The Death of Defence in Depth ? - An invitation to Hack.lu

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, <news@xxxxxxxxxxxxxx>
Subject: The Death of Defence in Depth ? - An invitation to Hack.lu
From: Thierry Zoller <Thierry@xxxxxxxxx>
Date: Tue, 9 Oct 2007 21:14:30 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Kachkeis Liebhaber CoKG
Reply-to: Thierry Zoller <Thierry@xxxxxxxxx>

Invitation to Hack.lu [1] - A small but nice  Conference  in  the
Heart of Europe.

As you may or may not know, we always  prepare  something special
for Hack.lu, last year BTcrack, this year we'd  like  to  announce
our (n.runs AG) Presentation @ this  years  Hack. lu,   entitled:

----------------------------------------------  
The Death of Defence in Depth ? 
- (In  part)  Revisiting  Anti-Virus  Software
   Sergio Alvarez & Thierr Zoller
----------------------------------------------

The Death of Defence in Depth ? - A  rather  bold  question  that
is; is this another overhyped bloated Presentation ? Or maybe  do
we really have to rethink the way we implement Defence  in  Depth
on our networks ? This talk will hopefully give you the  answers,
if  not  at  least  the  correct  questions  to  ask  yourselves.

Over the last year [2], n.runs AG  investigated  Software that is
commonly being used in an  Defence  in  Depth  approach  and  was
quite alarmed. The number of Bugs and Design  problems  we  found
were so tremendous that we had problems dealing  with  the  shear
amount of Vendor coordination and notification emails. 

Want numbers? Over 4000 emails.
(Where  is the ROI for Responsible Disclosure here?)

The problems reach from simple bypasses  and  Denial  of  Service
attacks to Code execution; the Impacts reach from code  execution
in the DMZ to Code execution in  your  Internal  Network  holding
what  might  be  your  most  precious  Knowledge  -  your  entire
internal and external mail communication. 

This talk will focus on the Paradox of  Defence  in  Depth,   the
more layers of Security you  add  the  more  Attack  Surface  you
offer. The more you defend the more vulnerable you are  to  these
types of Attacks.
Think Parsing engines.

In every product we  tested  we  found  no  evidence  that  these
products had ever undergone any real  outside  security  testing,
not to mention a source code audit.

This talk will show you the Problems  and  more  importantly  the
Impact for your company. The talk has been  prepared  to  make  a
point - Every company sitting in the room could have  been  owned
at this very moment, from the Inside out, prepare for the  worse,
we'll use your Defence against you as  an  entry  vector to  your
network. 

The 2 hour Workshop might even lead us to  the discovery of  new
vulnerabilties, who knows ? ;) Of course  such  information  will
not be communicated by  n. runs  without  any  clues  on  how  to
mitigate or maybe even solve this problem.

Bloated  exhagerated  Statement  ?  You'll  decide.   A  Hack. lu
exclusive - because we love you so much. Batteries not  included.

See you there!

[1] http://www.hack.lu/index.php/Practical
    http://www.hack.lu/reg/ 
[2] http://www.nruns.com/parsing-engines-advisories.php

Follow-Ups:
- Re: [Full-disclosure] The Death of Defence in Depth ? - An invitation to Hack.lu
  - From: Felix 'FX' Lindner

Prev by Date: Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
Next by Date: [ GLSA 200710-09 ] NX 2.1: User-assisted execution of arbitrary code
Previous by thread: Re: iDefense Security Advisory 10.09.07: Microsoft Windows Mail and Outlook Express NNTP Protocol Heap Overflow
Next by thread: Re: [Full-disclosure] The Death of Defence in Depth ? - An invitation to Hack.lu
Index(es):
- Date
- Thread