Showing posts with label virus. Show all posts

Monday, December 15, 2014

All malware defeats 90% of defenses

When the FBI speaks, you can tell they don't know anything about hacking. An example is this quote by Joseph Demarest, the assistant director of the FBI's cyberdivision:

"The malware that was used would have slipped, probably would have gotten past 90% of the net defenses that are out there today in private industry, and I would challenge to even say government”

He's trying to show how sophisticated, organized, and unprecedented the hackers were.

This is nonsense. All malware defeats 90% of defenses. Hackers need do nothing terribly sophisticated in order to do what they did to Sony.

Take, for example, a pentest we did of a Fortune 500 financial firm. We had some USB drives made with the logo of the corporation we were pen-testing. We grabbed a flash game off the Internet, changed the graphics so that they were punching the logo of their main competitor, and put text in the Final Score screen suggesting "email this to your friends and see what they get". We then added some malware components to it. We then dropped the USB drives in the parking lot.

This gave us everything in the company as people passed the game around. The CEO and many high-level executives ran it on their machines. Sysadmins ran it. Once we got control of the central domain controller, we got access to everything: all files, all emails, ... everything.

The point I'm trying to make here is that we used relatively unsophisticated means to hack an extremely secure company. Crafting malware to get past their anti-virus defenses is trivially easy. Everything we did was easy.

The problem isn't that hackers are sophisticated but that companies are insecure. Companies believe that anti-virus stops viruses when it doesn't, for example. The FBI perpetuates this myth, claiming Sony's hackers were sophisticated, able to get around anti-virus, when the truth is that Sony relied too much on anti-virus, so even teenagers could get around it.
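To make the "anti-virus doesn't stop viruses" point concrete, here is a small added example (not code from the original post, and not how any real engine or the pentest above worked). It uses the EICAR test string, the harmless industry-standard file that real scanners flag on purpose, as the "malware", and a hypothetical byte-signature scanner as the "anti-virus". A one-byte XOR "packer" is enough to make the plaintext signature disappear; only a scanner that unpacks or emulates first (or inspects memory after the stub runs) sees the original bytes again. The signature database, `scan`, `xor_pack` and `unpack_and_scan` are all constructed for this illustration.

```python
"""Why byte-signature scanning is trivially evaded (constructed demo).

Added example, not from the original post. The EICAR string is the
standard harmless anti-malware test file; everything else here
(signature table, scanner, packer) is hypothetical toy code.
"""
from __future__ import annotations

# Standard EICAR test string. The backslash is escaped for the bytes literal.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database: name -> byte pattern that must appear
# in the file. Real engines are far richer, but the weakness is the same.
SIGNATURES: dict[str, bytes] = {
    "EICAR-Test-File": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
}


def scan(data: bytes) -> list[str]:
    """Naive signature scanner: report every pattern found verbatim in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def xor_pack(payload: bytes, key: int) -> bytes:
    """Single-byte XOR 'packer'. XOR is its own inverse, so the same call
    with the same key also unpacks. A stub in a real dropper would do this
    at run time; the on-disk bytes no longer contain any plaintext pattern."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in payload)


def unpack_and_scan(packed: bytes, key: int) -> list[str]:
    """What a scanner that unpacks/emulates first (or scans process memory
    after the stub has run) would see: the original bytes, and the signature."""
    return scan(xor_pack(packed, key))


if __name__ == "__main__":
    key = 0x5A
    packed = xor_pack(EICAR, key)
    print("on-disk scan, plaintext sample :", scan(EICAR))          # flagged
    print("on-disk scan, XOR-packed sample:", scan(packed))         # missed
    print("scan after unpacking           :", unpack_and_scan(packed, key))
```

The lesson is not that XOR defeats modern engines (it does not; they unpack and emulate), but that a scanner which only matches what is on disk is beaten by the cheapest possible transformation, so anything that relies on anti-virus as its last line of defence has effectively no last line of defence.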

The FBI perpetuates these myths because they want power. If the problem is sophisticated hackers, then there is nothing you can do to stop them. You are then helpless to defend yourself, so you need the FBI to defend you. Conversely, if the problem is crappy defense, then you can defend yourself by fixing your defenses.



Update: Here is a previous post where I add a Metasploit exploit to a PDF containing a legal brief that gets past anti-virus.



Saturday, October 26, 2013

Third Circuit Court giggle

Yet again we have an example of how the judicial system treats hacking like witchcraft. Lawyers submitting briefs to the court are required to have (the hacking equivalent of) a Catholic priest sprinkle Holy Water on the document to exorcise any demons or curses.

Thursday, June 26, 2008

Worm source code...

http://www.offensivecomputing.net/?q=node/773

Ever wanted to see what a mobile virus looks like? Here is the source code to the infamous Caribe worm which infects Symbian phones.

Wednesday, December 27, 2006

Applescript vs. VBS

http://blog.info-pull.com/2006/12/26/applescript-even-easier-than-vbs-i/

Of course this will be denounced by the rabid Mac loyalists as just more attempts to discredit the security of Apple. I can't agree more! The sad thing is it's really not that hard to do.

Just remember, there isn’t a lot of malware for Apple because the market is so small and insignificant it’s not profitable for malware authors, not that OSX is more secure.