Re: On classifying attacks

To: djweber@xxxxxxxxxxxx
Subject: Re: On classifying attacks
From: Gadi Evron <ge@xxxxxxxxxxxx>
Date: Sun, 26 Mar 2006 04:09:52 +0200
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <0IKC005HIR3AF33U@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <0IKC005HIR3AF33U@xxxxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

Daniel Weber wrote:

Crispin Cowan wrote:

I participated in that Lincoln Labs study, and my recollection is
that the remote/local distinction was already popular on bugtraq at
the time.


I've seen a lot of classification schemes proposed on Bugtraq in the
intervening years, some of them quite good.  (Search the archives for
"taxonomy" or "classification".)  But unless they are -very- simple to
use, they won't be taken up by the community.  If you can come up with
a single word that imputes the concept of "malicious data that I can
easily get onto the victim's machine and in front of the victim's
eyes but requires him to run it," that would be a great step forward.

Simplicity is key. (Unlike this posting, which I did not have timeto make shorter and simpler.)

What made my life a little confusing of late was not Trojan horseattacks, as I got used to the idea of treating them with a differentterminology all-together. Once on the system, it is compromised and howthe attack happens is irrelevant but *can* be quantified. How it got onthe system is the question here.

I.e., remote connection exploiting a service, etc.

The issue that bothers me is how we treat browser or generally clientside vulnerabilities.


I often see advisories on bugtraq such as this:
Remote exploit while using a browser to gain local access
After reading, I find out it's an SQL injection.

Another example is, if a user has to browse to a remote site to getexploited, it is true the attack code was on a remote site, but theprocessing, the exception and the exploitation happened locally.

The difference with other client attacks triggered from remote locationis the attacker. If he/she connects to you and tries to exploit, theservice is running and then runs into say, an exception. With a browseryou go to a remote site, download code, run it locally and get exploited.

I am not sure what these should be called, but an SQL injection is not aremote vulnerability as we term it, despite some similarities.

Many of us still argue on what a worm vs. Trojan vs. virus, etc. are.Let's not get to the stage where we have that with vulnerabilities.


        Gadi.

Follow-Ups:
- Re: On classifying attacks
  - From: David M Chess

References:
- Re: On classifying attacks
  - From: Daniel Weber

Prev by Date: Re: SYM06-006, Veritas NetBackup: Multiple Overflow Vulnerabilities in NetBackup Daemons
Next by Date: Announcement: The Web Hacking Incidents Database
Previous by thread: Re: On classifying attacks
Next by thread: Re: On classifying attacks
Index(es):
- Date
- Thread