[Dailydave] Longer form questions

Dave Aitel dave.aitel at gmail.com
Thu Sep 5 15:01:03 UTC 2019


https://blog.talosintelligence.com/2019/09/the-latest-on-bluekeep-and-dejablue.html

Ok, so as someone pointed out in private email, they have a blog that goes
through a 20-step process for exporting your private key from your RDP
server to the MITM box that is parsing the protocol. I think this is an
unlikely configuration, but in theory it IS possible. An anomaly detection
algorithm might be a better option for real-world detection, even though it
is not specific to the bug.

In other words, just to annoy Rob Graham, maybe network defenses can't
really find every bug they want to - not just because they should not be
edge-devices with vast repositories of every private key on your network,
but because parsing requires state and state requires memory and you don't
have infinite memory.

https://vimeo.com/357848836 <---also watch the INFILTRATE teaser! :)

ALSO: I'm headed to Tel Aviv next week if there's any infosec stuff
happening there and anyone wants to say hi!

-dave
On Wed, Sep 4, 2019 at 12:57 PM Dave Aitel <dave.aitel at gmail.com> wrote:

> So I like the BLUEKEEP marketing train because it's a very hard bug to
> detect authoritatively for either endpoint protection or for network-based
> defenses. So when companies make claims about it, it's worth asking how
> they did that. Twitter is a terrible place for that, but since I know
> everyone in the industry who does this kind of thing is on this list I
> figured I'd ask here...
>
> -dave
>
>
> https://twitter.com/daveaitel/status/1169265348669005825
>
>
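To make the "parsing requires state and state requires memory" point concrete, here is an added example that is not part of the original post or of anything Dave Aitel or Talos published. It models an abstract network-side detector that must reassemble a multi-message session before it can match a pattern, and gives its flow table a hard capacity with least-recently-used eviction. The marker bytes, the flow identifiers, the capacity and the event stream are all constructed for illustration; no real RDP parsing or BlueKeep signature is involved.

```python
"""Bounded-memory flow state for a stateful network detector.

Added example, not code from the original post. The 'EVIL' marker is a
constructed stand-in for any pattern that only becomes visible once two
messages of the same session are reassembled; it is not a real signature.
"""
from collections import OrderedDict

MARKER = b"EVIL"  # constructed marker; hypothetical, not a real protocol pattern


def detect(events, capacity):
    """Run a stateful matcher over (flow_id, payload) events.

    Keeps at most `capacity` flows of reassembly state; when full, the least
    recently seen flow is dropped. Returns (flagged_flow_ids, evictions).
    """
    table = OrderedDict()      # flow_id -> bytearray of buffered tail bytes
    evicted = 0
    flagged = set()
    keep = len(MARKER) - 1     # bytes that could still complete a split marker

    for flow_id, payload in events:
        if flow_id in table:
            table.move_to_end(flow_id)          # mark as most recently used
        else:
            if len(table) >= capacity:
                table.popitem(last=False)       # evict least recently used flow
                evicted += 1
            table[flow_id] = bytearray()        # fresh state: earlier bytes are gone
        buf = table[flow_id]
        buf.extend(payload)
        if MARKER in buf:                       # match across message boundaries
            flagged.add(flow_id)
        if len(buf) > keep:                     # retain only the tail that matters
            del buf[: len(buf) - keep]
    return flagged, evicted


def build_events(noise_flows):
    """Constructed traffic: one target session whose marker is split over two
    messages, with `noise_flows` unrelated sessions interleaved between them."""
    events = [("target", b"hello EV")]
    for i in range(noise_flows):
        events.append((f"noise-{i}", b"benign"))
    events.append(("target", b"IL world"))
    return events


if __name__ == "__main__":
    # Low concurrency: the target's state survives, the split marker is found.
    print(detect(build_events(4), capacity=8))
    # High concurrency: the target is evicted between its two messages,
    # the second half arrives into empty state, and the match is silently lost.
    print(detect(build_events(16), capacity=8))
```

The second run shows the failure mode the post describes: nothing in the traffic changed, only the number of concurrent sessions the box had to remember, and the detection disappears without any error. A real deployment would additionally need the session plaintext (hence the private-key export the post mentions) before any of this state is even available to parse.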