[Dailydave] INFILTRATE 2017 Initial Thoughts

Dave Aitel dave.aitel at gmail.com
Tue May 2 13:28:27 EDT 2017


We are in a time of different skies falling than expected. It's hard to
remember this, but only a couple years ago, remote vulnerabilities and
exploits were thought extinct. Everyone moved to client-sides and
exploiting trust relationships in domains and strange cryptographic
incantations like "padding oracle attacks" because the remote heap
overflows we used to eat were becoming unfathomably complex. People started
hacking junk to go to BlackHat.

We even have whole lineages of devoted extremophile Archaea exploiting
chains of logic bugs so tenuous and complex they come from the fonts of
sulfuric acid of the HTTP specifications themselves.

But if you look around today, every Intel chip comes with a remote built
in, and every Java and .Net program is being eaten from inside by
deserialization bugs that make the larval Aliens look like benevolent
symbionts.

Which is to say this: The platforms have rotted like Atlanta's highway
system. The hypervisors we relied on as a stopgap have advisories coming
out as often as the PHP content management systems we still, for whatever
reason, can't get our marketing departments to stop using.

It's not just the leaks, although what do you do when 100k boxes still have
SMB available to the internet and ETERNALBLUE is just one of the recent
remote vectors on it? Just as a bonus, you learn that every Solaris box on
the Internet has had remotes in basically every open port. Not only is the
future unevenly distributed, but the PAST as well, when it comes to
exploitation.

Our IDS companies can't analyze these things fast enough to create
signatures, and even if they could, we have no faith the signatures work,
and no faith the companies in charge of fixing the bugs can really fix them
and no faith there isn't an identical bug two lines down. Frankly it's just
dumb luck nobody truly mean has revitalized their 90's interest in
destructive worms. In real biology it is less the circle of life than the
fractal of parasites, and maybe the same is true in the virtual world.

But maybe that's a good thing? Maybe literally this is as bad as it gets,
and your Amazon packages are still getting delivered and we got this far
without really knowing what a Higgs Boson was so maybe we never HAVE to
have secure systems or a working model of physics and it's not such a big
deal?

Regardless, what I learned from INFILTRATE is many things, probably more
than I want to say in public, but certainly more than can be summed up in a
keynote's title. Yet "Beset on all sides" is an apt FEELING and if you were
curiously looking about yourself today in the security world, you'd think
"We don't yet know what helps and we appear pretty beset in every way." And
Justin Schuh's keynote is all about that and you can click here
<https://vimeo.com/213683047> to watch it.

The audio gets fixed about 20 minutes in, but honestly I often stop this
talk and think about things while I'm listening to it. For example, why do
we still rely on DNS and the big PKI system that is TLS? WE KNOW IT IS A
BAD IDEA. Justin knows, because he's been battling it one horrible tentacle
at a time and he talks about different angles of that in his keynote like
someone with the sucker-mark shaped scars of an elder sperm whale.

-dave