Open Source and information security mailing list archives
 
Date: Fri, 27 Oct 2006 09:57:02 +0200
From: poo <skodliv@...il.com>
To: "cdejrhymeswithgay@...h.com" <cdejrhymeswithgay@...h.com>
Cc: botnets@...testar.linuxbox.org, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com, ge@...uxbox.org
Subject: Re: Vulnerability automation and Botnet
	"solutions" I expect to see this year

*. Gadi Intelligence (very limited)


On 10/26/06, cdejrhymeswithgay@...h.com <cdejrhymeswithgay@...h.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> On Tue, 24 Oct 2006 10:52:58 -0500 Gadi Evron <ge@...uxbox.org>
> wrote:
> >So, what I am going to talk about... A tad bit of history on
> >vulnerabilities and their use on the Internet, and then, what we
> >are going
> >to see on corporate, ISP and Internet security relating to botnets
> >this
> >coming year.
> >
> >Vulnerabilities don't exist for the sake of vulnerabilities. They
> >are used
> >for something, they are a tool. Botnets are much the same, using
> >vulnerabilities on the next layer.
> >
> >This past year we have seen how disclosed vulnerabilities, patched
> >vulnerabilities and 0days have been utilized by automated kits. An
> >inter-linked system of websites which download malicious code
> >(update the
> >kits), try to infect millions of users from just a couple dozen
> >main hubs,
> >and react to the environment.
> >If a certain vulnerability is seen to be more successful on
> >certain OS
> >types or if one is found to not work, the kit will be fixed
> >accordingly
> >and distributed. Often immediately after a patch Tuesday, likely
> >that same
> >Friday evening.
> >
> >This way, income can be maximized with the number of infections,
> >data
> >stolen and thus ROI. Both from the expected response time of the
> >vendors
> >as well as how many victims can be reached in that window.
> >
> >One such kit is Webattacker, which has recently been getting more
> >known in
> >public circles.
> >
> >Where we are
> >
> >That does it, botnets are mainstream. People did not yet
> >understand the
> >idea that software vulnerabilities facilitate an attack (=are not
> >the
> >attack) and botnets facilitate much the same, only on a different
> >level. I
> >will discuss that further after what interests everybody.
> >
> >Solutions in the coming year!
> >
> >First, many products in the industry have been implemented
> >successfully in
> >the past, just as solutions of necessity, not "products". Some
> >were
> >successful, some failed. Some (services) have been supplied to the
> >rich
> >and connected, some haven't.
> >Botnets are now main-stream, which means other lesser beings and
> >corporations want these services. They want to be protected in a
> >hostile
> >world. They realize the Internet is not a safe place, and plan
> >accordingly.
> >
> >Services we will see more and more of:
> >*. Intelligence (very limited), showing IP addresses for botnet
> >command
> >and control (C&C) servers, which your computers may be connecting
> >to
> >(i.e. compromised).
> >*. Intelligence (very limited), showing IP addresses that you
> >control
> >which show in spam (meaning compromised hosts) or show in other
> >ways in
> >botnet data being collected. Mostly, this is spam-oriented and the
> >rest of
> >the intelligence is barely noticeable as of yet.
> >*. Intelligence (very limited) on the millions on millions of
> >credentials
> >(for sites, credit cards, banks, eCommerce systems, etc.) and
> >identities
> >being stolen every single day by massive phishing man-in-the-
> >middle trojan
> >horses.
> >*. Intelligence (very limited) other black listing services.
> >
> >In the past, a limited version of these services was provided, but
> >very
> >secretly, and at a very high cost.
> >
> >Products:
> >
> >Botnet products on the network can either detect internal problems
> >(such
> >as bots on the corporate or ISP network or the spreading of
> >infections) or
> >external problems (such as C&C servers or attacks from the world).
> >These
> >can be based on behavior or intelligence.
> >
> >Solutions, which we discussed in the past and are now going to
> >manifest:
> >
> >Intelligence-based (until now only supplied by select groups to
> >select
> >groups) -
> >*. Known bad IPs. Etc. Much like in spam, only for other realms.
> >*. Known bad URLs or domain names. Etc. Much like in spam, only
> >for other
> >realms.
> >
> >Detection -
> >*. IDS approach (decent but not even close to cutting it),
> >*. DNS monitoring approach (very cool, but is just one approach in
> >a
> >layered solution).
> >*. Netflow approach (proven for years now, only one approach,
> >however
> >useful, which is growing more limited every day).
> >
> >Respond and quarantine -
> >*. Walled garden approach (close off/limit suspicious or confirmed
> >compromised computers until they clean themselves. Not successful
> >in
> >current solutions, shows promise).
> >*. Try to fix the situation remotely (solve the vulnerabilities,
> >etc. ahead of time or remove after the fact).
> >
> >There are several others, but these are the main ones describing
> >the 10 or
> >so products we are about to see (all of which are already
> >available
> >publicly as open source, privately developed tools or unsuccessful
> >solutions due to lack of client awareness and interest).
> >
> >QoS, virtualization and half decent intelligence gathering will
> >come
> >next. Other solutions I will not waste breath speaking of right
> >now, they
> >will appear for public consumption once the effectiveness of the
> >solutions
> >above (or the better ones there) is done to dust.
> >
> >What's next?
> >
> >Decent, real decent, intelligence, and support response tools to
> >mitigate
> >what you find in conjunction with a response team trained to deal
> >with
> >thousands of real incidents rather than mark check-lists on a
> >couple an
> >hour to a couple a month. That's simply not being aware of what's
> >happening in your network.
> >Many of the CERTs and SOCs are very trained and high quality, they
> >are not
> >equipped or don't see what they need to react to nor in most cases
> >are
> >built to deal with this threat.
> >
> >What's never going to happen?
> >
> >With security done right, on a wide-scale, with a decent systems
> >design,
> >network, policy, monitoring and response - a lot can be done and
> >0days can
> >also be avoided, even (and especially) with business concerns
> >being put
> >first.
> >
> >Gadi Evron,
> >ge@...uxbox.org.
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >Hosted and sponsored by Secunia - http://secunia.com/
>
> If Hitler was alive and a hacker, do you think your box would be
> working, Gadi?
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.5
>
> wpwEAQECAAYFAkVAxgAACgkQsGS6s78KOsXp5gP8CIlcHIyTcYj8wDx+LMRuHnrIsCO2
> N6ELTIQfGdwLBR+o57u41PHmurUdwcwiXChZ4W2Qz/p1NO+Js7rXETMYHRUW/hwv0Aos
> KZN7RpCFH3PsS9fnPKljBEaWTDG6q+IoBvKI/+6V6M+s0jftHsPp6I6w9eiWf9TQ9tp7
> tF9QnSg=
> =WL6I
> -----END PGP SIGNATURE-----
>
>
>
>
>



-- 
smile tomorrow will be worse

Content of type "text/html" skipped
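The quoted post names three detection layers that products were about to package: intelligence feeds of known-bad IPs and domains, DNS monitoring, and Netflow analysis, with a walled-garden quarantine as the response. The block below is an added example, not code from this thread or from Gadi Evron, showing how those layers combine into one list of hosts to quarantine. Everything in it is constructed for illustration: the indicator feed, the DNS and flow log formats, the RFC 5737 test addresses standing in for C&C servers, and the "periodic beaconing" heuristic used as the behaviour-based complement to the intel match.

```python
"""
Added example (not part of the original post): intelligence-based and
behaviour-based botnet detection over constructed DNS and NetFlow-style
logs, producing a walled-garden candidate list.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed threat-intel feed ("known bad domains / IPs"). Registered
# domains are listed; any label underneath them is treated as a hit.
BAD_DOMAINS = {"example-bad.test", "kit-example.test"}
BAD_IPS = {"203.0.113.7"}  # TEST-NET-3 address as a stand-in for a C&C server

# Constructed DNS query log, one query per line: "unix_ts client qname rcode"
DNS_LOG = """\
1161938400 10.0.0.5 www.example.com NOERROR
1161938401 10.0.0.8 cnc.example-bad.test NOERROR
1161938402 10.0.0.8 mail.example.com NOERROR
1161938405 10.0.0.12 update.kit-example.test NXDOMAIN
"""

# Constructed NetFlow-like records: "start_ts src dst dport bytes"
# 10.0.0.8 talks to the C&C every 300 s; 10.0.0.5 is ordinary web traffic.
FLOW_LOG = """\
1161938400 10.0.0.8 203.0.113.7 80 512
1161938700 10.0.0.8 203.0.113.7 80 520
1161939000 10.0.0.8 203.0.113.7 80 498
1161939300 10.0.0.8 203.0.113.7 80 530
1161938410 10.0.0.5 198.51.100.20 443 90210
1161938900 10.0.0.5 198.51.100.20 443 40000
"""


def parse_dns(text):
    """Parse the constructed DNS log format into dicts; names are normalised."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "rcode": rcode})
    return records


def parse_flows(text):
    """Parse the constructed flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def domain_is_bad(qname, bad_domains):
    """Exact match or any subdomain of a listed domain (no substring matching,
    so 'notexample-bad.test' does not hit 'example-bad.test')."""
    return any(qname == d or qname.endswith("." + d) for d in bad_domains)


def match_dns_intel(records, bad_domains=BAD_DOMAINS):
    """DNS-monitoring layer: client -> set of bad names it resolved.
    NXDOMAIN answers still count; the lookup itself is the indicator."""
    hits = defaultdict(set)
    for r in records:
        if domain_is_bad(r["qname"], bad_domains):
            hits[r["client"]].add(r["qname"])
    return dict(hits)


def match_flow_intel(flows, bad_ips=BAD_IPS):
    """Netflow + intel layer: internal source -> set of bad destinations."""
    hits = defaultdict(set)
    for f in flows:
        if f["dst"] in bad_ips:
            hits[f["src"]].add(f["dst"])
    return dict(hits)


def detect_beacons(flows, min_flows=4, max_jitter=0.1):
    """Behaviour layer: (src, dst, dport) pairs whose flow start times are
    evenly spaced (relative jitter <= max_jitter). Returns
    (src, dst, dport, mean_interval_seconds) tuples."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = []
    for (src, dst, dport), stamps in sorted(by_pair.items()):
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((src, dst, dport, avg))
    return beacons


def suspect_hosts(dns_text=DNS_LOG, flow_text=FLOW_LOG):
    """Union of all three layers: the hosts a walled garden would isolate."""
    dns = parse_dns(dns_text)
    flows = parse_flows(flow_text)
    hosts = set(match_dns_intel(dns)) | set(match_flow_intel(flows))
    hosts |= {src for src, _, _, _ in detect_beacons(flows)}
    return hosts


if __name__ == "__main__":
    print("dns intel hits :", match_dns_intel(parse_dns(DNS_LOG)))
    print("flow intel hits:", match_flow_intel(parse_flows(FLOW_LOG)))
    print("beacons        :", detect_beacons(parse_flows(FLOW_LOG)))
    print("quarantine     :", sorted(suspect_hosts()))
```

Note that 10.0.0.8 is caught three times over (bad name, bad IP, periodic beacon) while 10.0.0.12 is caught only by the DNS layer, since its lookup failed and no flow ever followed; that is the point of running the layers together rather than relying on a single feed, and why a quarantine decision should be based on the union rather than on any one signal.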

