Open Source and information security mailing list archives
 
Message-ID: <405F770B.4020701@immunitysec.com>
From: dave at immunitysec.com (Dave Aitel)
Subject: When do exploits get used?

Jay Beale wrote:

| Luke Scharf wrote:
|
|> On Mon, 2004-03-22 at 14:46, Paul Schmehl wrote:
|>
|>
|>> To think otherwise is foolish, as I said.  If one isn't
|>> paranoid, one probably doesn't belong in the security field.
|>> If you're sitting back thinking you're safe because you're
|>> patched and you patch quickly, then you're unalert and exposed.
|>>
|>>
|>
|>
|> Patching, passwords, and basic-permissions *are*, however, the
|> 10% of the work that gets 90% of the benefit.  All the stuff that
|> we get excited about here is just icing on the cake.
|>
|>
| I think you're going to quickly change your mind as soon as the
| first 0-day worm comes out.  All the patching in the world doesn't
| save us if the attackers ever get a widely-used exploit against a
| non-public vulnerability.  At that point, internal firewalling and
| system hardening, to say the least, take center stage.  (Of course,
|  you could add to these, or potentially replace these with, some
| particular host-based intrusion prevention/kernel modification
| solutions, but I'll leave that one alone for now.)
|
| The day of the 0-day worm is coming, or at least the
| close-enough-to-0-day worm, that organizations that do patch often
| will still get badly compromised.  This basically comes down to a
| question of windows of vulnerability.  Your window of vulnerability
|  to a given exploit comes down to the sum of three time windows:


Why the focus on worms again? Worms are what happen when good exploits
are wasted. No one who has an exploit wants a worm to come out. This
is why a real 0day worm is probably not coming out any time soon, imo.


| Patching isn't really 90%.  It seems like that because
| organizations still aren't keeping up with patches and thus don't
| know what would have happened if they had.  It seems like that
| because we're not getting caught in the first two parts of our
| windows of vulnerability that often just yet.  If a worm comes out
| in time window 1 or 2, your 1-hour patch turnaround won't save you.
|
It always boggles me that people will patch production systems for
remote SYSTEM vulnerabilities.

-dave



