Dailydave mailing list archives
Re: Pentesters giving away Client information
From: Daniele Muscetta <daniele () muscetta com>
Date: Tue, 04 May 2004 22:36:31 +0200
You various guys wrote (not even in order):
Taking a slant on the "pentesters getting owned" thread, how about the information that people sometimes give away, especially on public mailing lists ?
I agree with you.Anyway, i don't think those post in fact should be there at all in the first place.
A good pentester would not need that. Anyway, this makes me want to consider other two possible scenarios:1) the pentester could be owned later on, even some months after the assignment, but still leak highly-confidenial data he left on his harddisk; 2) the customer could (and often would) leak that data anyway (with the next random-mailer worm for example ?).
I am not referring to any episode in particular, nor to facts that I witnessed, just thinking what common scenarios could be.
First hand, not aware of any consultants laptop getting 0wned but several times I have been on the receiving end of some fairly heavy scanning from the admins during internal tests, so they were certainly having a go...Hahaha, they do it *ALL THE TIME*! Especially when you've taken over some"admin stations" with their ssh keys and the like,
[...]
I have experienced network admins monitoring and attempting to drop connections as the team performs the pen-test.
As a result, I think that talking about customer trying to 'defend' themselves from the pentester is just plain silly. The talk is not silly on its own, but the customer/target that did so in those situations was silly! I work on this 'customer-side role', too. And whenever I spotted the intrusion attempts from pentesters I just notified them I saw them, but always let them do their work. After all I am paying them to TELL me if something is seriously wrong, I am not trying to hide it from them !
The ultimate purpose is to fix problems found after a pen test !Moreover, the chances of a pentester being owned are (if the right guy is involved - but selection MUST be careful) very small. In many cases I think the problem could eventually lie more with the customer's report being stolen afterwards from the customer (being passed internally to different managers/depts.), than the risk of the pen test team being owned later on, or on site, or whatever...
This should not refer to the company I work for, AFAIK. Best Regards, Daniele _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://www.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Pentesters giving away Client information Nexus (May 04)
- Re: Pentesters giving away Client information wirepair (May 04)
- Re: Pentesters giving away Client information Daniele Muscetta (May 04)
- RE: Pentesters giving away Client information Steve W. Manzuik (May 04)