Dailydave mailing list archives

Re: A change


From: Haroon Meer <haroon () sensepost com>
Date: Tue, 19 Jan 2010 12:30:09 +0200

Hi Dave (all)

On 15 Jan 2010, at 20:39, dave <dave () immunityinc com> wrote:
...... Perhaps the era of IDS and AV and scanners has come to an
abrupt end? We can only hope.

Everyone says an attack is "sophisticated" whenever any 0day is
involved. But that should be the baseline. Or rather, it IS the baseline
and everyone seems to just be finding out.

One of the things Immunity has been including in our services but is now
offering separately is a client-side 0day penetration test against a
single host using CANVAS technology. You get your penetration verified
during phone consultation. And you receive real-time analyst
interpretation of results, plus delivery of log data at the end. For
more information you can contact mark () immunityinc com.

I'm not usually the first person to defend IDS or AV, but contrasted  
with a "client-side 0day penetration test against a single host" it  
raises an interesting question..

If we do assume that 0day is the baseline, then surely a test that  
exposes a host to a subset of 0day (without some sort of *cough*  
heuristic defence or detection) achieves very little?

I.e. to misuse the quote, I would now know that I can be owned by known  
(by CANVAS subscribers) unknowns, but it says nothing new of my  
education/stance to the unknown unknowns. (If I assumed from the start  
that 0day was the baseline.. Then I have learned nothing new from this  
experience.)

If I was using the test to determine how my sandboxing worked, it  
could make sense. If I was testing to see how my "anti exploitation  
mechanisms" were working it could make sense. In the absence of any  
sort of reactive defence, is there value in a semi-automated "click  
here to get owned by 0day you can't currently defend against" type of  
service?[1]

[1] Unless of course you are a vendor, and find it cheaper to capture  
the CANVAS 0day list this way, instead of signing up for a subscription
__
Haroon Meer
haroon () sensepost com
+27 83 786 6637



