Dailydave mailing list archives

Re: A change


From: val smith <valsmith () attackresearch com>
Date: Mon, 18 Jan 2010 20:35:32 -0700

Yeah, I don't know, I'd be careful with saying it's sophisticated or unsophisticated.
I've seen a lot of really hardcore attacks that use some lame sploit or
phishing as a component of something larger.

I think the media is quick to jump to "omg cyber-ninjas!" and security
people are quick to jump to "omg lame script kiddies!".

I'll admit that burning an 0day seems to be a stupid thing to do, unless it's
some kind of misdirection.

Also there are certain elements out there who don't really seem to care:

1.) if the target discovers the intrusion
2.) if the target knows who they are
3.) if they use high end tools or not (they use both)
4.) if they burn tools

Attackers keep getting in and getting data so why go a step higher?

When I do tests, a lot of the time I use maybe one exploit, usually old, and
then a combination of even older techniques and usually own everything and
don't get detected, so is that unsophisticated? Or just using the minimal
amount of force necessary to achieve the goal?

V.

On Mon, Jan 18, 2010 at 4:47 AM, Nelson Brito <nbrito () sekure org> wrote:

Well... A really sophisticated attack can use a "one year old" vulnerability,
targeting new exploit "triggers" inside vulnerabilities. I have demonstrated
this in H2HC - how to play a little bit deeper to really know "almost all"
the aspects behind a vulnerability.

I can tell you that some "Protection Solutions" don't really protect and
just let the "new exploit" pass through the protection layers. I call this
"Z-Day": a "one-year-old" vulnerability's new approach, which could be compared to
a new "0-day"... Hopefully I will submit this to BH-USA and will demonstrate my
approach.

/*
 * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
 *
 * Author: Nelson Brito <nbrito [at] sekure [dot] org>

  Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
  http://fnstenv.blogspot.com */


-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-
bounces () lists immunitysec com] On Behalf Of dave
Sent: Friday, January 15, 2010 4:39 PM
To: dailydave () lists immunityinc com
Subject: [Dailydave] A change


I think we're seeing a sudden change in how large companies (or simply
companies with a high level of perceived threat[1]) deal with software
security. Perhaps the era of IDS and AV and scanners has come to an
abrupt end? We can only hope.

Everyone says an attack is "sophisticated" whenever any 0day is
involved. But that should be the baseline. Or rather, it IS the baseline
and everyone seems to just be finding out.

One of the things Immunity has been including in our services but is now
offering separately is a client-side 0day penetration test against a
single host using CANVAS technology. You get your penetration verified
during phone consultation. And you receive real-time analyst
interpretation of results, plus delivery of log data at the end. For
more information you can contact mark () immunityinc com.



Thanks,
Dave Aitel
Immunity, Inc.

[1]http://news.cnet.com/8301-27080_3-10434551-245.html
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave





-- 
~~~~~~~~~~~~~~~~
Qui audet adipiscitur