Date: Wed, 05 May 2004 10:54:36 +0200
From: Javier Fernandez-Sanguino <jfernandez@...minus.com>
To: Marc Maiffret <mmaiffret@...e.com>
Cc: NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM, bugtraq@...urityfocus.com,
   full-disclosure@...ts.netsys.com
Subject: Re: New LSASS-based worm finally here (Sasser)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc Maiffret wrote:

 > One thing most people fail to note when speaking of
 > vulnerability-to-worm timelines shrinking is that you're basing your
 > timeline off of when a vulnerability is disclosed, to when a worm
 > is discovered, NOT when a worm is released. The importance of this
 > is that your timeline is not specifically based off of when the
 > "bad guy" decides to do a bad thing and more so when the "good
 > guys" discover a "bad guy" has done something bad.

You are absolutely correct. Moreover, the timeline does not take into
account when the vulnerability was "found" (vs. disclosed), which is
impossible to know.

 >
 > With all of these security companies scrambling to be first (even
 > if they have nothing intelligent to say, other than some nifty name
 > for the worm) it means they are investing a lot of resources into
 > being the first to detect these worms. Which means that as their
 > detection capabilities grow, the timeline of how quickly they are
 > able to detect a worm is going to shrink. Which therefore can help
 > lead to the appearance (right or wrong) that worms are being
 > released faster, when in reality it is that they are now being
 > detected faster.
(...)

I agree with your overall appreciation. However, since Klez/Code Red
you can see that the "time to detect a worm since the vulnerability
was published" has reduced from months (sometimes even close to a
year) to less than a month. Even though the data might not be
accurate to the day (if detection was weeks off), it still shows a trend.
[BTW, if anyone wants the full data, please speak up; no black magic
here, it's gathered from public sources.]

 > In the real world most of these discussions about timelines of
 > vulnerability-to-worm do not matter, depending on your goal. For me
 >  personally I think the goal is trying to create as much accurate
 > threat awareness as possible. We do not need to get down to the
 > number of specific days of this worm vs that worm to know that for
 > a fact there have been a few worms lately that have been
 > released/discovered within a timeline that is shorter than a month
 > or two. For any company that is a
(...)

I partly agree with your statement here. However, knowing that
current worms are very vicious is as important as trying to see a
trend there. Especially if that trend can raise threat awareness, and
might make people make a different selection between, for example,
choosing an inappropriate (IMHO) security measure like "keep your
antivirus up-to-date" instead of a better security measure like
"harden your systems, ask for and purchase a hardened/secure
OS/application and demand proactive security of your vendor (or
else)".

The first one is not going to save the day when worms start being
released hours after a vulnerability is disclosed (or even before
that). As Caida's data shows, current worm propagation methods ensure
that most of the vulnerable (and exposed) population is infected in a
very short amount of time (less than a day?). The second one will
probably do.

Still, the worst threat will still be users themselves on insecure OSes
that allow them to help somebody fully compromise their system when
double clicking something :-)

Regards

Javier

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQJiryqO1I0N5hzVfEQIHHQCg8KgQUNkcr+yqMArUUBXFiTqB6o8AoK99
gnriCMy4Pd+rU2+8B/UytRss
=7IdS
-----END PGP SIGNATURE-----
