Full Disclosure mailing list archives
Re: What the f*** is going on?
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Thu, 24 Feb 2011 12:35:45 -0600
--On February 22, 2011 9:11:30 AM -0800 Michal Zalewski <lcamtuf () coredump cx> wrote:
>> I mean, if these are the security industry's geniuses, why, what would the writers of Stuxnet be?...seriously?
>> Disclosing how their epic story simply involved SQLi, well, what about the guys discovering 0days in native code?
>
> Totally. I have long postulated that perl -e '{print "A"x1000}' is considerably more l33t than <script>alert(1)</script> or ' OR '1' == '1.
>
> I don't understand the point you are getting at. I think that the more interesting aspect of this story is the egregious practices revealed in that write-up (and elsewhere): http://lcamtuf.blogspot.com/2011/02/world-of-hbgary.html
"Doing security" really isn't that hard. Behind all the fancy appliances and gee-whiz technology, the underlying principle is, don't unnecessarily expose your assets to attack. This boils down to a few simple things:

1) Don't allow users to create simple passwords.
2) Don't allow admins to forgo routine patching.
3) Don't allow poor configuration of applications.
4) Don't allow services that aren't vetted and authorized.

Those four simple rules will go a long way toward reducing your attack surface enough that the "routine" "hackers" will move on to easier targets.

Depending upon your infrastructure, some of this can be automated, but the bottom line for good security is auditing. Know what your assets are. Know what the weaknesses are. Do everything you can do to avoid unnecessary exposure.

You're not going to stop a determined adversary from getting in. There is always a weakness somewhere that can be leveraged to gain further access. But if you forgo routine patching, allow lousy passwords, allow poor configuration practices and run services that aren't vetted and authorized, then, well, you're an HBGary clone.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
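The reply above argues that the four rules (password quality, routine patching, application configuration, vetted services) can be partly automated but ultimately come down to auditing a known asset inventory. The script below is an added example, not code from this thread or from any of the people in it: it audits a small constructed inventory against those four rules. The policy thresholds (12-character minimum, 30-day patch window, the approved-service set and the tiny common-password list) are assumptions chosen for illustration, as are the host names and dates.

```python
# Added example, not from the thread: audit a constructed asset inventory
# against the four rules in Paul Schmehl's reply (passwords, patching,
# configuration, vetted services). All thresholds and hosts are assumed.
from dataclasses import dataclass, field
from datetime import date

# Policy thresholds (assumed values for illustration)
MIN_PASSWORD_LEN = 12
MAX_PATCH_AGE_DAYS = 30
APPROVED_SERVICES = {"ssh", "https"}
# Constructed blocklist of passwords no policy should accept
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


@dataclass
class Asset:
    """One host in the inventory (constructed for the example)."""
    name: str
    services: set                 # listening services, by name
    last_patched: date
    admin_password: str           # only the audited credential, never stored in practice
    config_issues: list = field(default_factory=list)  # e.g. "default-admin-account"


def weak_password(pw: str) -> bool:
    """Rule 1: reject short, single-class or well-known passwords."""
    if len(pw) < MIN_PASSWORD_LEN or pw.lower() in COMMON_PASSWORDS:
        return True
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return classes < 3


def audit_asset(asset: Asset, today: date) -> list:
    """Return a list of finding tags for one asset; empty means it passes."""
    findings = []
    if weak_password(asset.admin_password):                 # rule 1
        findings.append("weak-password")
    if (today - asset.last_patched).days > MAX_PATCH_AGE_DAYS:  # rule 2
        findings.append("patching-overdue")
    for issue in asset.config_issues:                        # rule 3
        findings.append(f"misconfiguration:{issue}")
    for svc in sorted(asset.services - APPROVED_SERVICES):   # rule 4
        findings.append(f"unvetted-service:{svc}")
    return findings


def audit_inventory(assets, today: date) -> dict:
    """Map each asset name to its findings; this is the 'know your assets' step."""
    return {a.name: audit_asset(a, today) for a in assets}


# Constructed sample inventory: one compliant host, one that breaks every rule.
SAMPLE_ASSETS = [
    Asset("web-01", {"ssh", "https"}, date(2011, 2, 10), "Tr0ub4dor&3Quartz"),
    Asset("cms-02", {"ssh", "http", "ftp"}, date(2010, 11, 5), "password1",
          config_issues=["default-admin-account"]),
]


def sample_report(as_of: date = date(2011, 2, 24)) -> dict:
    """Audit the constructed inventory as of a fixed date (the post's date)."""
    return audit_inventory(SAMPLE_ASSETS, as_of)


if __name__ == "__main__":
    for host, findings in sample_report().items():
        print(host, "OK" if not findings else ", ".join(findings))
```

In a real deployment the inventory would be fed from a CMDB or scan output rather than literals, and the password check would run against a hash-based policy at set time instead of a plaintext field; the structure (one finding tag per rule, per asset) is what makes the audit repeatable.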