Penetration Testing

Re: Case studies books

Tue, 09 Mar 2010 10:58:38 GMT

Posted by David Glosser on Mar 09

not a book, no idea how real, but fun to watch

http://en.wikipedia.org/wiki/Tiger_Team_(TV_series)

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT
and CEPT certs require a full practical examination in order to become...

Re: Evaluating pentesters

Tue, 09 Mar 2010 09:45:04 GMT

Posted by Shohn Trojacek on Mar 09

Tony,

I'd say that similar to a job interview, you could ask them to tell
"war stories" and then measure their hesitation and response time to
detect BS. Of course, you don't want to mistake contemplation for
hesitation, but this is generally an effective tool in any area. For
example, you can call up a former employer and ask if they would hire
that person again. The lack of a response can be more telling than an
actual response at...

Re: Professional Scrpt Kiddies vs Real Talent

Tue, 09 Mar 2010 09:34:37 GMT

Posted by Omar Herrera on Mar 09

Hi Adriel,

I agree that you have script kiddies on both ends, but this is the
nature of humans. You get you car these days to the mechanic and most of
them run some kind of scanner without understanding the inner details,
look at the report, replace the parts and that's it. They do what they
were trained for, nothing more or nothing else, and sometimes, that's
just what it's needed.

We got scientists and experts that claim to know the...

Re: Evaluating pentesters

Tue, 09 Mar 2010 09:21:39 GMT

Posted by Jason Ross on Mar 09

In theory, there is; see http://securityscoreboard.com

In practice, there's a lot of security companies listed on the site
which have little information about them posted. That's largely
due to the fact that the site is really just starting to gain momentum,
but it still means that not a lot of data is available.

Still, even without the full realisation of user scores and such, it's
a helpful resource IMO. Specifically, it provides a very nice...

Re: Evaluating pentesters

Tue, 09 Mar 2010 09:09:55 GMT

Posted by aceinyaface on Mar 09

Hey Tony,

This is a bit dated, but I guess this is what this guy was trying to do:
http://secreview.blogspot.com/

I've heard a lot about Netragard and heard they provide the services
you are looking for and do a very good job. FWIW.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that...

Re: Professional Scrpt Kiddies vs Real Talent

Tue, 09 Mar 2010 08:54:53 GMT

Posted by Vikram Dhillon on Mar 09

Thanks for that awesome email, I suppose you are right that in most cases the script kiddies are just being an
annoyance, imagine though if they did know and fully understood what those tools did. Wouldn't that be scarier :) Then
again, that's just my opinion, but I do strongly believe that ignorance is benifiting us one way or the other. With the
advent of linux however, things have changed a lot, the code is open so its harder to make it...

Re: Professional Scrpt Kiddies vs Real Talent

Tue, 09 Mar 2010 08:38:27 GMT

Posted by Adriel T. Desautels on Mar 09

Comments embedded below:

When shouldn't a penetration tester be a hacker?

Hence why I made the correction to our blog: " As far as I am concerned, these are some of the best guys in the
industry:" When I first wrote it I wrote it as if the list was all inclusive, and that's just impossible. My mistake.

Care to elaborate? I might be having an idiot moment here, but I'm not following what you are trying to communicate.

What does...

Re: Professional Scrpt Kiddies vs Real Talent

Tue, 09 Mar 2010 08:08:57 GMT

Posted by Adriel T. Desautels on Mar 09

Hi Wim, my comments are embedded below.

Why are you making the assumption that Vulnerability Research is limited to "products"?

Interesting perspective and I can't say that I share your view in its entirety. That said, I certainly agree that
contributing to the community is of huge value. I think that our contributions are proof of that aren't they?

I love HD, so do the people on our team, but I'm not sure that I'd go so far as...

Re: proposed pen-test

Tue, 09 Mar 2010 07:39:41 GMT

Posted by Shohn Trojacek on Mar 08

I haven't thought this very far through, but wanted to comment that
this is hilarious for many reasons. I can imagine the look of surprise
on the user's face.

I'm not sure there would be a whole lot of value in performing this
unless your users have been trained quite well in this area. I'm
operating under the presumption that this is a "normal" user
population not used to security protocols and such. In other words,
I'd probably spend...

Re: Professional Scrpt Kiddies vs Real Talent

Tue, 09 Mar 2010 07:12:20 GMT

Posted by Wim Remes on Mar 08

while I understand what triggered this post and/or e-mail, it is barely scratching the surface. Infosec is so much
more than finding vulnerabilities in products that you can hardly
limit a list of "security experts" to people doing vulnerability research. It just ain't right. For me there's two
kind of people in infosec : People that are actually contributing to a
very open and interactive community (no, not by stepping in the...

Re: proposed pen-test

Tue, 09 Mar 2010 07:05:56 GMT

Posted by Terry Cutler on Mar 08

Hey John, I'm actually reproducing the Hack that was done on Google
called "Project Aurora" in a Keynot demo at Novell Brainshare. I'll be
using Core Impact 10 to do this. In essence what happens is that Core
installs a webserver instance on my PC and fires off an email to whom
ever you specify and FROM who ever you want. Now, core has some built
in HTML messages that look like the real deal such as Facebook and
Linkedin invitations....

Re: Evaluating pentesters

Tue, 09 Mar 2010 07:00:41 GMT

Posted by Andre Gironda on Mar 08

Is there some kind of capital planning, budgeting, or decision-making
process that occurs before a company seeks out to hire penetration
testing firm(s)?

http://www.penetration-testing.com

Why PCI DSS focused and not anything else? I would have rather you
said ISO 27002, BITS FISAP, or Unified Compliance. Actually I would
rather have you say that this is risk management and fraud management
focused, perhaps citing standards in those areas.

Ok....

Re: Evaluating pentesters

Tue, 09 Mar 2010 06:35:15 GMT

Posted by David Glosser on Mar 08

I would assume that a PCI Approved Scanning Vendor (ASV) would also
have those resources.
Another option may to visit the PCI forums and mailing lists and check
out the replies to user questions. Many of those answers are from
people who have performed PCI gap analyses and PCI audits

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to...

Re: proposed pen-test

Tue, 09 Mar 2010 06:29:48 GMT

Posted by krymson on Mar 08

If you have access to the mailboxes of the department, could you just slip them in with some prepared wear-and-tear on
the packages and maybe a stamp making it look like it has been processed? Of course, now you're just pretending to be
the real post instead of actually using them!

One problem with USB keys and social testing would be any effects if your targets take the devices home to check them
out, or give them to a student or friend or...

Re: Evaluating pentesters

Tue, 09 Mar 2010 06:23:18 GMT

Posted by Tracy Reed on Mar 08

On Fri, Mar 05, 2010 at 07:01:33PM -0500, Tony Turner spake thusly:

Just out of curiosity, what makes for a bad pen-testing firm?

I'm going to be looking for one myself (PCI as well) and would like to
know what to avoid.

Although pen-testing is way-overrated IMHO. The attackers will have
far more time and be far more resourceful than your pen-testers will
ever be.

There seems to be a cottage industry of small shops praying on
merchants who...