World's worst exploit kit weaponises white hats' proof of concept code

The new wearer of the crown for World's Worst Exploit Kit is compromising users with exploit code for a dangerous new attack published by a white hat researcher. Neutrino is the new king of for-profit p0wnage packages, a market in which criminals create tools to compromise scores of users through the latest vulnerabilities. …

  1. Anonymous Coward
    WTF?

    White hats?

    Reverse engineering a patch then publishing it hardly fits the bill of a white hat.

    1. Anonymous Coward

      Re: White hats?

      "We have to embrace pain and use it as fuel for our journey"

      1. Anonymous Coward

        Re: White hats?

        The pain should be embraced by the accomplices of blackhat hackers.

  2. Anonymous Coward

    Security in both the material world and the world of complex code is a myth

    How self-serving for an industry that takes personal injury lawyers one better, and rather than just chasing ambulances throws people under buses.

    Specifically:

    "That publication is standard practice throughout significant sections of the information security community which operates on an open disclosure basis and the understanding that security through obscurity is largely a myth."

    Let us face it, MacOS has tons of holes in it, but the holes don't matter to ordinary (non-targeted users) because nobody is going to make the effort to disclose them -- in other words MacOS users live via security by obscurity. Same to a lesser extent with Linux, and an even lesser extent Windows.

    The more obscurity around your OS, the less likely you are to be targeted by mass-made malware.

    Your automobile works that way. The lock on your house works that way. The US, UK, Russian and Chinese military works that way.

    Yes, security by obscurity is a myth, because security is a myth.

    One can no more make a hack proof operating system than one can make a vandal proof main battle tank, bank vault, or missile silo.

    The obscurity makes break-ins too expensive to figure out or so time consuming that law enforcement can respond -- that combo is the only security, and it depends on a functioning law enforcement system, which we do not yet have on the internet.

    Our industry is the only private industry with ethical standards inferior to personal injury lawyers. Power, glory, money and kicks by doing the difficult research work and then making it freely and widely available to criminals and mid-sized intelligence agencies in order to create work for security companies.

    We suck.

  3. MatsSvensson

    Show sucks.

  4. Anonymous Coward
    WTF?

    Open source exploit affects IE

    "According to the researcher’s repository, the open source exploit affects IE on at least Windows 10." :)

    What Open Source license was this exploit code released under, I wonder, unless he means Public Domain software?

    1. Robert Carnegie Silver badge

      Re: Open source exploit affects IE

      "Open source" just means that the source code is included. It doesn't mean that it's free to use legally. Especially here.

      1. Sven Coenye

        Re: Open source exploit affects IE

        No, it comes with an MIT license.

  5. Aodhhan

    Security is not a myth.

    In the most general terms, security is: the act of protecting something valuable. You can add many different types of "security" to a door, room or a network; therefore it isn't a myth. It exists.

    Absolute security, however, cannot be accomplished. There will always be a weakness if you want access to the valuable. This doesn't make it a myth.

    Anyone in cybersecurity knows this and, before deciding on what security measures to employ, first completes a risk assessment. There is no need to spend $40,000 to protect $1,000 of valuables.

    To protect something, cybersecurity employs defense in depth, which are security measures placed to protect something and add protection on top of other protections. Again, security. Some protection methods are better than others, some are more expensive to employ than others.

    To make the point, security by obscurity is another security measure used. Therefore, it isn't a myth. Code is obscured all the time to make it more difficult to RE. This doesn't mean it will protect the code forever... it's just another measure employed to make it more difficult to bypass the security measure.

    What creates the illusion you speak of is the fact hackers only have to get it right once against millions of systems connected to the Internet. For the most part, hackers are a lot like water in that they follow the path of least resistance.

    I think you can figure the rest from here.

    1. Anonymous Coward

      Re: Security is not a myth.

      "There is no need to spend $40,000 to protect $1,000 of valuables." That is true in the physical world to an extent. If you only have $1000 in valuables and so only spend $200 on your lock, but share a common wall in a duplex with a person who has $1,000,000 in valuables but has spent $2,000 on his lock, you are now a target. The thief may not take your $1,000 in valuables (or he might just because), but he will use you as a stepping stone to gain access to the million dollars next door. The end result is the same -- your house has now been compromised, and if the compromise is not identified for a while, someone else will notice it first and take your $1,000 in valuables.

      This is where physical world analogies fall short -- essentially, those people who spent very little (or nothing) on security on their home / business workstations are now used as stepping stones to gain access to the crown jewels. This is essentially the same as lateral account movement within an organization - compromise enough systems in the lower ranks, and eventually you will be able to gain access to a local or domain admin account.

  6. Mark 85

    I still wonder if the "white hats" looking for problems and then publishing the exploit is still a good idea. Seems they give their companies (especially the AVs) some publicity and income since the "black hats" jump all over the published exploits.

    Why feed the bad guys info? It does seem to encourage them. You wouldn't publish security holes on bank vaults, would you? You'd just tell the bank or the vault maker "here's a problem". Maybe the model for the "white hats" needs to change?

    1. Neoc

      @Mark 85

      In a perfect world, this is how it would be done. And in fact it was tried:

      (1) White Hats (WHs) went to the Software Houses (SHs) and pointed out the flaw. And many, many SHs did nothing because there were no laws which forced them to fix the problem - their EULAs covered them on that.

      (2) WHs then tried a two-tiered approach - warn the SHs but give them a time-limit. After 'x' weeks, they would reveal the flaws. And, again, most of the SHs did nothing but instead pushed for the WHs who made such claims to be treated as 'hackers' and prosecuted - for it was still cheaper than fixing flaws they didn't legally have to fix.

      (3) WHs gave up on warning the SHs and now simply publish the flaws amidst lots of publicity, hopefully now getting the *clients* of the SHs to push for a fix.

      But again - until the SHs are forced to stop hiding behind their EULAs and *legally* forced to fix security flaws, you will still see much resistance to fixing them.
