Open Source and information security mailing list archives
 
Message-ID: <42F1B5B7.7090603@novell.com>
Date: Wed, 03 Aug 2005 23:29:11 -0700
From: Crispin Cowan <crispin@...ell.com>
To: Forte Systems - Iosif Peterfi <toto@...tesys.ro>
Cc: 'Technica Forensis' <forensis.technica@...il.com>,
	"'Black, Michael'" <black@...excorp.com>,
	'James Longstreet' <jlongs2@....edu>,
	'Derek Martin' <code@...zashack.org>, bugtraq@...urityfocus.com
Subject: Re: On classifying attacks


Forte Systems - Iosif Peterfi wrote:
> Basically, compound attacks need the victim's intervention.
No; compound attacks need more than one attack vector. In your example
of attacking a web server, the attacker needs a compound attack
comprised of a remote->local attack and a local->root attack to take
over the machine. It is "compound" in that it is comprised of more than
one attack, but does not necessarily involve the victim's intervention.

Crispin
-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com


