Date: Wed, 05 May 2004 10:54:36 +0200
From: Javier Fernandez-Sanguino <jfernandez@...minus.com>
To: Marc Maiffret <mmaiffret@...e.com>
Cc: NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM, bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: New LSASS-based worm finally here (Sasser)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc Maiffret wrote:
> One thing most people fail to note when speaking of
> vulnerability-to-worm timelines shrinking is that you're basing your
> timeline off of when a vulnerability is disclosed, to when a worm
> is discovered, NOT when a worm is released. The importance of this
> is that your timeline is not specifically based off of when the
> "bad guy" decides to do a bad thing and more so when the "good
> guys" discover a "bad guy" has done something bad.

You are absolutely correct. Moreover, the timeline does not take into account when the vulnerability was "found" (vs. disclosed), which is impossible to know.

> With all of these security companies scrambling to be first (even
> if they have nothing intelligent to say, other than some nifty name
> for the worm) it means they are investing a lot of resources into
> being the first to detect these worms. Which means that as their
> detection capabilities grow, the timeline of how quickly they are
> able to detect a worm is going to shrink. Which therefore can help
> lead to the appearance (right or wrong) that worms are being
> released faster, when in reality it is that they are now being
> detected faster.
(...)

I agree with your overall appreciation. However, since Klez/Code Red you can see that the "time to detect a worm since the vulnerability was published" has been reduced from months (sometimes even close to a year) to less than a month. Even though the data might not be accurate to the day (if detection was weeks off), it still shows a trend.

[BTW, if anyone wants the full data, please speak up; no black magic here, it's gathered from public sources]

> In the real world most of these discussions about timelines of
> vulnerability-to-worm do not matter, depending on your goal. For me
> personally I think the goal is trying to create as much accurate
> threat awareness as possible. We do not need to get down to the
> number of specific days of this worm vs that worm to know that for
> a fact there have been a few worms lately that have been
> released/discovered within a timeline that is shorter than a month
> or two. For any company that is a
(...)

I partly agree with your statement here. However, knowing that current worms are very vicious is as important as trying to see a trend there. Especially if that trend can raise threat awareness, and might make people choose differently between, for example, an inappropriate (IMHO) security measure like "keep your antivirus up-to-date" and a better security measure like "harden your systems, ask for and purchase a hardened/secure OS/application and demand proactive security of your vendor (or else)".

The first one is not going to save the day when worms start being released hours after a vulnerability is disclosed (or even before that). As Caida's data shows, current worm propagation methods assure that most of the vulnerable (and exposed) population is infected in a very short amount of time (less than a day?). The second one will probably do.

Still, the worst threat will still be users themselves on insecure OSes that let them help somebody fully compromise their system by double clicking something :-)

Regards

Javier

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQJiryqO1I0N5hzVfEQIHHQCg8KgQUNkcr+yqMArUUBXFiTqB6o8AoK99
gnriCMy4Pd+rU2+8B/UytRss
=7IdS
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html