On Fri, 02 Sep 2011 20:55:35 -0000, "Thor (Hammer of God)" said:

> LOL. "Warning, if you get the user to execute code, then it is possible to
> get the user to execute code!! All you have to do is get files on their
> system, and then get them to execute those files! Note that once you get the
> user to execute the code, it will actually run in the context of that user!!
> This is remote code execution vulnerability!"
> Welcome to today's Infosec!

The sad part is that this is the future of infosec as well. Microsoft got the security religion a few years back, and even I have to admit their current stuff isn't that bad at all. The various Linux distros are (slowly) getting their acts together, and maybe even Apple and Adobe will see the light sometime reasonably soon. Yes, there will still be software failures - but once the effort of finding a new 0-day reaches a certain point, the economics change....

And once that happens, social engineering will become an even bigger part of both the attack and defense sides of infosec. For the black hats, the cost/benefit of looking for effective 0-day holes will continue to drop, while the cost/benefit of phishing a user will remain steady - so that's a push towards more social engineering. Why go to the effort of spending 3 months finding a browser bug that allows you to push malware to the victim's machine, when you can just spend 45 minutes creating a "Your machine is infected - click here to fix it" pop-up that will catch 80% of the people?

Meanwhile, as the software gets more hardened and patching is more automated, the white hats will find a bigger percent of their time is spent defending their systems from attacks triggered by their own users. Because the failure rate of people's brains is already about 4.7*10**9 times as high as the software failure rate, and the ratio is only getting worse - software is improving, people aren't.
Prediction 1: 10 years from now, organized crime will be hiring cognitive psychologists to help design more effective phish the way they currently hire programmers to write better spambots.

Prediction 2: It ain't gonna get better till the average IQ starts going up faster than the software improves.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/