[Dailydave] Sniffing is not the easy answer, Kate.

From: Dave Aitel (daveimmunitysec.com)
Date: Tue Oct 11 2005 - 07:04:55 CDT


I know I sound like Kate Moss here, but: Sniffing is not the easy
answer. Making sniffing solutions is like betting that over the next
decade or so, cpu*memory > bandwidth*protocol complexity. I just can't
see that happening. It used to be plausible because there were a lot of
shortcuts you could take - signatures, for example - that would help
out. These days, everyone knows signatures are broken and you have to
parse every protocol to do whatever it is you are trying to do. Of
course it's possible you don't have all the information you need to do
whatever it is you want to do: deep down, sniffing solutions are
essentially a tax on network segmentation.

One of the things I think that is going to change the balance of the
equation is a forced honesty among sniffing solutions vendors. For
example, CANVAS 7 is a Service Oriented Architecture. What this means to
sniffing companies is that they never get to see the algorithm that
generates our nops. Our shellcode polymorphism routines can remain
hidden, and evolve over short periods of time, and still be used by a
wide number of people.
The internal algorithm that powers an exploit can remain unspoken - you
send us the binary for su, we return you a root shell. It allows for
coordination on a mass scale - if I've hacked 2^16 machines (or some
smaller number of networks + spoofing), I can scan you on each port from
a separate IP address.

That's my thought for the day. Now I'm going to go teach class - I'm
missing fabulous 8-bug Microsoft Christmas! This is the first Microsoft
Christmas with a public BinNavi to help you produce quick repros
(http://www.immunitysec.com/products-binnavi.shtml). :>

-dave