Thursday, April 19, 2012

From LOW to PWNED [0] Intro

Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here, no video for BSides ATL.

I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.

Post [0] Intro/The point of the talk (sorry no pics of msf or courier new font in this one):

I had several points (I think...maybe all the same point...whatever)

1.  We tend to have an over reliance on vulnerability scanners to tell us everything that is vulnerable.  To be honest I have been guilty of this myself.  Most of us probably have a for a variety of reasons, time, experience, level of effort required/paid for, etc.  This over reliance on scanners has lead to a "no highs" == "secure environment".  Most of us know this is not *always* the case and the point of the talk was to show some examples were medium and low vulnerabilities have led to a further exploitation or impact that I would consider "high" or above. Whether you call them chained exploits, magic, or the natural evolution of taking multiple smaller vulnerabilities and turning them into a significant exploit or opportunity its becoming more normal/common to have to go this route.

2. Given the "no highs" == "secure environment" mentality some clients have been conditioned that anything that is not a high is not exploitable and therefore not a priority for fixing (sometimes ever).  This of course is not the outcome most people would recommend. Nevertheless some people take that approach.

3. How many IDS/IPS signatures exist for low and medium vulns and how often do we ignore/disable those? Feedback welcome here.

4. Clients should pay attention to low/medium vulns as much as they do high+ vulns and in turn pentesters/VA people/security teams should also pay attention to low/medium vulns. Does that mean ever SSLv2 enabled should be full out emergency? Hell no, but *someone* needs to be able to vet that those low/medium findings cant be turned into something more.

5. Keep in a human in the mix.  Tools/scanner are great for automating tasks but I don't think we are there yet with the technology of taking multiple less severe vulnerabilities and turning them into something significant. Bottom line, the scanner wont find all your ownable stuff, you need a person(s) to do this.


Thoughts?

-CG





3 comments:

Daniel Miller said...

Totally agree. Example: I wrote NfSpy to combine a few "low" findings with NFS, and now I regularly grab SSH keys, plaintext passwords, and more from NFS servers.

Bill Sempf said...

On the Presentation Zen topic - instead of sullying your slides, write a short whitepaper. Provide that instead of the slides, and make printouts available at your talk. That's my take.

CG said...

yeah i've read that. that works fine if you are giving a preso at work and i know 10 people are coming i've never seen anyone do that as security conference though.

considering most of us work on slides up until the last minute i dont see that happening too often in the future.