Penetration Testing mailing list archives

RE: Evolution of security threats and exploits...


From: Jarret Raim <jarret.raim () RACKSPACE COM>
Date: Wed, 1 Dec 2010 18:33:22 +0000

My specialty is in application security and the client-attacking trend is definitely something that I see pretty often. 
Malware distributed through application-based attacks (XSS, etc.) seems to be a very common and effective attack vector. 
If you are interested in more information on the types of application security vulnerabilities that I see, you can take 
a look at the OWASP Top 10, which is the top 10 most prevalent application security vulnerabilities (at least according 
to OWASP).

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Hope it helps.

Jarret Raim


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of cribbar
Sent: Wednesday, December 01, 2010 6:10 AM
To: pen-test () securityfocus com
Subject: Evolution of security threats and exploits...


Could I ask, from the perspective of an internal systems administrator, the so-called “good guy”, do you hackers / pen 
testers see any major trends in the IT security industry that people with malicious intent are now targeting or 
exploiting these days, as opposed to say, 5 years ago? Has any of the main focus of primary attack shifted in the last 
few years? 

I have always looked at the pen testing / hacking industry with great interest and in many ways, amazement, but some of 
it seems such an underground industry that nobody ever really knows “what’s coming next”, so we struggle to stay current 
with where we need to invest next and step up our own guard and procedures to stop the next few years’ wave of “new 
exploits”.
I’ve seen some of you post that server side vulnerabilities are becoming a less favourable and fruitful exploit – any 
particular reason why, and you tell us the majority of exploits now targeted by the bad guys are “client side”, by which I 
suspect you mean unpatched client apps like Adobe Reader etc.?
Any reason for the switch from focusing primarily on the server side, and now focusing on client side exploits more?

I wondered if you’d be willing to say “in 2010 these are the main threats that criminals/hackers are commonly trying to 
exploit these days, as opposed to these vulnerabilities and exploits which were the main number 1 target focus 5 years 
back”. You always stay ahead of the game in finding new areas of “low hanging fruit” every few years, so I can’t see 
any issue in at least asking the question on main areas of focus now from the pen testing / hacking community. 

It always seems to evolve, in that you will target certain “families” or vulnerabilities for a few years, and then the 
suppliers will offer tools and automated patch solutions to hamper you, so then you move on to other low hanging fruit 
that hadn’t been considered or targeted as much before. 

Any input or feedback most welcome. Thanks for taking the time to read my post. 



