Calm down - nowadays you just get a killbit, sweetie.
Exploitation is...
... a very fascinating and challenging topic in IT. Like programming or algorithm design it has no real limits if you explored the depths. People nowadays are easily impressed: exploits can harm their expectations. Nevertheless most often their expectations are created through advertisement, sales persons or clueless IT people who just repeat the prospects. Expect exploits.
Believe in it: awareness
It seems a minority of IT security professionals writes exploits. Obvious reasons are, that it requires some luck and instinct to get through the attack surface into the depth. And it's getting more complicated through operating system's innovations like ASLR, Library Randomization, DEP, NX bits, RBAC... a whole lot of things. However I truly miss innovations in security from Oracle. That is to be said.
In case of Oracle it would be innovative to make administrators know that they have to patch their systems immediately. Data breaches don't happen through magic - in case you don't like the approach to compare alchemy and hacking. - Data breaches happen through sloppiness, lack of knowledge and responsibility. "It's just data, no identities were stolen..." And data breaches happen because data-base servers get hacked - which don't get updates. Are Oracle admins aware of that? Obviously not. Will they gain awareness?
Responsible disclosure - understand fear
Responsible disclosure is a requirement in order to do something good - sometimes it's done by just making selected groups know the problem, sometimes it's done by making everybody aware of it. Metasploit - which makes everybody aware of it - nowadays includes Oracle exploits; and there're people who complain. Bad? Or good?
The people who are stupid enough to require someone else to write their exploits for them are not the people you need to worry about. If you can't defend against them, you deserve to fail.
- As long as you don't understand the "stupid"'s fear it's neither good or bad.
It's a requirement that we make more people understand exploitation and the danger of modern information systems. It's also very important to make security progress. Sometimes by force if necessary.
People fear that the subversive powers of suites like Metasploit to grow faster than defense: speaking of clean patches and not just killbits. If the game speeds up, and patches require time, the ones losing the game are security people.
The Metasploit ex-sploits are patched - worthless. But one can integrate own exploits into Metasploit and take advantage of the modules? Yes - sure. Everybody can do that. Now in no time.
In truth, the reaction to the release of the Oracle attack packages for Metasploit should have been a collective yawn.
if there wasn't an attack available before the patch, you probably have less than 72 hours before someone out there has one put together. If you're lucky, it will be Carnal0wnage, and it will be in Metasploit for all to see. But most likely, it will be in China, Poland or maybe inside your company. Fact is, you just don't know.
And speaking of the named "bad countries" (wtf)... bad people gain advantage in exploit development too, and that speeds up the game. Well... don't just necessarily listen to the cat. A minority of companies can afford consulting like that. However the side effects are that it's getting more intense.
Have fun - and fear killbits,
wishi
Post new comment