OK, I am officially depressed. Here’s Richard Bejtlich’s impression of the state of security after one day at BlackHat:
My overall impression from the first day of briefings can be summarized in this manner.
- Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if you are fully patched, “properly configured,” not running Javascript, or adopting any number of other current defensive stratgies if you use a Web browser that renders modern rich content. Almost none of the techniques described in the Black Hat talks relies upon exploiting vulnerable software. Almost all of them abuse inherent functionality for malicious reasons.
- Detecting current attacks in “real time” is increasingly difficult, if not impossible. Even if you assume attacks are not obscured by encryption, recognizing and understanding the variety of Web-based attacks shown at Black Hat is almost a lost cause. There is basically no way for defenders to address the expanse of the attack surface exposed by “rich Internet applications” and frameworks. I realized that the “rich” in “RIA” refers to the money intruders will make by exploiting Web clients.
- The average Web developer and security professional will never be able to counter these attacks. Intruders are so far ahead of the defenders with respect to tools and techniques that it is simply not possible to prevent the attacks I saw at Black Hat. This statement will probably offend many people but it’s time to face the truth. There is no way to get “ahead of the threat” here.
Holy crap. What in world am I doing then? I guess making money off some poor, ignorant bastards who have no idea that every effort we are making is totally useless. Well, I guess in order to maintain my integrity, I should just quit.
Sheesh.
Vet
