Dailydave mailing list archives

Re: Dreaming of Summer


From: David Maynor <dave () 0dayspray com>
Date: Sun, 07 Dec 2003 00:04:34 -0500

On Sat, 2003-12-06 at 23:43, Sean Batt wrote:
Hello Daves et al,

Forgive me for asking a daft question; I'm not a security professional,
just a refugee from Full-Disclosure.

On Sat, 6 Dec 2003, David Maynor wrote:
...
I think the shot at trojaning a Debian package like ssh is worth a local
root; this is of course if I was just interested in blackhat activity.
For whitehat I would much rather keep the 0day for pentesting purposes.

I can't quite understand how a whitehat would use a 0day. Isn't a whitehat
ethically bound to fix or report vulnerabilities?
What is wrong with using code I wrote to perform my job? This would be
different if I were just out defacing random webpages, but if it's my job,
there seems to be a big difference to me.


Say a WH is contracted to do pentesting, she wanders into an environment
secured against known vulnerabilities, uses a 0day and then what does she
report? "You're still vulnerable! I got in. Here's proof. Can't tell you
how I did it: proprietary tools, trade secrets, etc etc."
I am of the belief that good security comes from a process and not just
implementing a single tool. Let's take the example you used. A whitehat
performs a pentest on a server with critical info on it. The pentest
(like most good ones) has a local and a remote portion. Let's say this
0day is against ssh. Now if this machine is configured correctly, even
though I have 0day for a service they are running, I should not be able
to get to the machine to exploit it. Wrappers and firewalls and such,
basically layers of security. If the remote and local attack is
successful they have more problems than just a vuln sshd; they have a
broken security model. This is what you report to the client. If you
were to ask an average customer of a pentest or security audit, "Would you
like the results to be valid until the next large vuln, or do you want a
comprehensive audit that will help you even if there is new 0day?", the
answer is often obvious. A lot of people seem to lose sight that
pentesting is supposed to improve security, regardless of whether the tester
gets in or not.


Am I being naive thinking that ethical stance is the difference between
black and white hats? I guess I'm missing something (probably a lot) about
the utility of 0days and the practice of penetration testing and if anyone
can comment on that I'd appreciate it.

As I said before, security is a process. As a security professional it is
my job to help protect my client against all threats, known or
otherwise. You do this by limiting exposure so if there is a 0day the
effect will be reduced. How do you test the effects a remote 0day would
have on a client unless you have them?
-- 
David Maynor
http://www.0dayspray.com/~dave
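The "layers in front of the service" argument above (a host firewall and TCP wrappers deciding whether a connection ever reaches sshd) can be modelled to show why an sshd flaw alone is not enough against a correctly configured host. The following is an added example written for this archive page; it is not code from the post, its author, or the Dailydave list. It re-implements a simplified subset of hosts_access(5) matching (ALL, exact address, trailing-dot prefix, net/mask) and a first-match firewall table; it is not libwrap or iptables, and the firewall rules, hosts.allow and hosts.deny contents are constructed sample data.

```python
"""Model of layered exposure control in front of a network service.

A connection has to pass the host firewall and then TCP wrappers before
the daemon sees a single byte. The wrappers logic is a simplified
re-implementation of hosts_access(5) semantics (allow file first, then
deny file, default allow) and covers only a subset of the pattern syntax.
"""
import ipaddress


def _pattern_matches(pattern: str, client_ip: str) -> bool:
    """Match one hosts.allow/hosts.deny client pattern (subset of hosts_access(5))."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask or net/prefixlen
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    if pattern.endswith("."):  # trailing dot: address prefix, e.g. "10."
        return client_ip.startswith(pattern)
    return pattern == client_ip


def _file_matches(rules: str, daemon: str, client_ip: str) -> bool:
    """True if any 'daemon_list : client_list' line in the file matches."""
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        daemon_list = [d.strip() for d in daemons.split(",")]
        client_list = clients.replace(",", " ").split()
        daemon_ok = "ALL" in daemon_list or daemon in daemon_list
        if daemon_ok and any(_pattern_matches(c, client_ip) for c in client_list):
            return True
    return False


def wrappers_allow(hosts_allow: str, hosts_deny: str, daemon: str, client_ip: str) -> bool:
    """hosts_access(5) order: a hosts.allow match wins, then hosts.deny, else allow."""
    if _file_matches(hosts_allow, daemon, client_ip):
        return True
    if _file_matches(hosts_deny, daemon, client_ip):
        return False
    return True


def firewall_allows(rules, port: int, client_ip: str) -> bool:
    """First matching (source_network, port, action) rule wins; default is DROP."""
    ip = ipaddress.ip_address(client_ip)
    for src, rule_port, action in rules:
        if rule_port == port and ip in ipaddress.ip_network(src):
            return action == "ACCEPT"
    return False


def service_reachable(firewall_rules, hosts_allow, hosts_deny, daemon, port, client_ip):
    """Return (reachable, stopped_by): which layer, if any, stopped the client."""
    if not firewall_allows(firewall_rules, port, client_ip):
        return False, "firewall"
    if not wrappers_allow(hosts_allow, hosts_deny, daemon, client_ip):
        return False, "tcp_wrappers"
    return True, None


# Constructed sample policy: sshd only from the 10/8 corporate range at the
# firewall, and only from the 10.1.2.0/24 admin subnet at the wrappers layer;
# the web service (443) is exposed to everyone.
LAYERED_FIREWALL = [
    ("10.0.0.0/8", 22, "ACCEPT"),
    ("0.0.0.0/0", 22, "DROP"),
    ("0.0.0.0/0", 443, "ACCEPT"),
]
LAYERED_HOSTS_ALLOW = "sshd: 10.1.2.0/255.255.255.0   # admin subnet only\n"
LAYERED_HOSTS_DENY = "ALL: ALL\n"

# Constructed contrast: sshd exposed to the internet with no wrappers policy,
# so any sshd bug is directly reachable (the "broken security model" case).
FLAT_FIREWALL = [("0.0.0.0/0", 22, "ACCEPT")]
FLAT_HOSTS_ALLOW = ""
FLAT_HOSTS_DENY = ""


def exposure_report(firewall, hosts_allow, hosts_deny, clients):
    """Map each constructed client address to the layer that stops it (or None)."""
    return {
        ip: service_reachable(firewall, hosts_allow, hosts_deny, "sshd", 22, ip)
        for ip in clients
    }


if __name__ == "__main__":
    clients = ["203.0.113.5", "10.9.9.9", "10.1.2.7"]  # internet, corp LAN, admin
    for name, fw, allow, deny in (
        ("layered", LAYERED_FIREWALL, LAYERED_HOSTS_ALLOW, LAYERED_HOSTS_DENY),
        ("flat", FLAT_FIREWALL, FLAT_HOSTS_ALLOW, FLAT_HOSTS_DENY),
    ):
        for ip, (ok, layer) in exposure_report(fw, allow, deny, clients).items():
            print(f"{name:8} {ip:14} sshd reachable={ok} stopped_by={layer}")
```

Under the layered policy an internet host never reaches sshd (the firewall drops it), an ordinary internal host passes the firewall but is refused by hosts.deny, and only the admin subnet gets through; under the flat policy every client reaches sshd, which is the finding a tester would report regardless of whether the sshd bug itself was disclosed.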
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave

