"Defending Forward" in time

[Dave Aitel <dave.aitel () gmail com>]

So I went to S4 this week, which is a good conference here in Miami Beach,
mostly about hacking/protecting utilities and other critical infrastructure
components. But I had the good fortune to run into a friend
<https://www.gocomics.com/calvinandhobbes/2018/01/16> I'd never met before.
Anyways, they were telling me about how some Android State surveillance
spyware installed at the border on everyone's phone looked for some file
hashes and then sent in some data via what was essentially a public web API.

There's a lot of stuff that works like this, EDR systems, SIEMs of various
types, etc. And one of the classic attack patterns is that usually these
systems don't have client-certificates signing the data the client sends.
So you can send fake data as a large number of real and not-real hosts. . .
corrupting the database or simply filling it up and making it a lot less
useful because every query takes about ten minutes, especially if you know
how the indexer
<http://www.phpinternalsbook.com/php5/hashtables/hash_algorithm.html> works.

In other words, for some reason, one malicious host is weirdly not usually
a threat model that most defensive systems have considered.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave