hacking/cracking
the other side of the story


jim geovedi

guide to ict megatrend
31 January 2008 — Hotel Shangri-La, Jak...
Hacking Cracking 2008

  1. hacking/cracking
     the other side of the story
     jim geovedi
     guide to ict megatrend
     31 January 2008 — Hotel Shangri-La, Jakarta
  2. ‣ information security
     ‣ 0-day vulnerabilities
  3. infosec ≠ security guard (satpam)
     ‣ current trends: identity thefts, botnets, mobile communication hacking, 0-day vulnerabilities, corporate espionage, wiretapping
  4. industry status
     ‣ big security companies acquire small start-up or spin-off companies to offer more solutions
     ‣ "palugada" ("whatever you want, we have it") propaganda
  5. software development
     ‣ cheap software development? outsource to india or china!
  6. security investment
     ‣ companies bought a lot of security devices or applications
       ‣ firewall, anti virus, spam and content filtering, ids, ips, patch management, etc.
  7. common issues
     ‣ companies do not have enough resources.
     ‣ vendors re-introducing:
       ‣ weak and easily guessed passwords
       ‣ clear-text protocols
       ‣ misconfigurations
  8. ‣ information security
     ‣ 0-day vulnerabilities
  9. ‣ 0-day, pronounced zero-day, sometimes oh day, means new.
     ‣ the term has its origin in the warez scene, but has become firmly entrenched in the exploit trading scene.
  10. ‣ 0-day is used to refer to exploits, software, media or vulnerability information released today and those that have not yet been released.
  11. [figure: life cycle of 0-day (quick response from vendor); axes: value against time; marked events: vendor noticed, patch released, intrusion]
  12. [figure: life cycle of 0-day (very late response from vendor); axes: value against time; marked events: vendor noticed, patch released, intrusion]
  13. ‣ 0-day users: intelligence agents, professional penetration testers, product vendors, random hackers/crackers
  14. obtaining 0-day
     ‣ conducting research (source code/binary audit)
     ‣ share/trade between friends
     ‣ install honeypot
     ‣ buy from 0-day brokers
  15. market
     ‣ current 0-day business model is considered weak
       ‣ the auction model
  16. the players
     ‣ corporate: ISS, eEye, iDEFENSE, TippingPoint (3Com/ZDI), Immunity, Gleg, Argeniss, wabisabilabi, etc.
     ‣ group or personal: cirt.dk, piotr bania, inge henriksen, mario ballano, neil kettle, etc.
  17. programs
     ‣ https://labs.idefense.com/vcp/
     ‣ http://www.wslabi.com/wabisabilabi/rrp.do?
     ‣ http://www.zerodayinitiative.com/details.html
  18. prizes
     ‣ remote arbitrary code execution vulnerabilities in specified e-mail clients and servers (outlook, outlook express, thunderbird, sendmail, exchange): $8,000 - $12,000
     ‣ remote arbitrary code execution vulnerabilities in specified critical internet infrastructure applications (apache httpd, bind, sendmail, openssh, iis, exchange): $16.00 - $24.000
  19. how many?
     ‣ every complex piece of software has bugs
       ‣ we should assume every popular application that exists has at least one 0-day exploit in the wild
     ‣ professionals keep their own 0-day!
  20. fin.
     jim@geovedi.com
