Dailydave mailing list archives
Ultra
From: Dave Aitel <dave.aitel () gmail com>
Date: Sat, 1 Feb 2020 22:19:49 -0500
Last week I had a conversation with a well known cyber policy expert and he was like "I just finished reading Cryptonomicon and you always say it's some sort of masters degree in cyber policy but I can't figure out why..." But this US-CERT tweet, and the entire activity of behavior around the Citrix RCE, demonstrates exactly why. Because Cryptonomicon is about vulnerabilities and the flow of information and how they interact. And clearly the defensive community has failed somewhere with regards to this bug.

You can watch this movie here <https://vimeo.com/387524470>, where we point out the CANVAS version of this exploit is not detectable with the tool released by Fireeye and Citrix, but the bigger point is that you have NO telemetry on these systems, other than some logs which are stored locally, probably.

Questions you have to ask yourself with any bug:

- What does this vulnerability tell me about the technical debt inherent in this product?
- Do I have enough telemetry to tell me if this vulnerability was exploited?
- What is the risk an attacker used both this vulnerability and a bug I don't know about to hide their tracks and establish covert persistence?

Realistically the most dangerous thing is not bad security but a false sense of security. Attackers will go to any lengths to create a story that lets you believe you are more secure than you are, and in this case, US-CERT is helping them.

-dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave

