Richard Bejtlich of Tao Security summarized this years black hat conference:

• Existing defenses are absolutely ineffective against current attacks.
  I am struggling to describe the importance of this insight. It does not matter if you are fully patched, „properly configured,” not running Javascript, or adopting any number of other current defensive stratgies if you use a Web browser that renders modern rich content. Almost none of the techniques described in the Black Hat talks relies upon exploiting vulnerable software. Almost all of them abuse inherent functionality for malicious reasons.
• Detecting current attacks in „real time” is increasingly difficult, if not impossible.
  Even if you assume attacks are not obscured by encryption, recognizing and understanding the variety of Web-based attacks shown at Black Hat is almost a lost cause. There is basically no way for defenders to address the expanse of the attack surface exposed by „rich Internet applications” and frameworks. I realized that the „rich” in „RIA” refers to the money intruders will make by exploiting Web clients.
• The average Web developer and security professional will never be able to counter these attacks.
  Intruders are so far ahead of the defenders with respect to tools and techniques that it is simply not possible to prevent the attacks I saw at Black Hat. This statement will probably offend many people but it’s time to face the truth. There is no way to get „ahead of the threat” here.

Be afraid, be very afraid!

Tao Security via Jack Dausman.

Tagged as: blackhat, security | Author: Martin Leyrer
[Montag, 20070806, 23:17 | permanent link | 0 Kommentar(e)