lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <43F17C8C.9090405@science.org>
Date: Tue, 14 Feb 2006 19:45:32 +1300
From: Jason Coombs <jasonc@...ence.org>
To: "Steven M. Christey" <coley@...re.org>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	ge@...uxbox.org
Subject: Re: On the "0-day" term


Steven M. Christey wrote:
> One would hope that there is some critical mass (i.e. number of
> compromised systems) beyond which any in-the-wild 0-day would become
> publicly known.

We can't presume that all 0-day exploits will end up being widely 
observed and thus become well-known. This is not a valid presumption 
even if it ends up being true in practice, today.

The real challenge is for incident response forensics staff to equip 
themselves ahead of time with the necessary tools (and sources of 
forensic logs, including, for example, full packet capture logs of all 
network traffic within a rolling window time period that is as lengthy 
as possible) to be able to identify a 0-day exploit used as the source 
of entry for a one-off intrusion event.

Being able to detect, reliably, any changes made to configuration 
settings or on-disk and in-memory binaries altered by the intruder is 
good, too, but the capability to ascertain precisely what vulnerability 
got exploited to gain entry in the first place is critical to keeping 
the same well-prepared intruder out the second time around.

Some of the technical barriers to achieving full forensic awareness 
within the time period during which a relevant 0-day event occurred 
include the use of SSL and other encryption which bypasses simple packet 
capture logging (unless one's SSL engine also logs all session keys 
generated) and the processing power and storage space required to 
capture, store, and analyze such a large quantity of real-time and 
historical data. Not to mention the questionable probability that the 
log windows will be wide enough to contain useful information when an 
intrusion is finally noticed.

Dramatic improvements in this area of computer and network forensics 
would fundamentally alter modern information security. I do not see how 
any organization can believe itself to be adequately secured when the 
simple ability to prove security measures are working, and quickly 
determine the precise method of failure when they break down, 
essentially does not exist today.

Sincerely,

Jason Coombs
jasonc@...ence.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ