Learning bugs is beautiful 💫
My methodology:
1. I try to explain bug first
2. Re-write it, to fully grasp the idea
3. Summarise and answer, "How to find it next time"
I believe that this repo will be useful during the learning path! (checklist 👇)
https://t.co/xkmCVCq1J8
"Diverting people away from evidence-based cybersecurity practices deprives them of the opportunity to improve their security posture. [...] You wouldn’t advise people to avoid trees on a sunny day just because, in rare cases, lightning could strike."
-- @boblord
https://t.co/sQAkJYkCYE
Running as much of your production code in ultra-minimal containers that don't include anything that the service isn't expected to need at runtime (even including /bin/sh) is a good safety net against attacks like this. Actual sandboxing is better, of course.
Bugtraq defined much of the current industry, for better or worse.
It was largely in response to the Morris Worm, CERT, and the continued ignoring of bugs by vendors. Hackers would find a vulnerability in a product exposed to the public Internet and notify the vendor. The vendor would then ignore the bug report, usually because the hacker who found the bug wasn't a customer, and they don't respond to support requests from non-customers.
So hackers would then widely exploit the bug. Back then, there were no firewalls, and hackers had free play over the Internet.
The important piece of knowledge is that trying to cover up bugs doesn't work. For one thing, they usually leak, as hackers tell their friends. For another thing, independent researchers frequently find the same bug at roughly the same time.
Transparency is better, making such bugs public. If you attempt to cover them up, they'll get passed around in the hacker underground, with widespread exploitation without people realizing they are getting exploited, so customers don't complain to the vendor. If you make them public, so that any hacker can exploit the vulns, you create a situation so intolerable to customers that they will force the vendor to fix the bugs.
The philosophical basis for this is known as Kerckhoff's Principle that goes all the way back to 1880s with cryptography. Your adversary will discover your secrets, keeping them secret only hurts the defenders.
Therefore, we've come to believe in "full disclosure", that for all bugs, the full details are eventually published. We call it "responsible disclosure" when hackers wait until after the vendor fixes the problem, but not waiting is also responsible. Some vendors (like Microsoft) will take as long as you allow, so after a year, the responsible thing is to "drop 0day" and disclose to the world without a fix available. Google takes a different approach, saying "disclose regardless in 90 days", which is probably the best compromise between cover-ups and transparency.
Today, the #1 way you can judge the security of a product/company is whether they have a "disclosure policy". In other words, when hackers discover a bad vulnerability, is there somebody at the company they can contact (like [email protected])? does the company know how to respond, to fix the bug, release a patch, and disclosure within 90 days?
In the past, when companies were ignorant of this, there was nobody you could contact, not the CEO, not marketing, not PR, not customer support. None of them understood how to deal with this, so vuln reports went nowhere, and hackers ended up disclosing to public mailing lists like Bugtraq.
When they have a vulnerability disclosure handling policy, then they've taken their first steps. Over time, the vulnerability reports force the company to change its processes to be more security minded.
It's the first thing you should demand from any vendor, and government departments (like the military) are already demanding this of suppliers.
That's all the good. There's also some bad.
For one thing, people obsessed about "0days", vulns hackers are using before they've been disclosed and fixed. They are scary, because it means that people can invisibly hack into computers. The NSA always has 0days for Android and iPhone available that they can use against high value targets. Knowing that the NSA can hack your phone any time they want, find your location, then dronestrike you with a hellfire missile is scary as f*** and the demise of many an ISIS/AlQaeda terrorist.
But on the other hand, only big government orgs like the NSA can afford the millions of dollars it takes to acquire the 0days, and frankly, you aren't worth "burning" 0days over. The more an 0day is used, the more likely it is to be discovered and fixed by the vendor, thus "burning" it, requiring the NSA to buy another.
This is certainly a concern for political activists, but it's not a general 'cybersecurity' concern. Defenders of the average network don't need to care about 0days. But they do, and spend entirely too much on worrying about them.
The other side of the coin is worrying about patching. It's the #1 thing that people tell you to do in order to improve security. It's not. You need to patch things exposed to hackers, like Windows, the iPhone, or Chrome, and Microsoft Office, but for the most part everybody else can ignore them. The lack of IoT patching is not a big problem, for example.
But cybersecurity special interests are stupid and have been lobbying government to force patching on consumers whether they want it or not. This will make life harder for everyone, as the primary threat now becomes government regulators and broken patches. Worse, IoT vendors will simply automate patches -- opening the door to a supply-chain threat. Giving the vendor control over your IoT device now means when a hacker breaks into such a vendor, they can grab control over all the IoT devices. A good example is at the start of the Russia-Ukraine war, Russian hackers broke into the satellite provider and bricked all the ground terminals/routers.
Anyway, today's cybersecurity deals a lot with discovering vulns, fixing them, releasing patches, disclosing them, and (among hackers) exploiting them. It's process that begun back in 1993 with Bugtraq.
Possibly the best line in any vuln research article ever from @praetorianlabs.
Oh, BTW, if you use F5, you probably have an issue...
https://t.co/0KZ2vVqLNV
"You are not allowed to convince others not to like someone. That is being a bully" --Miss R - Middle School Science class. That's so profoundly simple and extends way past the surface level of the statement. #SelfIntrospection By this definition have you been a bully recently?
I have So. Many. Thoughts. 🧵
Please my newer friends in infosec, do NOT get infosec Twitter and infosec confused. They are NOT the same, and the people who are grinding away working because they can’t get the time to go to cons, don’t care about keeping a Twitter page bcause 1/
Here's my experience from running a popular identity:
Being wrong is a moment of elevation, not shame. Owning error is only possible by those who have a strong connection to audience and trust.
Your doubting whether to admit fault is a weakness valuable audiences will suss out.
I want to thank @defcon for creating an event that reminds me how much I truly love the hacker community. By hacker I mean makers, tinkerers, defenders, the curious, the mischievous & more. I felt safe & welcome the whole time. I once again felt like I was with “my people”. ❤️
So much of the advice in the security industry today is essentially how to be a better firefighter.
I want the majority of it to be essentially how to build structures that are more resilient to fires.
Everyone gets compromised eventually - Dragos will be eventually I’m sure - removing the stigma and focusing on the actions/response is key. Kudos to the Cisco and Cisco Talos team for the compromise disclosure and detailed analysis https://t.co/KdgUbGyJ0j