Shostack + Friends Blog Archive


Java Security & Criminals

Brian Krebs has an interesting article on “Java: A Gift to Exploit Pack Makers.” What makes it interesting is that since information security professionals share data so well, Brian was able to go to the top IDS makers and get practical advice on what really works to secure a system.

Sorry, dreaming there for a minute.

What Brian really did was go look at what attackers are doing in their commercial exploit kits, and discovered that Java exploits have surpassed Adobe exploits in ‘his’ sample.

I’m curious what you all think of the approach. What can we learn from attacker toolkits and marketing pitches? What are the limits of this?

One comment on "Java Security & Criminals"

  • Curt Wilson says:

    Exploit packs, especially the commercial packs, represent the commodity exploitation techniques at play. If any AV vendor, IDS vendor, etc. cannot defend against them then this shows a serious gap. The obfuscation and packing involved typically bypasses many defenses and of course they are updated often. What can we learn: defenders and researchers need to adapt quicker, analyze in more depth and LE and others doing takedown need to be more agile especially with regards to bullet-proof hosting (good luck). Organizations need to use tools like Secunia’s PSI/CSI/OSI and use patch management to help reduce non-0day driveby attacks, and security awareness on common trickery techniques needs to be distributed, first to those who have sensitive data or access to protect. The funding for all of this must come from somewhere! @curtw
