EH-Net

I think this should be an nice question tu argue, and this because of many of us dedicate to security. Java, .NET are the future of applications and web services so where does buffer overflows and format string bugs goes? Accionally many of the vulnerabilities that we exploit are cause of this miss undestanding of safe programming. Millions of lines of codes have been patched againts this flaws.

So where do you think security is going, to Social Engineering (boring), to anit virus technologies (kind of Social Engineering), to IDS/IPS tech.

In Past Conventions on Defcon and BlackHat, nothing new or even intersting.

No new attacks techniques?

so were are in a dead spot, or it is really the end of security as we know it.

There seems to be a common misconception that hacking is mostly exploiting flaws in software. This couldn't be further from the truth.  Regardless if "new" techniques are coming out every few weeks or months or whatever, that certainly doesn't mean there are not a lot of vulnerable servers out there. Its really all about the security of data and can we access it without authorization.  This is what we are hired to do. Of course we have  certain "rules of engagement" and we cant kidnap someone and force them to give us their password at gun point, lol. 

Regardless whether  I can access data via a buffer overflow, crack a password, hijacking services, fooling authentication systems, social engineering, etc... if I can gain access to data I am not authorized to access, I feel I have compromised that security.  If I trick someone into giving me their password, is that "hacking"? Well not really in my interpretation of the word, but its the public impression of the term.  Did it allow me to have  unauthorized access to data?  Maybe.  In this context, the era of "hacking" is hardly coming to an end. 

The security of a program isn't always about sanitized validated inputs and dropping invalid data.  A program can only be as secure as the environment in which it resides: hard and software. Millions of lines of less than secure code notwithstanding the further consideration of what code interacts muddies the situation significantly. http://www.ntguard.com/article.cfm/id/341504  (http://www.ntguard.com/article.cfm/id/341504) further underscores that as we add complexity, we risk adding vulnerability.

Coders are under time,financial, and interoperability constraints that inject inevitable flaws into their end product.  Good practice and QC become limited by client needs, production schedules, and limitations of manpower. Manufacturers mitigate these needs as reasonably as they can within these limitations.  Flawed code doesn't seem to be going away.

Social engineering is never going to go away because we're flawed creatures. we want to be helpful, useful, liked, and appreciated.  We'd have to take the human element out. 

AV technologies will continue to struggle to keep up with the virii available if only for the percieved protection they provide.  Per the refernces in the link above, I dare say AV technologies might have become near self-perpetuating.

I wouldn't attribute the lack of new tools and techniques to a lack of them existing, rather a lull in publishing.  People can only explore so much before repeating research.  This career has been punctuated by bursts of frenzied discoveries based on other research.  We are just as likely to be experiencing the calm before the storm.

Why are you trying to hack in his end?

This isn't that kind of bar, buddy.   :o

nothing like lowering the tone....... ;)

As already stated Social Engineering is here to stay, and I dont think its boring its actually an area that really interest me. Many organisation still under estimate this factor, and do not invest in education and awareness.

With regards to is hacking coming to an end, I think it depends what you define as hacking. Hacking to me is manipulating something to do something it was not specifically designed to do, and I think this will always be a possibility.

Internet is still in its infacy I feel, as we move more and more towards doing computing in the cloud, security will become ever more important, but the stuff we see today will still exist in new flavours, viruses, exploits, denial of service.

I am still looking forward to my life in the world of InfoSec.

As stated, application security is far more than buffer overflows and format string vulnerabilities.

I've rarely found exploitable (as in arbitrary code execution) buffer overflows on externally visible resources (internal is a different story).   I've frequently found application vulnerabilities such as SQL Injection (much less common in .NET than classic ASP).   Even more common are business logic vulnerabilities -- not so much technical (like SQL Injection, XSS, CSRF, etc.), but flaws in the business logic of the application that lead to a compromise.   Things like having the price of a store item as a hidden form field.

Or having a form to allow users to download VCS files from an online calendar application....and not checking the file location that is passed into the download app.   Just had that recently -- allowed me to download any file on the server if I modified that hidden form field.   Downloaded the SAM and SECURITY files from the repair directory, cracked them and logged into the server as an Administrator.

The skill (and the fun) in hacking is finding those vulnerabilities wherever and however they present themselves, not in trying a pre-defined set of tests and seeing what works.    The application layer is where the majority of exploits have migrated to.

Good question and good thread.

I am going to agree with Simon, its very rare to find something remotely exploitable  (network level) from an external look. Web App is another story but its getting harder and harder to get a shell from that.  But you can see data you shouldn't see all day and that's really where security is going, protecting the data over getting a shell.  Getting a shell is still more fun though.

Alot of the current vulnerabilities are user level, in fact someone I respect said "client sides are the new remotes" and I think he is correct.  Getting users to execute your code is the new way for remote entry and catching those outbound connections will be the next (well really current) thing to protect against.

I personally dont consider SE boring, trying to outsmart whoever it is you are trying to SE should be a good challenge and will only get harder as things go on.

Heck....SE is some of the most fun you get to have as a hacker ;)

I'm not sure that I agree entirely on the rarity of shell access remotely through web apps, though.   I just pulled one today (SQL Server 2k5, with an ISS IPS in place, so it was a bit tricky).   

I will certainly agree that they're becoming more scarce in current iterations of web programming languages (.NET is vastly better with security than classic ASP)....but legacy code and vulnerable applications in current languages are not too difficult to come by....at least, not yet :)

2k5, very nice.  i'd like to hear a bit more about that. 

Certainly....though to avoid derailing the thread, we should probably take it to PM (or a new thread, if you prefer).

Please start a new thread, as I'm sure that several of us are interested

For your enjoyment:

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,2814.0/