[Noisebridge-discuss] Fw: continuing adventures in the brave new world.

Zephyr Pellerin zephyr.pellerin at gmail.com
Thu Apr 5 00:54:58 PDT 2012


> Does anyone know the author of that site?  I'm simultaneously impressed
> and a bit concerned because I'm not very confident about their threat model.
> It seems like the threat model includes offline attacks but it has -- in
> the scheme of things -- very little test for structure so it doesn't really
> know the difference between passwords built Diceware-style out of words and
> completely random strings.

Come come, any hacker worth their salt hasn't kept D8.dic on their box
since the turn of the century. It's prohibitively expensive and today
developers basically manufacture exploitable software as a release
requirement. sudo, the privilege escalation binary we all know and
left, just had an exploitable FORMAT STRING bug in it (Didn't we get
rid of all of those in like, 1999?).

Backdoored login scripts or LDAP forest managers are considerably more
likely than someone cracking a dump, especially considering
xp_cmdshell is default in SQL08, file reading queries in pgsql are as
well ( COPY X from Y where Y is a filepath is a real thing), and ways
to turn sqli into shells on mysql are too numerous to list.

Still, the real weakest chain in your security is your web browser and
what plugins your web browser loads - flat out. This has been the
preferred method to pop people-you-don't-know's box for at least 3
years (Or at least since that pesky /GS switch & --stack-protection
happened :)  Thats doubly true of breaking server side daemons - Any
application developer worth his salt (or using these newfangled ORMs)
will use prepared queries or a DB firewall, will be installed on a box
with address randomization, safe exception handlers, W^X etc, but will
probably not check his box for kernel mode rootkits that are hooking
his tty every day.

The fact that people care about passwords reflects a little (a lot?)
out of date perception of how it's actually done. Virtually all
computers compromised today are done with either a clever web bug or
some memory corruption bug (perhaps not accounts, but certainly
computers).  Just because the deep well of stack based buffer
overflows has (mostly) dried up doesn't mean use after frees and
friends don't happen all the time, and no matter what your platform
is, if you *really* think your patch cycle is 0 day turnaround.. well,
I'd take a hard look at your sanity (laff).

As far as how hotmail is being compromised, theres been quite a few
bugs in password recovery in both hotmail & yahoo's systems. Don't
rely on them for  security, Even our venerable lord Gmail has had it's
fair share of remote mail reading bugs -
https://damagelab.org/index.php?showtopic=9026


More information about the Noisebridge-discuss mailing list