<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
So the AV community (<a
href="http://partners.immunityinc.com/movies/RSA2012.mov">in my
opinion</a>) often suffers from the hilarity of underestimating
their opponent. But occasionally events overtake them and they are
forced to readdress their thoughts - for example, in Mikko's paper <a
href="http://www.wired.com/threatlevel/2012/06/internet-security-fail/">here</a>
where he says "Flame was a failure for the antivirus industry. We really
should have been able to do better. But we didn't. We were out of our
league, in our own game."<br>
<br>
The <a
href="http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf">Verizon
DBIR</a> - as much as I think you can go back and forth
on the quality of the metrics here, (especially because everything
talks about "records" which are meaningless), it's still a data
point, and probably the best public one available - provides what
should have been an obvious statement to Mikko and other people
building defensive technology or methodologies: 92% of breaches were
discovered by a third party (and it's no coincidence that the one
company with a computer is the one doing the telling). 85% of
breaches (that were eventually discovered at all) took weeks or more
to even find out about. <a
href="http://www.youtube.com/watch?v=rDP6A5NMeA4&feature=player_detailpage#t=1654s">Mudge's
talk</a> is pretty funny in this regard too. . . and not that new.
People keep acting surprised that someone can test software against
AV and it's a bit weird. As Verizon says: "Perhaps we should create
new breach discovery classifications of “YouTube,” “Pastebin,” and
“Twitter” for the 2013 DBIR?"<br>
<br>
I'm pretty sure if you're reading this list you've heard many of the
people on it say that they believe it's not really a "Flame" problem
or even a "Nation-State" problem. (Probably if you are on this list
you are not thinking of it as a "problem" per se). But it is funny
that the offensive community, composed of the "script kiddies" that
get ridiculed on a regular basis in AV-people's blogs, occasionally
does things like <a
href="http://www.youtube.com/watch?v=GmCkewZHrSQ">this</a>. :><br>
<br>
-dave<br>
<br>
<pre class="moz-signature" cols="72">--
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
<a class="moz-txt-link-abbreviated" href="http://www.infiltratecon.com">www.infiltratecon.com</a>
</pre>
</body>
</html>