Keynote: Penetration Testing By Targeting The Soft Underbelly Of Infrastructure presented at SANS Pen Test Summit 2010

by Dan Kaminsky (IOActive)

Tags: Keynote


Summary: Generally, when we attack codebases, we attack them head on. We go straight for the code that is obviously (even if accidentally) exposed, find parsing or logic vulnerabilities, and call it a day. This works, but it also represents something of a blind spot. Real-world code is deployed as part of a general IT infrastructure, and attacks against this infrastructure often have profound impact. It is the diffuse nature of infrastructure responsibility that specifically makes it so likely to retain vulnerability. In this talk, I'll discuss concrete, remote attacks that compromise a wide variety of customer-deployed systems, in ways that may seem unfair. I'll also discuss the effects of a new class of attack, based upon transitioning software into a temporary but highly unaudited and vulnerable mode.