<p dir="ltr">Excellent points. Another great example is the DLL hijacking class of attacks that were "discovered" by HDM in 2010, but were clearly a part of the NSA offensive playbook even before 1998. The awesome ex-NSA guys at Synack presented at Cansecwest on dyld vulns and referenced an unclassified document below. If makes you really wonder how many vulns the NSA has in their classified tool belts that the public won't "discover" until decades later...</p>
<p dir="ltr"><a href="https://i.imgsafe.org/e987527.png">https://i.imgsafe.org/e987527.png</a></p>
<p dir="ltr"><a href="https://www.slideshare.net/mobile/Synack/can-secw">https://www.slideshare.net/mobile/Synack/can-secw</a></p>
<p dir="ltr">I still think it is crazy that everyone "trusts" HTTPS when the NSA surely has root CAs to intermediate any Internet traffic they like in transit -- except the handful of sites at Google that actually utilize HPKP ;)</p>
<div class="gmail_quote">On May 6, 2016 6:16 AM, "Dominique Brezinski" <<a href="mailto:dominique.brezinski@gmail.com">dominique.brezinski@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Actually, the core vulnerability was disclosed in 1996, and I spoke about it at Black Hat in 1997: <a href="http://www.blackhat.com/html/bh-usa-97/speakers.html" target="_blank">http://www.blackhat.com/html/bh-usa-97/speakers.html</a><div><br></div><div>There have been a bunch of derivations of it as Microsoft and Samba changed the protocols and implementations slightly. The core vulnerability has a bunch of variations including reflection, active MITM, credential relaying, etc. The variations have caused further confusion over the years, in some cases causing several people to think they discovered something new. See <a href="https://www.veracode.com/blog/2008/11/credit-for-researchers" target="_blank">https://www.veracode.com/blog/2008/11/credit-for-researchers</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 2, 2016 at 9:19 AM, Andre Gironda <span dir="ltr"><<a href="mailto:andreg@gmail.com" target="_blank">andreg@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On Mon, May 2, 2016 at 8:36 AM, dave aitel <<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>> wrote:<br>
> To sum up a few things: Those of you who engaged in laughing at how lame<br>
> Badlock was were all wrong<br>
<br>
</span>Andre Gironda, April 13 at 2:47pm ·<br>
<br>
This banter about BadLock is another great reason to hate the infosec community.<br>
<br>
The vulnerabilities around BadLock have been known since as early as<br>
2007. Dino Dai Zovi had a whole slide deck describing the attacks way<br>
back in the day. Microsoft and SMB environments are not protected<br>
because of the basics --<br>
<a href="https://digital-forensics.sans.org/blog/2012/09/18/protecting-privileged-domain-accounts-network-authentication-in-depth" rel="noreferrer" target="_blank">https://digital-forensics.sans.org/blog/2012/09/18/protecting-privileged-domain-accounts-network-authentication-in-depth</a><br>
<br>
The original partial fix is well-documented as MS08-068, which every<br>
security professional should already know because SMB Relay is the<br>
centerpoint of lateral movement. We have no idea why Microsoft lagged<br>
behind on making this a bigger deal since that time. It is a big deal.<br>
Nearly every position on nearly every Enterprise network provides this<br>
attack as a pivot.<br>
<br>
dre<br>
<div><div>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</div></div></blockquote></div><br></div>
<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div>