Full Disclosure mailing list archives

Re: What the f*** is going on?


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Thu, 24 Feb 2011 12:35:45 -0600

--On February 22, 2011 9:11:30 AM -0800 Michal Zalewski 
<lcamtuf () coredump cx> wrote:

>> I mean, if these are the security industry's geniuses, why, what would
>> the writers of Stuxnet be?
>
> ...seriously?
>
>> Disclosing how their epic story simply involved SQLi, well, what about
>> the guys discovering 0days in native code?
>
> Totally. I have long postulated that perl -e '{print "A"x1000}' is
> considerably more l33t than <script>alert(1)</script> or ' OR '1' ==
> '1.
>
> I don't understand the point you are getting at. I think that the more
> interesting aspect of this story is the egregious practices revealed
> in that write-up (and elsewhere):
>
> http://lcamtuf.blogspot.com/2011/02/world-of-hbgary.html


"Doing security" really isn't that hard.  Behind all the fancy appliances 
and gee-whiz technology, the underlying principle is, don't unnecessarily 
expose your assets to attack.

This boils down to a few simple things:
1) Don't allow users to create simple passwords.
2) Don't allow admins to forgo routine patching.
3) Don't allow poor configuration of applications.
4) Don't allow services that aren't vetted and authorized.

Those four simple rules will go a long way toward reducing your attack 
surface enough that the "routine" "hackers" will move on to easier targets. 
Depending upon your infrastructure, some of this can be automated, but the 
bottom line for good security is auditing.  Know what your assets are. 
Know what the weaknesses are.  Do everything you can do to avoid 
unnecessary exposure.

You're not going to stop a determined adversary from getting in.  There is 
always a weakness somewhere that can be leveraged to gain further access. 
But if you forgo routine patching, allow lousy passwords, allow poor 
configuration practices and run services that aren't vetted and authorized, 
then, well, you're an HBGary clone.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
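Rule 4 above ("don't allow services that aren't vetted and authorized") and the closing point that the bottom line is auditing ("know what your assets are") are the kind of thing a small script can check on every host. The following is an added example, not code from Paul Schmehl's post or from any party in the thread: it parses `ss -tlnp` output and flags every listening TCP socket that is reachable from off the host and is not in an authorized baseline. The baseline (`AUTHORIZED`) and the `ss` output (`SAMPLE_SS_OUTPUT`) are constructed for the example; on a real host you would feed it `subprocess.check_output(["ss", "-tlnp"], text=True)` instead.

```python
"""Audit listening TCP sockets against an authorized-service baseline.

Parses `ss -tlnp` output and reports every socket that is bound to a
non-loopback address (so reachable from the network) whose port is not
in the baseline, or whose port is in the baseline but is owned by an
unexpected process. Loopback-only listeners are skipped: they are not
exposed, which is the point of the exercise.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output (header line included, as ss
# prints it without -H). Not captured from any real system.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=812,fd=4))
LISTEN 0      511        127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=1044,fd=5))
LISTEN 0      4096               *:9200            *:*     users:(("java",pid=2101,fd=210))
LISTEN 0      128          0.0.0.0:443       0.0.0.0:*     users:(("python3",pid=3020,fd=3))
LISTEN 0      128            [::1]:6379         [::]:*     users:(("redis-server",pid=1300,fd=6))
"""

# Hypothetical baseline (an assumption for the example): port -> process
# that has been vetted and authorized to own that port off-host.
AUTHORIZED = {22: "sshd", 443: "nginx"}

# Matches the first process name in an ss "users:((...))" column.
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str  # "?" when ss could not show it (e.g. run without root)

    @property
    def loopback_only(self) -> bool:
        """True if the socket is reachable only from the host itself."""
        return self.address in ("[::1]", "localhost") or self.address.startswith("127.")


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tlnp` text into Listener records, skipping the header."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or something that is not a listener
        # Local address is field 3; the port is after the last colon so
        # that "[::]:22" and "*:9200" split correctly.
        addr, _, port = fields[3].rpartition(":")
        match = _PROC_RE.search(line)
        listeners.append(Listener(addr, int(port), match.group(1) if match else "?"))
    return listeners


def audit(listeners: list[Listener], authorized: dict[int, str]) -> list[tuple[int, str, str]]:
    """Return (port, process, reason) for every exposed listener that is
    not explained by the baseline."""
    findings = []
    for lst in listeners:
        if lst.loopback_only:
            continue  # not exposed to the network; nothing to report
        expected = authorized.get(lst.port)
        if expected is None:
            findings.append((lst.port, lst.process, "exposed service not in authorized baseline"))
        elif expected != lst.process:
            findings.append((lst.port, lst.process,
                             f"port authorized for {expected} but bound by {lst.process}"))
    return findings


if __name__ == "__main__":
    for port, process, reason in audit(parse_ss(SAMPLE_SS_OUTPUT), AUTHORIZED):
        print(f"tcp/{port:<5} {process:<14} {reason}")
```

On the sample, sshd on 22 (both v4 and v6) passes, postgres and redis are loopback-only and skipped, and two findings come out: the wildcard-bound java listener on 9200 that nobody authorized, and a python3 process squatting on 443 where the baseline expects nginx. The second case is why the baseline maps port to process rather than being a bare port allowlist: an authorized port owned by the wrong binary is exactly the "poor configuration" that rules 3 and 4 are about.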

