Thursday, May 22, 2008

[ Miscellaneous Security Musings ]

There's not going to be anything too technical or groundbreaking in this post. I'm waiting on a flaw to get fixed by Google right now so I figured I'd post this in the interim.

I've been in the security industry for all of 11 months now and I believe I have a fair amount of knowledge (at least in the web app security arena). As I learned more I began to realize that security is almost cyclical in nature. When defenders (i.e. software companies, network admins) concentrate on one area, attackers will move to another area. After several iterations of switching focus to a different area, the originally vulnerable area will lose focus entirely. Attackers will switch back after finding some new class of vulnerability and the cycle will go on.

This whole train of thought was brought about by a couple of things. I've been fortunate enough to be included in research that some really smart people are doing, and this theme has popped up recently. Unfortunately I really can't talk about this ongoing research (especially since none of it is mine anyway).

But also, something a colleague of mine said the other day reinforced this. After I discovered that you can put a UNC notation address into an iframe source, he had the idea of forcing the user's Windows computer to connect to a computer of the attacker's choice (think passing the hash). He then turned to me and said "what was old is new again".
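As an added, defender-side illustration (not code from the original post or from any of its commenters): a small scanner for HTML that flags automatically fetched resources (iframe, img, script and similar tags) whose source is a UNC path or a file: URL, which is the construct described above. The tag/attribute list, the hostname files.example.test and the sample markup are all constructed for this example; a real deployment would run the check over user-supplied markup before it is stored or rendered.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose listed attribute makes the browser fetch a resource automatically,
# without a click. Assumed list for this example; extend as needed.
FETCH_ATTRS = {
    "iframe": ("src",),
    "frame": ("src",),
    "img": ("src",),
    "script": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "link": ("href",),
}


def is_unc_or_file_ref(value):
    """True if an attribute value points at a UNC path or a file: URL.

    Protocol-relative HTTP references such as //cdn.example.test/app.js
    are legitimate and are deliberately not flagged.
    """
    v = value.strip()
    # Windows UNC form, e.g. \\host\share\x (also mixed-slash variants).
    if v.startswith("\\\\"):
        return True
    # file: URLs with a remote host, e.g. file://host/share/x; backslashes are
    # normalised first so file:\\host\share is recognised as well.
    scheme = urlsplit(v.replace("\\", "/")).scheme.lower()
    return scheme == "file"


class RemoteFetchScanner(HTMLParser):
    """Collects (tag, value) pairs for auto-fetched UNC/file references."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases tag and attribute names and decodes
        # character references in attribute values (so &#92;&#92;host is seen
        # as \\host), which defeats simple entity-encoding tricks.
        for name in FETCH_ATTRS.get(tag, ()):
            for attr, value in attrs:
                if attr == name and value and is_unc_or_file_ref(value):
                    self.findings.append((tag, value.strip()))


def scan_html(markup):
    """Return a list of (tag, value) findings for the given HTML string."""
    scanner = RemoteFetchScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


# Constructed sample markup; the hostname is a placeholder.
SAMPLE = """
<p>Constructed sample page for the scanner.</p>
<iframe src="\\\\files.example.test\\share\\index.html"></iframe>
<img src="file://files.example.test/share/pixel.png">
<script src="//cdn.example.test/app.js"></script>
<img src="&#92;&#92;files.example.test&#92;share&#92;pixel.png">
<a href="\\\\files.example.test\\share">plain link, not fetched automatically</a>
"""

if __name__ == "__main__":
    for tag, value in scan_html(SAMPLE):
        print(f"{tag}: {value}")
```

The sample yields three findings (the iframe, the file: image and the entity-encoded image); the protocol-relative script and the plain anchor are left alone. A content-level check like this is only one layer: the network-level counterpart is to block outbound SMB from workstations at the egress so a forced connection never reaches an external host.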

I'm not sure where I'm going with this, but it seems to me this is how it works. Some area of security loses focus, people get sloppy, and the next thing you know we're seeing vulnerabilities there again.

How do you combat this? It's human nature to get complacent. Maybe after a few more years of experience I'll have some creative suggestions for this problem. But for now, I'll just concentrate on the pwnage.



At 7:06 PM, Blogger Kurt Grutzmacher said...

You're totally correct. I've been in this business for nearly a decade and keep talking about the same sorts of things we were battling against when I started.

With updates to Metasploit's SMB code I did last year you can capture hashes in an enterprise via HTTP and use 'em to no end. HTTP to SMBRelay? No problem. Capture an administrator's browser and connect to the domain controller. Yeah!

This was first shown by Jesse Burns in 2004 but no code was ever released. What's old is what's new again.

Certain limitations apply. Exploit and details here

