Tomorrow you can patch that 0day – but your users will still get you p0wn3d

Presented at DerbyCon 1.0 (2011), Oct. 1, 2011, 5 p.m. (50 minutes)

In large corporate networks, the existence of a 0day exploit can wreak havoc. But a few weeks later, once patch management has done its job and the risk is gone, what was the point? What has management learned from the ordeal? What could be improved to prevent the incident from occurring again? Nothing! Is the network now ‘safe’ from attack? Not even close! In this talk, Rick will show examples of complete penetrations of large corporate networks that were accomplished using no 0day, in fact no “exploits” in the classic sense at all. Instead, the only things exploited are the mistakes of users and administrators, to elevate privileges all the way to root/Domain Administrator on almost all machines on the network. But why do a penetration test in this manner? Because it reveals actionable items that can be fixed or mitigated immediately. These fixes will protect the network just as much as patching an 0day. Only, these types of attacks are:

  • More likely to occur
  • More widespread
  • More common
  • Not audited by auditing groups
  • Easier to perform
  • Require less “l33t access” to uber 0day ‘sploits
  • Less likely to be reported on by the security community

If you get nothing out of this talk, you can at least laugh at how easy some complete compromises of Fortune 500 networks can be. I would like for this talk to be a conversation starter about the importance of security research into 0day vulns. This type of research is very important to our industry, but it is not helping to secure corporate environments. Is it worth it? Is the fame and fortune misplaced? Does the security community REALLY care if corporate networks are secure or not?


Presenters:

  • Rick Redman (Minga) - CrackMeIfYouCan
    Rick Redman has been testing web application security and working as a penetration tester since 1999. He founded and runs the DEFCON password cracking contest “Crack Me If You Can”. He started out by running a BBS in early 1993 and selling UUCP-based Internet access from a 486dx33. After graduating from Purdue’s COAST/CERIAS program in the 90s under ‘spaf’, he hit the ground running as a penetration tester, working on projects such as Sandia National Lab’s “Tiger Team”. Rick made the rounds in 2010 giving talks about advanced password cracking, including being on the closing panel at ShmooCON.