My specialty is in application security and the client-attacking trend is definitely something that I see pretty often. Malware distributed through application based attacks (XSS, etc) seems to be a very common and effective attack vector. If you are interested in more information on the types of application security vulnerabilities that I see, you can take a look at the OWASP Top 10 which is the top 10 most prevalent application security vulnerabilities (at least according to OWASP).

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Hope it helps.

Jarret Raim

-----Original Message-----

From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of cribbar

Sent: Wednesday, December 01, 2010 6:10 AM

To: pen-test (at) securityfocus (dot) com [email concealed]

Subject: Evolution of security threats and exploits...

Could I ask, from the perspective of an internal systems administrator, the so called â??good guyâ?, do you hackers / pen testers see any major trends in the IT security industry that people with malicious intent are now targeting or exploiting these days, as opposed to say, 5 years ago? Has any of the main focus of primary attack shifted in the last few years?

I have always looked at the pen testing / hacking industry with great interest and in many ways, amazement, but some of it seems such an underground industry nobody ever really knows â??whatâ??s coming nextâ?, so we struggle to stay current with where we need to invest next and step up our own guard and procedures to stop the next few years wave of â??new exploitsâ?.

Iâ??ve seen some of you post that server side vulnerabilities are becoming a less favourable and fruitful exploit â?? any particular reason why, and you tell us the majority of exploits now targeted by the bad guys are â??client sideâ?, which I suspect you mean unpatched client apps like Adobe Reader etc?

Any reason for the switch from focusing primarily on the server side, and now focusing on client side exploits more?

I wondered if youâ??d be willing to say â??in 2010 these are the main threats that criminals/hackers are commonly trying to exploit these days, as opposed to these vulnerabilities and exploits which were the main number 1 target focus 5 years backâ?. You always stay ahead of the game in finding new areas of â??low hanging fruitâ? every few years, so I canâ??t see any issue in at least asking the question on main areas of focus now from the pen testing / hacking community.

It always seems to evolve, in that you will target certain â??familiesâ? or vulnerabilities for a few years, and then the suppliers will offer tools and automated patch solutions to hamper you, so then you move on to other low hanging fruit that hadnâ??t been considered or targeted as much before.

Any input or feedback most welcome. Thanks for taking the time to read my post.

--

View this message in context: http://old.nabble.com/Evolution-of-security-threats-and-exploits...-tp30
348296p30348296.html

Sent from the Penetration Testing mailing list archive at Nabble.com.

------------------------------------------------------------------------

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org

------------------------------------------------------------------------

Confidentiality Notice: This e-mail message (including any attached or
embedded documents) is intended for the exclusive and confidential use of the
individual or entity to which this message is addressed, and unless otherwise
expressly indicated, is confidential and privileged information of Rackspace.
Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail
at abuse (at) rackspace (dot) com [email concealed], and delete the original message.
Your cooperation is appreciated.

[ reply ]