Repeate After Me: I Am NOT Save!
Richard Bejtlich of Tao Security summarized this years black hat conference:
- Existing defenses are absolutely ineffective against current attacks.
- Detecting current attacks in „real time” is increasingly difficult, if not impossible.
Even if you assume attacks are not obscured by encryption, recognizing and understanding the variety of Web-based attacks shown at Black Hat is almost a lost cause. There is basically no way for defenders to address the expanse of the attack surface exposed by „rich Internet applications” and frameworks. I realized that the „rich” in „RIA” refers to the money intruders will make by exploiting Web clients.
- The average Web developer and security professional will never be able to counter these attacks.
Intruders are so far ahead of the defenders with respect to tools and techniques that it is simply not possible to prevent the attacks I saw at Black Hat. This statement will probably offend many people but it’s time to face the truth. There is no way to get „ahead of the threat” here.
Be afraid, be very afraid!