Daily Dave

This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

"For the Glory of the State Machine"

25 September, 2019 - 08:43

Posted by Dave Aitel on Sep 25

So for the past while I've been obsessed with HTTP Desync Attacks
<https://www.youtube.com/watch?v=-y82LadA7N4>. A lot of people call this
"http request smuggling" which is a dumb name in a few ways, most
specifically because it restricts the bug class (and hence your mindset)
down to the smallest possible point. To be fair, in my head I call them
Parser State Mismatch bugs.

The way I look at this bug class is that no two...

Re: CVSS is the worst compression algorithm ever

24 September, 2019 - 10:30

Posted by Christian Heinrich on Sep 24

Konrad,

Sasha Romanosky and CMU are also listed within the latest minor
release (CVSS v3.1) at
https://www.first.org/cvss/v3.1/specification-document#Appendix-B---Acknowledgments
dated 11 July 2019 as announced at
https://twitter.com/FIRSTdotOrg/status/1149501455553851393 too.

Re: Longer form questions

17 September, 2019 - 16:03

Posted by Andre Gironda on Sep 17

Daemonlogger + Zeek Intelligence Framework for sightings. Doesn't need TLS
secrets. Doesn't need high availability or to run inline. The sensors tell
you what they see and where and when they saw it. No need to block. No need
to "detect". No signatures at all (just a living watchlist). No AI/ML. No
modification of traffic. No huge concern if an APT, skiddie, or admin
crashes it (it's receive-only on the Daemonlogger...

Re: Longer form questions

6 September, 2019 - 14:13

Posted by John Lampe on Sep 06

I think Dave nailed it when he said "anomaly detection algorithm". There is
still value in being able to take netflow data, ip intel, protocol hashing
and enumeration (even encrypted ones), client fingerprinting, and a lot of
other things and bringing that all together. Call it a NIDS, passive
scanner, whatever... it's still an integral part of security. Oh, and the
places where those tools live is prime real estate. If you're...

Re: Longer form questions

6 September, 2019 - 12:30

Posted by Allen DeRyke on Sep 06

Network security monitoring is alive and well; netflow, bro, zeek, and
packet capture are incredibly valuable data sources for DFIR and "threat
hunting" purposes; however signature-based IDS as a primary detection
mechanism has always been a bit of a story that vendors sell blue teams to
sleep better at night. The metadata tools do raise the bar for your
adversaries' opsec, and the ugly reality is that these tools help us "get...

Re: Longer form questions

6 September, 2019 - 12:28

Posted by Konrads Smelkovs on Sep 06

1) no egress monitoring at network level means very limited clue on first
signs of trouble and timeline
2) network traffic monitoring can point out anomalies very early on.
3) the idea that because a vendor has painted a solution architecture where
everything logs centrally or EDR works all the time is imaginary.
Netflows/Tiered network meta-data provides a solid fallback.

The biggest problem with network monitoring is “cloud”. There is less...

Re: Longer form questions

6 September, 2019 - 12:24

Posted by Nick Selby on Sep 06

I agree with Chris, and I like Anton's question: usually the people who say
NIDS is dead are those who are complaining that NIDS doesn't do some thing
that they think NIDS should and does not do - case in point, detecting all
evil. NIDS is not the answer to securing a network but then, nothing is
*the* answer. As a veteran of a lot of incident responses, I can state that
most of the time, the network is not owned by super ninjas - or if...

Re: Longer form questions

6 September, 2019 - 06:18

Posted by Chris Rohlf on Sep 06

I think netflows have a lot of value in production and corp environments.
But if the question is ‘can NIDS, now or in the future, detect client side
remotes against scriptable targets’ then the answer is a resounding no.
NIDS in server environments simply can’t scale up enough or model the
complex tech stacks they sit in front of.

Sure you can write a signature to match a single exploit instance but it's
easily bypassed, and requires...

Re: Longer form questions

6 September, 2019 - 06:14

Posted by Anton Chuvakin on Sep 06

Wow, indeed, so 2007, this brings back memories ....

But on a more serious note: do you guys truly think that network security
monitoring (whether NIDS, network forensics / capture, "NTA / NDR", Bro /
Zeek and such) is "dead dead"? And there's no hope for any
zombie-apocalypse-style revival? :-)

Re: Longer form questions

5 September, 2019 - 16:41

Posted by Chris Rohlf on Sep 05

I’ve been happily ignoring Twitter the last few weeks so when I saw a DD
post come in I got excited and felt nostalgic for 2007, which
coincidentally this thread reminds me of. Not just because Dave is trolling
Rob but also because I thought the idea of network based protocol and file
parsers died around that time. How many HTTP implementation quirks does the
Snort engine implement these days? Back then it was almost none. But what
about now?...

Re: Longer form questions

5 September, 2019 - 10:02

Posted by Dave Aitel on Sep 05

https://blog.talosintelligence.com/2019/09/the-latest-on-bluekeep-and-dejablue.html

Ok, so as someone pointed out in private email, they have a blog that goes
through a 20 step process to exporting your private key from your RDP
server to the MITM box that is parsing the protocol. I think this is an
unlikely configuration, but in theory it IS possible. An anomaly detection
algorithm might be a better option for real world detection, even though...

Longer form questions

4 September, 2019 - 11:59

Posted by Dave Aitel on Sep 04

So I like the BLUEKEEP marketing train because it's a very hard bug to
detect authoritatively for either endpoint protection or for network-based
defenses. So when companies make claims about it, it's worth asking how
they did that. Twitter is a terrible place for that, but since I know
everyone in the industry who does this kind of thing is on this list I
figured I'd ask here...

-dave...