Dailydave
mailing list archives
Re: Pentesters giving away Client information
From: Daniele Muscetta <daniele () muscetta com>
Date: Tue, 04 May 2004 22:36:31 +0200
You various guys wrote (not even in order):
Taking a slant on the "pentesters getting owned" thread, how about the
information that people sometimes give away, especially on public mailing
lists ?
I agree with you.
Anyway, I don't think those posts in fact should be there at all in the
first place.
A good pentester would not need that.
Anyway, this makes me want to consider two other possible scenarios:
1) the pentester could be owned later on, even some months after the
assignment, but still leak highly-confidential data he left on his hard disk;
2) the customer could (and often would) leak that data anyway (with the
next random-mailer worm for example ?).
I am not referring to any episode in particular, nor to facts that I
witnessed, just thinking what common scenarios could be.
First hand, not aware of any consultant's laptop getting 0wned but several
times I have been on the receiving end of some fairly heavy scanning from
the admins during internal tests, so they were certainly having a go...
Hahaha, they do it *ALL THE TIME*! Especially when you've taken over some
"admin stations" with their ssh keys and the like,
[...]
I have experienced network admins monitoring and attempting to drop
connections as the team performs the pen-test.
As a result, I think that talking about customer trying to 'defend'
themselves from the pentester is just plain silly.
The talk is not silly on its own, but the customer/target that did so in
those situations was silly!
I work on this 'customer-side role', too. And whenever I spotted the
intrusion attempts from pentesters I just notified them I saw them, but
always let them do their work.
After all I am paying them to TELL me if something is seriously wrong, I
am not trying to hide it from them !
The ultimate purpose is to fix problems found after a pen test !
Moreover, the chances of a pentester being owned are (if the right guy
is involved - but selection MUST be careful) very small.
In many cases I think the problem could eventually lie more with the
customer's report being stolen afterwards from the customer (being
passed internally to different managers/depts.), than the risk of the
pen test team being owned later on, or on site, or whatever...
This should not refer to the company I work for, AFAIK.
Best Regards,
Daniele
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave