[Dailydave] Equitablefax

dave aitel dave at immunityinc.com
Wed Sep 27 15:13:28 UTC 2017


So I assume most people skim any news reports of big breaches in the
same way these days. Was this predictable? Was it preventable? Do we
know who did it? Did they do anything new to attack or defend?

In Equifax's case, the reportable information clearly is the alleged
trading anomalies, rather than the hack itself. But the third question
is interesting to a point. I've been trying to write a keynote for T2
for the past few weeks, and while my muse is clearly on an extended
vacation, there are some interesting generational changes afoot with
regards to these questions.

At some level, in a world where vulnerabilities are super rare,
governments dominate the discussion of malicious actors. I think there's
a lot of news chaff about every little 20-something hacker or aspiring
malware businessman who gets caught. Filtering those out, there are
relatively few reports of hacking groups with high skill levels. And
because of our assumptions that "Governments" are behind everything now,
I think we naturally err towards flinching at boogeymen who...wield SQLi
and Phishing with .jar files.

But when you look at the accomplishments of truly skilled hackers,
they're amazing. And the environment we live in is not one where major
vulnerabilities are rare. The environment is such that any specialized
extremophile
<https://en.wikipedia.org/wiki/Extremophile#/media/File:Grand_prismatic_spring.jpg>
can penetrate and persist all of cyberspace. In a sense, the entire bug
bounty market is a breeding ground for a species that can collect
extremely low impact web vulnerabilities into a life sustaining nutrient
cycle, like the crabs on volcanic plumes in the depths of the Pacific.
Likewise, learning everything about RMI is enough to be everywhere, or
.Net serialization, or CCleaner. In cyber, where there's a way there's a
will.

It used to be we would be more afraid if it was China or Russia or Iran
or whoever. But these days I like to annoy people by asking what if it's
not?

Also, does anyone know how often Equifax did their penetration testing?
My new rule is that if you only do it in Q4 you are unlikely to have a
mature security program. :)

-dave
