hackers / pen testers see any major trends in the IT security industry that people with malicious intent are now targeting or exploiting these days, as opposed to, say, 5 years ago? Has any of the main focus of primary attack shifted in the last few years?

I have always looked at the pen testing / hacking industry with great interest and in many ways amazement, but some of it seems such an underground industry that nobody ever really knows “what’s coming next”, so we struggle to stay current with where we need to invest next and step up our own guard and procedures to stop the next few years’ wave of “new exploits”.

I’ve seen some of you post that server-side vulnerabilities are becoming a less favourable and fruitful exploit – any particular reason why? And you tell us the majority of exploits now targeted by the bad guys are “client side”, by which I suspect you mean unpatched client apps like Adobe Reader etc. Any reason for the switch from focusing primarily on the server side to focusing on client-side exploits more?

I wondered if you’d be willing to say “in 2010 these are the main threats that criminals/hackers are commonly trying to exploit these days, as opposed to these vulnerabilities and exploits which were the main number 1 target focus 5 years back”. You always stay ahead of the game in finding new areas of “low hanging fruit” every few years, so I can’t see any issue in at least asking the question on main areas of focus now from the pen testing / hacking community. It always seems to evolve, in that you will target certain “families” of vulnerabilities for a few years, and then the suppliers will offer tools and automated patch solutions to hamper you, so then you move on to other low hanging fruit that hadn’t been considered or targeted as much before.

Any input or feedback most welcome. Thanks for taking the time to read my post.
--
View this message in context: http://old.nabble.com/Evolution-of-security-threats-and-exploits...-tp30348296p30348296.html
Sent from the Penetration Testing mailing list archive at Nabble.com.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
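Ryan's point about RFC 3986 leaving room for HTTP parameter pollution is that the URI syntax says nothing about what a receiver should do when the same query parameter appears twice, so a front-end filter and a back-end application can legitimately "see" different values for the same request. The following Python is an added illustration written for this archive page, not code from either poster or from any project they mention; it models a first-occurrence-wins component beside a last-occurrence-wins component, shows where they disagree, and implements the defensive policy of refusing ambiguous requests outright. The sample query strings are constructed for the demonstration.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests. The second and third carry a duplicated "id",
# which is exactly the case RFC 3986 leaves undefined.
SAMPLE_URLS = [
    "http://example.test/item?id=42&action=view",
    "http://example.test/item?id=42&id=7&action=view",
    "http://example.test/item?action=delete&id=7&id=42",
]


def query_of(url: str) -> str:
    """Return the raw query component of a URL (empty string if none)."""
    return urlsplit(url).query


def first_wins(query: str) -> dict:
    """Model of a component that keeps the FIRST occurrence of each key."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(key, value)
    return out


def last_wins(query: str) -> dict:
    """Model of a component that keeps the LAST occurrence of each key
    (dict() over the pairs overwrites earlier values)."""
    return dict(parse_qsl(query, keep_blank_values=True))


def find_duplicates(query: str) -> dict:
    """Map each key that appears more than once to all of its values, in order."""
    seen = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(key, []).append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}


def components_disagree(query: str) -> bool:
    """True when a first-wins and a last-wins consumer would act on different data."""
    return first_wins(query) != last_wins(query)


def normalize_strict(query: str) -> dict:
    """Defensive policy: reject any request whose parameter set is ambiguous,
    so every component downstream is guaranteed to see one value per key."""
    dups = find_duplicates(query)
    if dups:
        raise ValueError(f"duplicate query parameters: {sorted(dups)}")
    return dict(parse_qsl(query, keep_blank_values=True))


def audit(url: str) -> dict:
    """Summarize how one URL would be interpreted by the two models
    and whether the strict policy would accept it."""
    q = query_of(url)
    try:
        normalize_strict(q)
        accepted = True
    except ValueError:
        accepted = False
    return {
        "first_wins": first_wins(q),
        "last_wins": last_wins(q),
        "disagree": components_disagree(q),
        "strict_accepts": accepted,
    }


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url)
        for name, value in audit(url).items():
            print(f"  {name}: {value}")
```

The practical lesson is the one Ryan hints at: the disagreement is not a bug in either parser, it is the specification's silence, so the fix belongs at the boundary (reject or canonicalize duplicates once, before anything else interprets the request) rather than in each component separately.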
Current thread:
- Evolution of security threats and exploits... cribbar (Dec 01)
- RE: Evolution of security threats and exploits... Jarret Raim (Dec 01)
- Re: Evolution of security threats and exploits... Dan Crowley (Dec 01)
- Re: Evolution of security threats and exploits... Shain Singh (Dec 01)
- Re: Evolution of security threats and exploits... Todd Haverkos (Dec 10)
- Re: Evolution of security threats and exploits... cribbar (Dec 11)
- <Possible follow-ups>
- Fwd: Evolution of security threats and exploits... Ryan Sears (Dec 01)
- Re: Evolution of security threats and exploits... Haroon Meer (Dec 01)