Penetration Testing: Re: Looking for help against Chinese Hacking Team

["Adriel T. Desautels" <ad_lists () netragard com>]

Great,
	So then it looks like we're in agreement on what "harveyfrank" should  
do.  Do you by chance have any affiliation with ArcSight?

On Dec 16, 2008, at 9:09 AM, ArcSighter Elite wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Adriel T. Desautels wrote:
> > Great,
> >    If he's looking to stop attacks then he needs to remove the vector
> > through which he is being attacked. IPS devices do not remove the
> > vector, they make an attempt to prevent the vector from being  
> > accessed.
> > While I support the use of properly configured and maintained IPS
> > technologies, I'd never recommend using them as a method for  
> > remediation
> > because they are only a method for mitigation.  Sure mitigation is
> > great, but its not a fix.
> >
> >    With respect to your comment about creating properly designed
> > parameterized stored procedures, it is not "almost impossible" if you
> > architect things properly.  You might be able to change a variable  
> > from
> > a 1 to a 2 which is technically SQL Injection, but its not usually an
> > SQL Injection Attack that is of any use.  The idea here is to prevent
> > SQL Injection Attacks not to prevent people from changing variables  
> > that
> > should be harmless right?
> >
> >
> >
> >
> > On Dec 16, 2008, at 8:32 AM, ArcSighter Elite wrote:
> >
> > RaptorX wrote:
> > > > > what Adriel meant was PROPERLY DESIGNED Parameterized Stored
> > > > > Procedures, and
> > > > > I totally agree with him.
> > > > >
> > > > > Providing a short time solution is a good idea but you have to  
> > > > > finish
> > > > > the
> > > > > job properly which in the case of a pen-tester would be report and
> > > > > provide
> > > > > with a viable (permanent) solution.
> > > > >
> > > > > I also agree partially with Sam, specially windows systems, after
> > > > > hacked it
> > > > > is a MUCH BETTER idea to rebuild it improving the security of  
> > > > > course.
> > Well, PROPERLY DESIGNED of course if almost impossible, but you think
> > this is the case? I repeat myself: he's wishing to stop the  
> > attacks, and
> > of course I think/hope he'll take the appropriate measures then.  
> > IMHO he
> > wouldn't be able to fix anything if he is constantly under attack.  
> > And
> > sure, linux is the best solution, even a win port of apache will do
> > better than IIS, again IMHO. Again, SQL injection could result in a  
> > host
> > compromise, so re-deploying would be the optimal form: ex. instead of
> > finding rookits, install clean.
> >
> > Adriel T. Desautels
> > ad_lists () netragard com
>
> Sorry, we got a little communication problem here. I mean PROPERLY
> DESIGNED queries is almost impossible to SQL-inject, my bad if you
> misunderstood me. I'm sure you can't trusts IDS: I already said it  
> in a
> funny way: "they will only stop script-kiddies"; but he must truly
> "mitigate" the attack as you said, before taking another long-term
> measures. The IDS will also mitigate other attack vectors that may
> expose vulnerabilities in his web-app, that may be vulnerable to other
> web-based attacks, I already said, XSS, Sessions, Includes, Injections
> (LDAP/SQL, etc), and the like.
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFJR7aXH+KgkfcIQ8cRAnqJAKDoLK6SBIGeDWKggSoxZ60EYLhm3gCgpPC3
> dIOfXBjwnP3u1MYDsEhgoDI=
> =rk++
> -----END PGP SIGNATURE-----
Adriel T. Desautels
ad_lists () netragard com




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------