Date: Tue, 9 Oct 2007 21:14:30 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk, <news@...uriteam.org>
Subject: The Death of Defence in Depth ? - An invitation to Hack.lu

Invitation to Hack.lu [1] - A small but nice Conference in the
Heart of Europe.

As you may or may not know, we always prepare something special
for Hack.lu: last year BTcrack, this year we'd like to announce
our (n.runs AG) Presentation @ this year's Hack.lu, entitled:

----------------------------------------------
The Death of Defence in Depth ?
- (In part) Revisiting Anti-Virus Software
   Sergio Alvarez & Thierry Zoller
----------------------------------------------

The Death of Defence in Depth? - A rather bold question that is;
is this another overhyped, bloated Presentation? Or maybe do we
really have to rethink the way we implement Defence in Depth on
our networks? This talk will hopefully give you the answers, or
if not, at least the correct questions to ask yourselves.

Over the last year [2], n.runs AG investigated Software that is
commonly being used in a Defence in Depth approach and was quite
alarmed. The number of Bugs and Design problems we found was so
tremendous that we had problems dealing with the sheer amount of
Vendor coordination and notification emails.

Want numbers? Over 4000 emails.
(Where is the ROI for Responsible Disclosure here?)

The problems range from simple bypasses and Denial of Service
attacks to Code execution; the Impacts range from code execution
in the DMZ to Code execution in your Internal Network holding
what might be your most precious Knowledge - your entire
internal and external mail communication.

This talk will focus on the Paradox of Defence in Depth: the
more layers of Security you add, the more Attack Surface you
offer. The more you defend, the more vulnerable you are to these
types of Attacks.
Think Parsing engines.

In every product we tested we found no evidence that these
products had ever undergone any real outside security testing,
not to mention a source code audit.

This talk will show you the Problems and, more importantly, the
Impact for your company. The talk has been prepared to make a
point - Every company sitting in the room could have been owned
at this very moment, from the Inside out. Prepare for the worst:
we'll use your Defence against you as an entry vector to your
network.

The 2 hour Workshop might even lead us to the discovery of new
vulnerabilities, who knows? ;) Of course such information will
not be communicated by n.runs without any clues on how to
mitigate or maybe even solve this problem.

Bloated, exaggerated Statement? You'll decide. A Hack.lu
exclusive - because we love you so much. Batteries not included.

See you there!

[1] http://www.hack.lu/index.php/Practical
    http://www.hack.lu/reg/ 
[2] http://www.nruns.com/parsing-engines-advisories.php

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
