lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <096A04F511B7FD4995AE55F13824B8332131F5@contoso>
Date: Thu, 1 Nov 2007 20:37:00 -0400
From: "Roger A. Grimes" <roger@...neretcs.com>
To: "Alex Eckelberry" <AlexE@...belt-software.com>,
	"Thor (Hammer of God)" <thor@...merofgod.com>,
	"Gadi Evron" <ge@...uxbox.org>, <bugtraq@...urityfocus.com>,
	<full-disclosure@...ts.grok.org.uk>
Subject: Re: mac trojan in-the-wild

Actually, on that same note, I recently did an analysis of the last
three years of published Windows vulnerabilities.

86% required local end-user interaction (i.e. social engineering) to be
pulled off.
http://www.infoworld.com/article/07/10/19/42OPsecadvise-insider-threats_
1.html

I didn't analyze Linux or BSD threats, but my gut feeling puts them at
the same level or even higher.

With 86% or more of the past threats requiring social engineering to
pull off, we can safely say the "future" you state below is here now.

Now, what is interesting is that any exploit requiring social
engineering to work has so far been less of a problem than the vast
majority of "remote buffer overflow" exploits like the Blaster and SQL
worms.  Social engineering-required malware still works, and works well,
but not with the same success of remote buffer overflow malware. There
is very little we in the security space can point to as a success...but
the overall decrease in remote buffer overflows is one.  Unfortunately,
the social engineering malware is getting better day-by-day. We can no
longer count on mispellings (sic) and bad grammar to be malware
indicators. Our users, regardless of the OS, are ready as ever to click
on interesting content, malicious or not. We've got to design our
defenses to pay more attention to client-side attacks, but it is the
weak point now, not in the future.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger_grimes@...oworld.com or roger@...neretcs.com
*Author of Windows Vista Security: Securing Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470
101555
*****************************************************************


-----Original Message-----
From: Alex Eckelberry [mailto:AlexE@...belt-software.com] 
Sent: Thursday, November 01, 2007 5:49 PM
To: Thor (Hammer of God); Gadi Evron; bugtraq@...urityfocus.com;
full-disclosure@...ts.grok.org.uk
Subject: RE: mac trojan in-the-wild

The future of malware is going to be largely through social engineering.
Does that mean we ignore every threat that comes out because it requires
user interaction?  Seems like whistling past the graveyard to me. 

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ