Full Disclosure mailing list archives

Re: Rate Stratfor's Incident Response
From: Benjamin Kreuter <ben.kreuter () gmail com>
Date: Sat, 14 Jan 2012 16:53:57 -0500


On Sat, 14 Jan 2012 14:33:23 -0700
Sanguinarious Rose <SanguineRose () OccultusTerra com> wrote:

> On the kiddies, I can't see the advantage of hiring a professional
> sqlmap and havij operator.

For a full-time position with benefits, no, there is no real
advantage.  However, if your own team cannot even do that much, then
perhaps the kiddie should be hired on a temporary or contract basis,
to give a report of what sort of common vulnerabilities can be

>> I always report the vulns that I stumble upon (from my own email
>> and such) and while I'm doing this in good faith, I would never
>> dare to actively exploit that vuln for better proof, because if
>> they sue me, they would win. So I try to keep it that way, that I
>> cannot be held responsible, because I didn't break any law.

> I do agree and can't see the real need for someone to actually prove
> it like that which is rather over the line in being illegal. It also
> requires more work than is even required to report it.

People are very bad with understanding hypothetical problems.  As an
example, my alma mater would (and perhaps still does) routinely send
important, official emails about financial aid, tuition, etc. with a
format like this:

[stuff about finances that needs to be taken care of quickly]

Click here to do [something important]:

There was no method available to verify that these emails actually came
from the university's administration -- no digital signatures, nothing
in the mail system that even checked that the message originated from
a university IP address, nothing. I tried to bring this up with them,
and even gave a live demonstration of spoofing an email address for the
non-technical folks.  It was not until an actual phishing attack was
detected that any action was taken.

Telling someone they have a vulnerable system will only effect change
if they already take security seriously.  Since most organizations
still do not view security as central to the design of their systems,
you need to really drive the point home with evidence.  This means
actually attacking the system, or at the very least giving some
demonstration that the vulnerability is real and can really be

-- Ben

-- 
Benjamin R Kreuter
UVA Computer Science
brk7bx () virginia edu

--

"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
