Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: On classifying attacks

from [Crispin Cowan] Network Security [Permanent Link]
Subject: Re: On classifying attacks
Date: Thu, 28 Jul 2005 01:33:46 -0700 
Black, Michael wrote:

Perhaps the current popularity of remote/local terms comes from the
Lincoln Labs studies done in 1998:
http://www.usenix.org/events/sec99/full_papers/ghosh/ghosh_html/

Attacks were divided into four categories:
      denial of service
      probing/surveillance
      remote to local
      user to root attacks
  

I participated in that Lincoln Labs study, and my recollection is that
the remote/local distinction was already popular on bugtraq at the time.
The LL study was an attempt to simulate a natural threat.


In the email examples given so far (note that nothing of similarity was
in the LL study) they would all be "remote to local".
  

Well, no. There is also direct "remote to root", which is a significant
classification that is distinct from "remote to local" and "local to
root". It is what you get if you have an exploit against root privileged
daemons (BIND, ntpd, etc.) and what you get if you have an exploit
against Microsoft Outlook being run as Administrator.


There's no need for trying to define a compound attack -- it serves no
purpose.

How is that? Classification schemes work best when you break things down
to their component atoms so that you can build up letters into words and
words into sentences. Those pesky attackers insist on using blended
attacks, and if we want to discuss what attackers do, we will either
need to define compound attacks, or else come up with a *very* large
lexicon :)

Crispin
-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Vulnerability in Linksys Router access, Nick Simicich
Next by Date:  Re: eBay phishing - phishers are getting better, Ivaylo Zashev
Previous by Thread:  RE: On classifying attacks, Black, Michael
Next by Thread:  Silently fixed security bugs in Oracle Critical Patch Update July 2005, ak
Indexes:  [Date] [Thread] [Top] [All Lists]