What about the Fortune 500? Doing OK! From significant sample of Fortune 500: 70% have tested and patched mail servers 15% patched, but suffer from NATs This has been a real problem 15% unpatched Non-mail servers doing almost as well 61% patched 21.75% patched, but suffer from NATs 17.25% unpatched Thank you, Mike Ryan, Jacob Carlson, Charles Henderson of Trustwave R&D, Application Testing They do PCI testing, and were well positioned to encourage testing and validation for this flaw Certainly an unusual and awesome use of security through compliance Unprecedented – probably a better hack than the original bug Ĭan we watch the patching in action? (Thank you, Joichim Vidde et al, Clarified Networks) One hundred and twenty million – that, alone, is 42% of broadband subscribers. Just because you can’t scan for it doesn’t mean it’s not out there. There are numbers and are there are numbers 120,000,000 The number of users protected by Nominum’s carrier patching operation They’re not the Internet’s most popular server! That’s BIND, and we saw LOTS of BIND patching They’re not the only server that got lots of updates Microsoft’s Automatic Updates swept through lots and lots of users Do not underestimate MSDNS behind the firewall. Obviously thanks to the Summit Members Paul Vixie David Dagon Georgia Tech – thanks for the net/compute nodes Florian Weimer Wouter Wijngaards Andreas Gustaffon Microsoft Nominum OpenDNS ISC Neustar CERT People have really been incredible with this. Thanks to the community First finder: Pieter de Boer 51 hours later Best Paper Bernard Mueller, Five days later, but had full info/repro Interesting thinking (got close, kept off lists) Andre Ludwig Nicholas Weaver “ (got really really close) Zeev Rabinovich Michael Gersten Mike Christian Left the lists Paul Schmehl Troy XYZ Others Thanks Jen Grannick (she contacted me) DNSStuff (they taught me LDNS, and reimplemented my code better) Everyone else (people know who they are, and know I owe them a beer). I went out on a very shaky limb, to try to keep the details quiet Asked people not to publicly speculate Totally unreasonable request Had to try. There was a rather coordinated patching effort. Introduction Hi! I’m Dan Kaminsky This is my 9 th talk here at Black Hat I look for interesting design elements – new ways to manipulate old systems, old ways to manipulate new systems Career thus far spent in Fortune 500 Consulting now I found a really bad bug a while ago.
Black Ops 2008: It’s The End Of The Cache As We Know It Or: “64K Should Be Good Enough For Anyone” Dan Kaminsky Director of Penetration Testing IOActive, Inc.
0 kommentar(er)
