Daily Dave

This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

"Severely lacking".

20 January, 2021 - 11:15

Posted by Dave Aitel via Dailydave on Jan 20

Recently I read this post from Maddie Stone of Google's Project Zero:
https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html
. In particular, it has a bolded line of "*As a community, our ability to
detect 0-days being used in the wild is severely lacking to the point that
we can’t draw significant conclusions due to the lack of (and biases in)
the data we have collected.*" which is the most...

[mm4.emwd.com] Please Confirm Your E-mail Address

7 January, 2021 - 15:09

Posted by noreply on Jan 07

Hello from mm4.emwd.com!

You're receiving this e-mail because user SeclistsDD has given yours as an e-mail address to connect their account.

To confirm this is correct, go to
https://lists.aitelfoundation.org/accounts/confirm-email/MzAw:1kxbbR:J_gxtLGlz_7WONRMX9blDLA1rXc/

Thank you from mm4.emwd.com!
mm4.emwd.com

Re: The Lost Decade of Security Metrics

5 January, 2021 - 16:23

Posted by Andre Gironda via Dailydave on Jan 05

MITRE ATK > CVE/CVSS
Enterprise v8 is more granular than ever before for vuln purposes, but
always has been extensive for threat purposes

If you want to express CVEs in maldocs or malware (including webshells) may
I suggest Yara and/or Suricata (maybe shortcuts such as JA3 or JARM if TLS
applies)?
If you want to express CVEs in runtime app infra may I suggest
caldera_pathfinder? e.g., this is heartbleed --...

Re: The Lost Decade of Security Metrics

5 January, 2021 - 16:12

Posted by toby via Dailydave on Jan 05

I don't think you are wrong but your comparison of CVSS and the multiple
(also separately bad) metrics for a WAF isn't effective or accurate.

The values going into CVSS have something in common; they are attempts to
characterize the importance of the vulnerability in question. You are
making (have made before) the claim that the importance of a vulnerability
is too variable and specific to an environment or an attack scenario to be...

Re: The Lost Decade of Security Metrics

5 January, 2021 - 12:00

Posted by Chuck McAuley via Dailydave on Jan 05

Throughput* is perhaps the wrong unit of measure. Most of the time you would be interested in measuring
“requests/second” or “transactions/second”. Aside from say a content ingesting site/repeater
(facebook/twitter/instagram), almost all content for a WAF to handle is inbound, using low amounts of available
bandwidth. The outbound content is rarely inspected by such a device, with the exception of 5xx error or similar
(headers).

A...

The Lost Decade of Security Metrics

5 January, 2021 - 09:52

Posted by Dave Aitel via Dailydave on Jan 05

A thousand years ago I subscribed to the Security Metrics mailing list.
Metrics are important - or rather, I think good decision making is
important, and without metrics your decision making is essentially luck.
But we haven't seen any progress on this in a decade, and I wanted to talk
about the meta-reason why: Oversimplification in the hopes of scaling.

There's a theme in security metrics, a deep Wrong, that the community
cannot...

"Is it done yet? Boom! Typey Typey!"

31 December, 2020 - 16:31

Posted by Dave Aitel via Dailydave on Dec 31

Today is my last day at Immunity. I don't know what to say about it that
everyone on this list doesn't already know or that isn't weighed down with
embarrassing secrets. At its best Immunity was a family, but also a machine
for producing absolute monsters, and not just in the technical arenas. Even
when it came to project management, we dropped people in the deep waters of
the Marianas Trench and expected them to build...

Kiroshi Optics

11 December, 2020 - 18:32

Posted by Dave Aitel via Dailydave on Dec 11

https://twitter.com/JesseHeinig/status/1336913378564919297
https://twitter.com/ClipperChip/status/1337289319988473856

People seem to think you can use etymology as some clue to deciphering the
cyberpunk and cyber philosophy in general. You can read a whole Thomas Rid
book
<https://www.amazon.com/Rise-Machines-Cybernetic-Thomas-Rid/dp/0393286002>
on it, and it's weird when people stress "Cybernetics" as if they've found...

Worth a listen on your morning drive

10 December, 2020 - 22:05

Posted by Dave Aitel via Dailydave on Dec 10

https://www.youtube.com/watch?v=pyE29pX9HBE&feature=emb_logo&ab_channel=TheHagueProgramforCyberNorms

(text:
https://www.internetgovernance.org/2020/11/13/hague-keynote-sovereignty-in-cyberspace/
)

Keynote by Milton Mueller, Professor at the Georgia Institute of Technology
(Atlanta, USA) in the School of Public Policy.

I lolled at this section which is so true it hurts:

Since publishing that book I explored the concepts of sovereignty...

How many treadmills can you run on at once?

8 December, 2020 - 14:03

Posted by Dave Aitel via Dailydave on Dec 08

I wanted everyone to browse here and enjoy this Microsoft Teams
vulnerability: https://github.com/oskarsve/ms-teams-rce/blob/main/README.md

I also enjoy the discussion
<https://twitter.com/taviso/status/1336365194071535617?s=20> it has
engendered when it comes to how to measure vulnerabilities that are "in the
cloud" or via "Auto-update". It would be good to get clarity on these
things.

Measurement...