The Death of Defence in Depth ? - An invitation to Hack.lu
Invitation to Hack.lu [1] - a small but nice conference in the
heart of Europe.
As you may or may not know, we always prepare something special
for Hack.lu. Last year it was BTcrack; this year we'd like to
announce our (n.runs AG) presentation at this year's Hack.lu, entitled:
----------------------------------------------
The Death of Defence in Depth ?
- (In part) Revisiting Anti-Virus Software
Sergio Alvarez & Thierry Zoller
----------------------------------------------
The Death of Defence in Depth? A rather bold question, that is.
Is this another overhyped, bloated presentation? Or do we really
have to rethink the way we implement Defence in Depth on our
networks? This talk will hopefully give you the answers, or at
least the correct questions to ask yourselves.
Over the last year [2], n.runs AG investigated software that is
commonly used in a Defence in Depth approach and was quite
alarmed. The number of bugs and design problems we found was so
tremendous that we had problems dealing with the sheer amount of
vendor coordination and notification emails.
Want numbers? Over 4000 emails.
(Where is the ROI for Responsible Disclosure here?)
The problems range from simple bypasses and Denial of Service
attacks to code execution; the impacts range from code execution
in the DMZ to code execution in your internal network, holding
what might be your most precious knowledge: your entire internal
and external mail communication.
This talk will focus on the paradox of Defence in Depth: the more
layers of security you add, the more attack surface you offer.
The more you defend, the more vulnerable you are to these types
of attacks.
Think parsing engines.
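The paradox is easy to see in code. The following is an added example written for this page, not code from the talk, from n.runs or from any product: a hypothetical length-prefixed record format (constructed here, standing in for the archive and mail formats every AV layer in a gateway, mail server and desktop deployment has to parse), a naive parser that trusts the declared length, and a checked one that validates it. Every additional engine in the mail path that parses the attachment with code like `parse_naive` is one more place where a single malformed length field yields memory corruption, and the attachment only has to be crafted once.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical container record, constructed for this example:
 *   [4-byte big-endian payload length][payload bytes]
 * It stands in for the archive/mail/document formats that each AV
 * engine in a layered deployment has to parse; it is not any vendor's
 * real format. */

#define MAX_PAYLOAD 64

/* Scratch buffer both parsers copy the payload into. */
static uint8_t payload_sink[MAX_PAYLOAD];

/* Well-formed record: length 5, payload "hello" (constructed input). */
const uint8_t GOOD_RECORD[] = {
    0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'
};

/* Hostile record: claims a ~2 GiB payload but carries only 4 bytes
 * (constructed input). */
const uint8_t EVIL_RECORD[] = {
    0x7F, 0xFF, 0xFF, 0xF0, 'A', 'A', 'A', 'A'
};

uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Naive parser: trusts the length field.  On EVIL_RECORD the memcpy
 * would read far past the 8-byte input and write far past the 64-byte
 * sink: the classic parsing-engine memory corruption bug.  Only ever
 * call this with input you trust; it is here to show the missing checks. */
int parse_naive(const uint8_t *buf, size_t len) {
    (void)len;                          /* size of the input is ignored */
    uint32_t n = be32(buf);             /* no check that len >= 4 */
    memcpy(payload_sink, buf + 4, n);   /* no check n <= len - 4 or n <= MAX_PAYLOAD */
    return (int)n;
}

/* Checked parser: every value taken from the input is validated against
 * what the input actually contains and what the output can hold before
 * it is used.  Returns the payload length, or -1 for a malformed record. */
int parse_checked(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < 4)
        return -1;                      /* header truncated */
    uint32_t n = be32(buf);
    if (n > len - 4)
        return -1;                      /* declared length exceeds the data present */
    if (n > MAX_PAYLOAD)
        return -1;                      /* would not fit the destination */
    memcpy(payload_sink, buf + 4, n);
    return (int)n;
}

int main(void) {
    printf("checked, good record: %d\n",
           parse_checked(GOOD_RECORD, sizeof GOOD_RECORD));   /* 5 */
    printf("checked, evil record: %d\n",
           parse_checked(EVIL_RECORD, sizeof EVIL_RECORD));   /* -1 */
    printf("naive, good record:   %d\n",
           parse_naive(GOOD_RECORD, sizeof GOOD_RECORD));     /* 5 */
    printf("naive would copy %u bytes from the evil record into a %d-byte buffer\n",
           be32(EVIL_RECORD), MAX_PAYLOAD);
    return 0;
}
```

Note the order of the checks in `parse_checked`: the input length is verified before the header is read, and the declared length is compared against both the bytes actually present and the destination size before any copy happens. A product that runs the same attachment through several engines needs every one of them to get this right; one that does not is the entry vector.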
In every product we tested we found no evidence that these
products had ever undergone any real outside security testing,
not to mention a source code audit.
This talk will show you the problems and, more importantly, the
impact for your company. The talk has been prepared to make a
point: every company sitting in the room could have been owned
at this very moment, from the inside out. Prepare for the worst;
we'll use your defence against you as an entry vector into your
network.
The 2-hour workshop might even lead us to the discovery of new
vulnerabilities, who knows? ;) Of course, n.runs will not
communicate such information without giving at least some clues
on how to mitigate or maybe even solve the problem.
Bloated, exaggerated statement? You'll decide. A Hack.lu
exclusive - because we love you so much. Batteries not included.
See you there!
[1] http://www.hack.lu/index.php/Practical
http://www.hack.lu/reg/
[2] http://www.nruns.com/parsing-engines-advisories.php