Penetration Testing mailing list archives
Re: Evolution of security threats and exploits...
From: Dan Crowley <dcrowley () coresecurity com>
Date: Wed, 01 Dec 2010 13:59:23 -0500
On 12/1/2010 7:10 AM, cribbar wrote:
I’ve seen some of you post that server-side vulnerabilities are becoming a less favourable and fruitful exploit – any particular reason why? And you tell us the majority of exploits now targeted by the bad guys are “client side”, by which I suspect you mean unpatched client apps like Adobe Reader etc?
Any reason for the switch from focusing primarily on the server side, and now focusing on client side exploits more?
This is true. People are starting to understand that you can't run all the services you can possibly fit onto a box exposed to the Internet 24/7 and not have some issues. Firewalls and IDS/IPS are more common all the time, and people writing network-accessible applications are more aware of the danger involved. Nowadays, remote vulns that allow for compromise of a fully patched Windows workstation running only default services over the network come about once every two years. Lots of organizations also have a process for patching their systems on a regular basis, preventing this sort of issue.

On the other hand, few people writing client-side software care much about writing securely. (At least, sometimes it seems that way.) Plus, humans are naturally curious, desire to be helpful, and are prone to bad decisions when emotions get involved. For these reasons and more, it's often much easier to trick someone at the target organization into running some bit of code or triggering a client-side vulnerability than it is to find an exploitable vulnerability accessible from the Internet.

Then again, everyone these days wants to have a website accessible to the Internet all the time without any lapse in availability. They want interactivity and pizazz, and neglect security for its sake. In order to pay less, they'll often hire in-house or low-end developers who might not have a clue about security. There are also lots of interdependent layers. If you have a website, an attacker can try to attack your web applications, your database, your web application framework, your web server, and your operating system. If one or more of these layers are inconsiderate of each other in the right way (as in the case of poison NULL byte issues) there can be severe security issues.

Also, the internal network of most companies isn't well protected. Data often flies about in the clear, and getting onto that internal network usually means you can redirect somebody inside it to route sensitive data to you. If it's a wireless network, it can be even easier. Some people set up rogue access points at work to make their job easier. For an attacker, this means a pre-configured remote foothold on the internal network. It may be enough to set up shop near the physical location and sniff traffic, hoping for juicy data. And speaking of physical security, remember that no amount of firewalling, application whitelisting, IPS, AV, etc. will protect you from a data breach if a machine is physically stolen.

So, does it make sense for the attackers to move away from network-based attacks? Sure does. Are they? Operation Aurora? Client-side attacks. Heartland Payment? SQL injection and sniffing. Stuxnet attacks? Delivered via flash drive. TJX? Attacked via in-store wireless network.

Food for thought, isn't it?

--
Daniel Crowley, CICP, GCIH
Technical Specialist
Core Security Technologies
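The "poison NULL byte" layer mismatch mentioned in the reply above, as an added example that is not part of the original thread or of Core Security's code: a length-aware upper layer accepts a path because its last bytes are ".txt", while the C-string layer beneath it stops at the embedded NUL and works on a different, shorter path; the hardened check rejects any NUL before handing the path down. Function and constant names are assumptions for illustration, and the sample path is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Upper layer: a counted-string check, as a runtime with length-aware
 * strings performs it. It sees every byte, including an embedded NUL,
 * and accepts the path if its last four bytes are ".txt". */
static bool counted_check_has_txt_suffix(const char *buf, size_t len) {
    const char suffix[] = ".txt";
    size_t slen = sizeof(suffix) - 1;
    return len >= slen && memcmp(buf + len - slen, suffix, slen) == 0;
}

/* Lower layer: the length a C-string API such as fopen() would use.
 * strlen() stops at the first NUL, so the path actually opened can be
 * shorter than the one the upper layer validated. */
static size_t effective_path_len(const char *buf) {
    return strlen(buf);
}

/* Hardened upper-layer check: refuse any path containing a NUL, since
 * the layer below would silently truncate it there. */
static bool safe_check_has_txt_suffix(const char *buf, size_t len) {
    if (memchr(buf, '\0', len) != NULL)
        return false;
    return counted_check_has_txt_suffix(buf, len);
}

/* Constructed sample input: "secret.conf", a NUL byte, then ".txt". */
static const char kPoison[] = "secret.conf\0.txt";
static const size_t kPoisonLen = sizeof(kPoison) - 1; /* 16 bytes */

int main(void) {
    printf("counted check accepts: %d\n",
           counted_check_has_txt_suffix(kPoison, kPoisonLen));  /* 1 */
    printf("C-string layer sees %zu bytes: %s\n",
           effective_path_len(kPoison), kPoison);              /* 11, secret.conf */
    printf("hardened check accepts: %d\n",
           safe_check_has_txt_suffix(kPoison, kPoisonLen));     /* 0 */
    return 0;
}
```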