<div dir="ltr"><div><div>Ok.. Lets step back even further.<br><br></div>At the root of all of this is the issue that old software never goes away. Every year we add more software. Very rarely do we remove old software.<br><br></div><div>It is like a giant snowball of crap. Every year it only gets bigger.<br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 14, 2017 at 10:04 AM, Dave Aitel <span dir="ltr"><<a href="mailto:dave.aitel@gmail.com" target="_blank">dave.aitel@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>No matter how "strategic" everyone says they are in our community, or in the NatSec policy community adjacent to it, people have the localized perspectives of a gecko, endlessly chasing moth after useless moth attracted to the laundry-room-light of Fail that is the software development world.</div><div><br></div>If you're going to look even a tiny tiny bit into the future, you have to step back and say "This entire class of software is broken and we need another way." Put another way: If you have a small team of vulnerability researchers, what technology quadrants would you put them on, so in a couple years, you would be unstoppable.<div><br></div><div>INFILTRATE is one way to view this, if you have the right eyes.</div><div><br></div><div>People are well aware that every Java middleware is broken - Tomcat's latest Strut's issue is no surprise to people following along. But so are all the things similar to it: DCOM, for example. This is compounded by the <a href="https://github.com/BloodHoundAD/BloodHound" target="_blank">overall destruction of the entire Active Directory security model</a>. </div><div><br></div><div>Some other bug classes that are being actively exploited in modern and interesting ways:</div><div><ul><li>Timing attacks<br></li><li>MITM - especially non-traditional versions of this<br></li><li>State machine attacks (f.e. <a href="https://mitls.org/pages/attacks/SMACK" target="_blank">1</a>, <a href="http://2015.hackitoergosum.org/slides/HES2015-10-29%20Cracking%20Sendmail%20crackaddr.pdf" target="_blank">2</a>)<br></li><li>Hardware flaw excitement (RowHammer, cache timing attacks, etc.)<br></li><li>Cloud-computer attacks<br></li><li>Cryptographic-protocol attacks<br></li><li>Binary Remoting Protocols (DCOM, JavaRMI, etc.)<br></li><li>People forgetting we are in a 64 bit world now and can send large amounts of data<br></li><li>Hypervisor escapes because those things are just Kernels</li><li>Modern heap overflows</li><li>Attacking that fancy security infrastructure you just installed (SIEMs, Breach Detection, etc.)</li><li>DoS attacks</li></ul><div>"WTF are you talking about?" I hear people asking. What I'm saying is "Name a binary remoting protocol popular in 2007 that hasn't been analysed yet, and it's going to have massive security issues if you have a year of resources to pour into it.".</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>-dave</div><div><br></div><div><br></div></font></span></div><div><br></div></div>
<br>______________________________<wbr>_________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.<wbr>com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/<wbr>mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>