Bugtraq mailing list archives

RE: [Full-Disclosure] Re: W2K source "leaked"?


From: "Drew Copley" <dcopley () eeye com>
Date: Fri, 13 Feb 2004 14:44:31 -0800


-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
Gadi Evron
Sent: Friday, February 13, 2004 9:51 AM
To: Drew Copley
Cc: bugtraq () securityfocus com; full-disclosure () lists netsys com
Subject: [Full-Disclosure] Re: W2K source "leaked"?

As for your comments on zero day, I have some strong opinions on that:

First, I recall two massive zero day exploits being used last year. One
in IE being used by spammers and one in IIS.

Two out of how many?

It is true that there are exploits which can go under the radar. 

I have a lot of fascination for these. 

Customers can't report to AV or security companies trojans they never
even knew they had.

The requirement level is high, however:

-> Finding a substantial Windows bug is difficult. Usually. It isn't
black magic, but it isn't well documented and requires a substantial
amount of effort.
-> There is a huge demand to just release the bug to the public through
Full Disclosure
-> traditional trojan models have the trojan listening on a port, always
active... This can mean it could crash or otherwise reveal itself to the
end user. Magnify the end user pool and you so magnify the chance for an
unknown error to reveal itself. Especially across different locale
systems.
-> One needs to take care of erasing the tracks back and forth to the
system. This would mean that one would have to communicate with the
trojan in a way that would be imperceptible to all of the 'radars'
people have out there (honeypots, sniffers, firewalls, IDSs)... The more
end users or "victims" or "targets" the larger the chance that this
communication would be seen
-> One would need to keep silent about all of this. This would rule out
most people. Except for professionals and true fanatics. Both the
fanatic and the professional would have to entirely resist the
temptation to brag about such an amazing feat. Human nature is strongly
propelled by the need for praise from men... Ego feeding. Forget food
and shelter. People want glory. So, you either have a loner or someone
really, really committed to their goal. 
-> One would need to understand the target's AV, IDS and whatever other
system of protection or evidence gathering they might have in place. 
-> If someone wants to just make a bunch of money by stealing online,
they don't have to have a new bug and they don't have to jump through
all of these hoops. So what if they are detected? By then they could
clean up shop already. It isn't like there is some kind of effective or
fast police force anywhere dealing with any of this. This is a huge
factor.

We should expect this trend to advance exponentially, I would think,
just considering the number of people coming online, the natural
progression of security, the infiltration time required for the market
to meet the demand and such other natural factors.

That's the future, not the present. :)

A lot of security companies already plan for this. It isn't anything
new, to note this. But, it is just something a lot of people don't seem
to really think much of. There tends to be this idea that bugs just
mysteriously happen and are documented. But, there is a huge process
there. And, that process is largely not easy to duplicate. It requires
unorthodox thinking, which is not well suited to the regimented idealism
of corporate or governmental environments.



Read: organized crime, corrupt governments and corporations and such...
have yet to really understand the unorthodox ways of bugfinding or the
power of the field. But that they will... That is simply a force of
nature. It is inevitable.


Why would organized crime (etc.) choose to make such exploits in their
arsenal public?

I think you misunderstood me.


We should prepare for this now.

But, like most events similar to this in history, we won't. Or, we won't
do a very good job of it. Maybe others are more optimistic.


Of course we will, after-the-fact. :)

Yep.

It is how law is enforced anywhere. Always has been. Reactive. Proactive
security is always a reaction. We are lazy. We require inertia. And, by
"history", I am - of course - speaking of information security history
and physical security history. 


      Gadi Evron.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html