[Dailydave] A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos

Dave Aitel dave.aitel at gmail.com
Fri Nov 1 15:16:02 UTC 2019


Ok, so you can/should watch it here:
https://www.youtube.com/watch?v=uohyx7OIugY

Alex is a great keynote speaker and I really like a lot of his talk
(especially where he delves into how disintermediation has broken all
social systems without ever using the word disintermediation) but also I
think he's super wrong about something so I'm going to spam this at him
(and all of you) to annoy him, specifically in a section about priorities
as a community, which is followed by a whole section on how the technical
companies all emulate Steve Jobs and pretend everything they do is perfect.

"Even in a position where we faced the best attackers, I only saw true 0day
deployed twice"

"""If you have Superman vision and you're able to zoom in to the screen you
would see that every pixel on the screen is actually comprised of sub
pixels right of red green blue sub pixels *this sub pixel represents all of
the human harm ever caused by side-channel attacks in the history of
information security.* This is what dominates discussion in the security
research community - super complicated esoteric issues for which there's
almost no demonstration ever or even good theoretical purposes in which
this would be the best way for somebody to leak out information or somehow
otherwise compromise the system. And so this is the fundamental issue -
that if you actually look at what people are working on that pyramid is
inverted. People are spending way more than a sub-pixel thinking about
super esoteric side-channel attacks in Intel processors. That doesn't mean
we shouldn't research. It doesn't mean we shouldn't fix it. But it
shouldn't be the thing that we think way more about..... I want to read way
more about how people are making it easier for real enterprises to patch
their systems. I want to read way more about how people are designing their
systems to not be able to be easily abused to cause harm and a variety of
really horrible ways than I read about more side-channel attacks. I
certainly don't want people coming up with damn names and domains just
for their side channel attack. That drives me totally insane."""

So here are two things:
1. The security research community is tiny. We get a not insignificant
subset of it at INFILTRATE every year. The reason the material the research
community puts out gets attention is precisely because it turns
conventional wisdom on its head. You study the latest heap overflow because
it fills in your knowledge of how weird machines work in the real world.
You learn about HTTP Desync attacks because they reflect a larger problem
in parsers in general, in that you cannot ADD two parsers together to get a
more secure solution (which is also what weird machines tell you). Hey it
turns out WAFs and AVs can only make you LESS secure, not more. That's a
USEFUL thing to know!

You study side channel attacks because it answers the question "If I can't
trust the silicon what can I trust?" and the answer is a dried leaf you
found in your driveway and an old walnut stick, and not the latest blinky
box from a company set up by a conglomerate that also does *government
contracting* "on the side" for a government that is not yours. :)

2. There are lots of hackers out there who use ONLY 0day. This is one of
those things that's obvious every time you talk to a group of old ones
about their favorite bugs and everyone's favorite was one that nobody
detected for decades. Kaspersky finds someone using Chrome 0day about once
a month now. And that's because advanced attacks have strategic impact, and
even if you solved the entire rest of that pyramid, one good 0day can
tumble a society.

How would one detect side channel attacks exactly? What it looks like is
someone (me maybe) buying a bunch of VMs in your hosting provider and then
using their CPU for a little bit.

I don't think Maersk had issues with patching. The issue is that no matter
how good at patching you are, it doesn't matter in the face of a worm that
uses Active Directory to traverse around, and they probably did not listen
to the Bloodhound researchers talk about the many, many ways AD is a risk
all by itself. Every attacker (Avast
<https://www.zdnet.com/article/avast-says-hackers-breached-internal-network-through-compromised-vpn-profile/>
and the Indian Nuclear
<https://arstechnica.com/information-technology/2019/10/indian-nuke-plants-network-reportedly-hit-by-malware-tied-to-n-korea/>
hackers, this week alone) seems to have Domain Admin but the security
engineering community hasn't asked why yet...

-dave
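The parser-composition point above (HTTP desync attacks as evidence that two parsers in series do not add up to a safer one), as an added example that is not part of Dave's post: two lenient HTTP/1.1 parsers read the same constructed byte stream and disagree about where the first request ends, so whatever sits "after" the request differs depending on which parser you asked. The strict check at the end is the defender's answer: refuse ambiguous framing before a second parser ever sees it. The request bytes and the host name `example.invalid` are constructed for this example.

```python
"""
Two lenient HTTP/1.1 request parsers that disagree on request boundaries,
plus a strict front-end check that rejects ambiguous framing outright.
All request bytes here are constructed sample input.
"""

# Constructed sample: a request carrying BOTH Content-Length and
# Transfer-Encoding. RFC 7230 says such a message ought to be treated as
# an error precisely because parsers can legitimately disagree on it.
AMBIGUOUS = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /next HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"\r\n"
)

# Constructed sample: unambiguous framing, one length rule only.
CLEAN = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def split_headers(raw):
    """Return (request_line, [(name, value), ...], bytes_after_headers)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, rest


def header(headers, name):
    """First value of a header, or None if absent."""
    for n, v in headers:
        if n == name:
            return v
    return None


def body_by_content_length(raw):
    """Parser A: trusts Content-Length and ignores Transfer-Encoding."""
    _, headers, rest = split_headers(raw)
    n = int((header(headers, b"content-length") or b"0").decode())
    return rest[:n], rest[n:]  # (body, bytes left over for the "next" request)


def body_by_chunked(raw):
    """Parser B: trusts Transfer-Encoding: chunked and ignores Content-Length."""
    _, headers, rest = split_headers(raw)
    te = header(headers, b"transfer-encoding")
    if te is None or te.lower() != b"chunked":
        return body_by_content_length(raw)
    body, pos = b"", 0
    while True:
        line_end = rest.index(b"\r\n", pos)
        size = int(rest[pos:line_end].split(b";")[0].decode(), 16)
        pos = line_end + 2
        if size == 0:
            # Last chunk: skip any trailer lines up to and including the
            # empty line that terminates the message.
            while True:
                nxt = rest.index(b"\r\n", pos)
                pos = nxt + 2
                if nxt == line_end + 2 or nxt == pos - 2 and rest[pos-2:pos] == b"\r\n" and nxt == line_end + 2:
                    break
                if rest[nxt - 2:nxt] == b"\r\n" or nxt == pos - 2:
                    break
            return body, rest[pos:]
        body += rest[pos:pos + size]
        pos += size + 2  # chunk data is followed by CRLF


def framing_is_ambiguous(raw):
    """Strict front-end check: True when two honest parsers could disagree."""
    _, headers, _ = split_headers(raw)
    cls = [v for n, v in headers if n == b"content-length"]
    te = header(headers, b"transfer-encoding")
    if cls and te is not None:
        return True                      # both length rules present
    if te is not None and te.lower() != b"chunked":
        return True                      # unknown or obfuscated coding
    if len(set(cls)) > 1 or any(not v.isdigit() for v in cls):
        return True                      # conflicting or non-numeric lengths
    return False


if __name__ == "__main__":
    print("A:", body_by_content_length(AMBIGUOUS))
    print("B:", body_by_chunked(AMBIGUOUS))
    print("ambiguous:", framing_is_ambiguous(AMBIGUOUS), framing_is_ambiguous(CLEAN))
```

Parser A believes the body is the six bytes `0\r\n\r\nG` and that a mangled `ET /next ...` follows; parser B believes the body is empty and that a complete `GET /next` request follows. A front end using A in front of a back end using B has not gained a second line of defense, it has gained a disagreement, which is why the check rejects the message instead of picking a winner.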