[Dailydave] What Car Does Dave Drive?
Kurt Grutzmacher
grutz at jingojango.net
Mon Oct 8 20:00:53 EDT 2007
This is where "Threat Management" comes into play I believe, and is
something InfoSec groups outside of critical infrastructure have not
done well. Hell, even critical infrastructures don't execute it in a
super fantastic way either! There's a lot of dynamic data to consider
when assessing the threat risk.
Being able to show that a vulnerability report for some external
product which is "vague" or an internally developed app can have an
exploit developed helps the threat process. It takes the whole "public
exploit available" argument to a different level so you can focus on
the suspected DIFFICULTY of exploiting a system and what it would take
to develop said exploit.
If you believe it takes the financial strength of a nation state to
develop an exploit against a MILSPEC system then you are a little
closer to understanding the threat to said system. There are many more
categories to answer but difficulty of exploit development shouldn't
be a difficult answer, especially if you have staff who understand
what it takes to develop AND the complexity of your environment.
There are no absolutes in this industry other than you're absolutely
going to be targeted at some point. Being accurate in your assumptions
helps and having the basic knowledge of exploit development, including
how your protections may attempt to guard against the execution, is
something all InfoSec groups should do.
After all, know your enemy. :)
On 10/8/07, shadown <shadown at gmail.com> wrote:
> Hi Joanna,
>
> This is an interesting topic. (not the car thing of course :P)
> Some customers (if not most of them) know that security is something
> critical for them, but in the end most of them just don't really get it.
> I mean, they don't realize how bad things could go, and they tend to
> under-rate security problems because there's no public exploit, or just
> because they think that exploiting the issue is either impossible or so
> difficult that they underestimate it and lower the bar to the point that they
> don't even fix the problem.
> I do believe that developing custom exploits makes people understand
> that they have to fix the problems with no excuses.
> Actually this is very valid when it comes to demo 'pown'ability and
> pivoting of/from:
> - Network Printers
> - Appliances
> - DSL routers
> - Voip devices
> - a large etc
>
> As many of them are developed on different CPUs and modified OSs (some
> of them proprietary), showing what could be done is very eye-opening
> for the customers.
>
> My 2 cents.
> Cheers,
> Sergio
>
>
> Joanna Rutkowska wrote:
> > If you want to know the answer:
> >
> > http://www.darkreading.com/document.asp?doc_id=135564&WT.svl=news1_2
> >
> > One thing I don't quite get though:
> >
> > <quote>
> > "We'll analyze a random printer DLL you have installed, write an
> > exploit, and use that on your network," he says, to help companies
> > better secure their environments.
> > </quote>
> >
> > While I greatly respect skills needed to write sophisticated exploits, I
> > still don't see how exploit writing could be used to secure anything...?
> >
> > You can, of course, use exploits to test some security products (e.g. an
> > IPS), but here we're talking about exploits for bugs in some custom
> > code. Many of us will agree that IPS are useless in this case, almost by
> > definition, and I think that Dave is one that will agree most eagerly
> > (search for IDS-related threads on this list). So, testing an IPS
> > against custom exploits for bugs in the custom code seems pretty much
> > useless, no?
> >
> > The question is then: how do you convince a client to pay you not only for
> > a code audit (no doubt it's useful) but also to write an exploit for each
> > bug you find? I *really* would love to know the answer :)
> >
> > Having said all that, I need to stress that I can't overestimate the
> > (educational) value of exploit writing for the whole IT security field
> > -- one might not be following the latest trends in heap exploits for
> > RPC thingies, but if one never wrote and understood an exploit there's
> > quite a big chance that they simply "don't get it at all". It's just I
> > don't see how individual companies would be interested in paying
> > somebody for preparing "educational material" for other researchers?
> >
> > joanna.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
> --
> Sergio Alvarez
> Security, Research & Development
> IT Security Consultant
> email: shadown at gmail.com