Date: Thu, 24 Feb 2011 12:35:45 -0600
From: Paul Schmehl <pschmehl_lists@...rr.com>
To: Michal Zalewski <lcamtuf@...edump.cx>,
	Pietro de Medici <piedemed@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: What the f*** is going on?

--On February 22, 2011 9:11:30 AM -0800 Michal Zalewski 
<lcamtuf@...edump.cx> wrote:

>> I mean, if these are the security industry's geniuses, why, what would
>> the writers of Stuxnet be?
>
> ...seriously?
>
>> Disclosing how their epic story simply involved SQLi, well, what about
>> the guys discovering 0days in native code?
>
> Totally. I have long postulated that perl -e '{print "A"x1000}' is
> considerably more l33t than <script>alert(1)</script> or ' OR '1' ==
> '1.
>
> I don't understand the point you are getting at. I think that the more
> interesting aspect of this story is the egregious practices revealed
> in that write-up (and elsewhere):
>
> http://lcamtuf.blogspot.com/2011/02/world-of-hbgary.html
>

"Doing security" really isn't that hard.  Behind all the fancy appliances 
and gee-whiz technology, the underlying principle is, don't unnecessarily 
expose your assets to attack.

This boils down to a few simple things:
1) Don't allow users to create simple passwords.
2) Don't allow admins to forgo routine patching.
3) Don't allow poor configuration of applications.
4) Don't allow services that aren't vetted and authorized.

Those four simple rules will go a long way toward reducing your attack 
surface enough that the "routine" "hackers" will move on to easier targets. 
Depending upon your infrastructure, some of this can be automated, but the 
bottom line for good security is auditing.  Know what your assets are. 
Know what the weaknesses are.  Do everything you can do to avoid 
unnecessary exposure.

You're not going to stop a determined adversary from getting in.  There is 
always a weakness somewhere that can be leveraged to gain further access. 
But if you forgo routine patching, allow lousy passwords, allow poor 
configuration practices and run services that aren't vetted and authorized, 
then, well, you're an HBGary clone.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
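Added example, not part of the thread above: one way to automate the "services that aren't vetted and authorized" check and the "don't unnecessarily expose your assets" point from the message, by parsing `ss -ltnp` output from a host and diffing it against an authorized-service baseline. The `ss` output and the baseline are constructed for illustration; the regex assumes the column layout of iproute2's `ss` on Linux.

```python
"""Audit a host's listening TCP services against an authorized baseline.

Constructed example: the `ss -ltnp` output and the baseline below are made
up for illustration, not taken from any real host or from the original post.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` (run as root, so Process is populated).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1201,fd=21))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=990,fd=6))
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("java",pid=2233,fd=45))
LISTEN  0       244     0.0.0.0:5432         0.0.0.0:*          users:(("postgres",pid=1400,fd=5))
LISTEN  0       128     [::]:6379            [::]:*             users:(("redis-server",pid=1500,fd=7))
"""

# Constructed baseline of vetted services for this host:
# (process name, port) -> True if it may listen on all interfaces,
# False if it must stay on loopback only.
AUTHORIZED = {
    ("sshd", 22): True,
    ("nginx", 80): True,
    ("mysqld", 3306): False,    # database reachable only from localhost
    ("postgres", 5432): False,  # same rule; the sample host violates it
}

# Matches a LISTEN row: local address, port and the first process name.
# IPv6 addresses appear bracketed ([::]:6379); greedy \S+ plus backtracking
# leaves the final ":port" for the second group.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


@dataclass(frozen=True)
class Listener:
    process: str
    addr: str
    port: int

    @property
    def exposed(self) -> bool:
        """True if the socket is reachable from off-host (not loopback)."""
        return self.addr not in LOOPBACK


def parse_ss(output: str) -> list:
    """Parse `ss -ltnp` text into Listener records, skipping the header."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a row without process info
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
        listeners.append(Listener(proc, addr, port))
    return listeners


def audit(listeners: list, authorized: dict) -> list:
    """Return (listener, reason) pairs for anything outside the baseline.

    Two classes of finding: a (process, port) pair that was never vetted,
    and a vetted service that is bound beyond loopback when the baseline
    says it must not be.
    """
    findings = []
    for lst in listeners:
        key = (lst.process, lst.port)
        if key not in authorized:
            findings.append((lst, "unauthorized service"))
        elif lst.exposed and not authorized[key]:
            findings.append((lst, "authorized service bound to non-loopback address"))
    return findings


if __name__ == "__main__":
    for lst, reason in audit(parse_ss(SAMPLE_SS_OUTPUT), AUTHORIZED):
        print(f"{lst.process:14s} {lst.addr}:{lst.port:<6d} {reason}")
```

On a real host, feed it `subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout` and keep the baseline under version control per host role; the interesting output is the diff over time, not any single run. Matching on process name and port is a deliberate simplification: a renamed binary defeats it, so a stronger baseline would key on the executable path from `/proc/<pid>/exe`.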