On Wed, Jun 12, 2013 at 4:51 AM, Jimmy Hess <mysidia@gmail.com> wrote:
> On 6/12/13, shawn wilson <ag4ve.us@gmail.com> wrote:
>> The scope is constantly changing. Not really. The old tricks are the best tricks. And when a default install of Windows still allows you to request old NTLM authentication and most people don't think twice about this, there's a problem.

> By best, you must mean effective against the greatest number of targets.

By best, I mean effective - end of story.

> Backwards compatibility and protocol downgrade-ability is a PITA.

Yes, telling people that NT/2k can't be on your network might be a PITA, but not using software or hardware that has gone EOL is sometimes just a sensible business practice.

>> It seems you are referring to two things - exploit writing vs pen testing. While I hate saying this, there are automated tools that could clean up most networks for a few K (they can also take down things if you aren't careful so I'm not saying spend 2k and forget about it). Basically, not

> For the orgs that the 2K tool is likely to be most useful for, $2k is a lot of cash. The scan tools that are really worth the trouble start around 5K, and people don't like making much investment in security products, until they know they have a known breach on their hands. Many are likely to forego both, purchase the cheapest firewall appliance they can find, that claims to have antivirus functionality, maybe some stateful TCP filtering, and Web policy enforcement to restrict surfing activity; and feel safe, "the firewall protects us", no other security planning or products or services req'd.

I don't really care to price stuff so I might be a little off here (most of this stuff has free components). Nessus starts at around $1k, Armitage is about the same (but no auto-pwn, darn), Metasploit Pro is a few grand. My point being, you can have a decent scanner (Nessus) catching the really bad stuff for not much money (I dislike this line of thought, but if you aren't knowledgeable enough to use tools and just want a report for a grand, there you go).

>> As I indicated above, 0days are expensive and no one is going to waste one on you. Put another way, if someone does, go home proud - you're in with [snip]

> I would call this wishful thinking; 0days are expensive, so the people who want to use them, will want to get the most value they can get out of the 0day, before the bug gets fixed.

0days are expensive, so when you see them, someone (Google, Firefox, Adobe, etc) has generally paid for them. Once you see them, they are not 0days (despite what people like to call recently disclosed public vulns - it ain't an 0day).

> That means both small numbers of high value targets, and, then... large numbers of lesser value targets. If you have a computer connected to the internet, some bandwidth, and a web browser or e-mail address, you are a probable target.

No, this means Stuxnet, Duqu, Flame. This means, I spent a million on people pounding on stuff for a year, I'm going to take out a nuclear facility or go after Google or RSA. I want things more valuable than your students' social security numbers.

> If a 0day is used against you, it's most likely to be used against your web browser visiting a "trusted" site you normally visit.

I don't have anything to back this up off hand, but my gut tells me that most drive-by web site malware isn't that well thought out.

> The baddies can help protect their investment in 0day exploit code, by making sure that by the time you detect it, the exploit code is long gone, so the infection vector will be unknown.

If the US government can't prevent companies from analyzing their work, do you really think random "baddies" can? Seriously?... No really, seriously? Here's the point, once you use an 0day, it is not an 0day. It's burnt. It might still work on some people, but chances are all your high value targets know about it and it won't work on them.
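The NTLM downgrade point raised in the thread is something an admin can check on a host. The following PowerShell audit is an added example, not code from either poster: it reads the documented Lsa and MSV1_0 registry values that control whether LM/NTLMv1 is still sent or accepted; the "unset means 3" default and the warning thresholds are this script's own assumptions.

```powershell
# Added example: report whether this host can still negotiate down to LM/NTLMv1.
# Registry paths and value names are the documented Windows ones; the thresholds
# used for the warning are assumptions of this script, not a Microsoft baseline.
function Get-NtlmPosture {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = Join-Path $lsa 'MSV1_0'

    # LmCompatibilityLevel: 0-2 still send LM and/or NTLMv1 responses,
    # 3-5 send NTLMv2 only; on a DC, 4 refuses LM and 5 refuses LM+NTLMv1.
    $level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $level) { $level = 3 }   # assumption: an unset value behaves as the modern default of 3

    # NtlmMinClientSec / NtlmMinServerSec bit flags:
    #   0x00080000 = require NTLMv2 session security, 0x20000000 = require 128-bit encryption.
    $minClient = (Get-ItemProperty -Path $msv -Name NtlmMinClientSec -ErrorAction SilentlyContinue).NtlmMinClientSec
    $minServer = (Get-ItemProperty -Path $msv -Name NtlmMinServerSec -ErrorAction SilentlyContinue).NtlmMinServerSec
    if ($null -eq $minClient) { $minClient = 0 }
    if ($null -eq $minServer) { $minServer = 0 }

    # Audit/restrict switches for incoming NTLM (absent or 0 = allow everything).
    # Turning on auditing first shows which clients would break before restricting.
    $auditIn    = (Get-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic    -ErrorAction SilentlyContinue).AuditReceivingNTLMTraffic
    $restrictIn = (Get-ItemProperty -Path $msv -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic

    [pscustomobject]@{
        LmCompatibilityLevel     = $level
        SendsLmOrNtlmV1          = ($level -le 2)
        DcRefusesNtlmV1          = ($level -ge 5)   # only meaningful on a domain controller
        RequiresNtlmV2SessionSec = ((($minClient -band 0x80000) -ne 0) -and (($minServer -band 0x80000) -ne 0))
        Requires128BitEncryption = ((($minClient -band 0x20000000) -ne 0) -and (($minServer -band 0x20000000) -ne 0))
        AuditReceivingNTLM       = $auditIn
        RestrictReceivingNTLM    = $restrictIn
    }
}

$posture = Get-NtlmPosture
$posture | Format-List
if ($posture.SendsLmOrNtlmV1 -or -not $posture.RequiresNtlmV2SessionSec) {
    Write-Warning 'Host still sends LM/NTLMv1 or does not require NTLMv2 session security; review "Network security: LAN Manager authentication level" and the NTLM session security policies.'
}
```

Run it elevated on each Windows host; the same values can be set centrally through the Group Policy entries named in the warning.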