Thursday, April 03, 2008

The Real "Security 2.0"?

Yes! YES! Y-E-S! You guessed right - a blogging frenzy; I am baaack from my vacation/speaking in first cold then warm places and I have a "backblog" of fun items.

First is "Why Hacking Changed" from The Hacker Webzine. Please read it; and see thru all the drama.

Some quotes:

"Old school hacking is dead, network hacking is dead, firewalls are useless and AV software is a mere redundant software package that underlines your frustration and ignorance about contemporary hacking."

"If you can define hacking today, it no longer means telnetting into servers or blowing whistles, but exploiting the application layer. With the application layer, I also mean the scripting language beneath it, since it interacts with the applications that it's running and share memory, and thereby the hardware it's running on."


"We can even prove that we can own your network with only seven characters typed into your query string: 1' OR 1=1 is far more dangerous than any shellcode I've ever seen in my life."

"What works today works also tomorrow. And what will work in two or 5 years from now is software and application hacking."


Anonymous said...

I know the post is a bit old, but better late than never, as they say :-)

Yes, there's a new world of exploitation opportunities out there thanks to the new applications (especially all this web stuff); however, I would refer you to HD Moore's BlackHat presentation on Tactical Exploitation. I think it presents a more balanced view of the process even in today's world. To quote his slides, "Hacking is not about exploits". Application vulnerabilities will come and go, but the network infrastructure, bad session management, weak passwords, trust relationships, and people weaknesses will always be there :-) That said, the new exploitation opportunities of the new technologies make it much more interesting :-)

Anton Chuvakin said...

Thanks for the comment.

Security never goes out of style indeed :-) - 'cause people are people, not 'cause TCP/IP is "bad" or Windows is vulnerable...

Dr Anton Chuvakin