Dailydave mailing list archives
Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes)
From: Daniel <daniel () ugc-labs co uk>
Date: Tue, 14 Nov 2006 21:10:24 +0700
David,

Say you're on a test for a large financial bank and you use a 0hday to take down their core IIS web farm. How do you explain to the CSO how to remedy the problem? Do you explain the risk value you have assigned for a vulnerability which has no solution/patch? A prime example of this would be a 0hday in IIS 6.0.

David: Your IIS 6.0 is vulnerable to an unpublished, unknown vulnerability.
CSO: So what do we do, David??
David: Secure your network.
CSO: How?
David: ????
CSO: Microsoft has no patch for this, they cannot help. I've paid you to do an assessment; what is the risk of the vulnerability versus the loss of business if I have to shut down our front-end trading system?

See what I mean?

On 14 Nov 2006, at 19:55, David Maynor wrote:
> Using 0day in pentests is still very valid, IMHO. The goal of designing a secure environment is that it could survive and repel an assault from a determined attacker. Since the debate about whether 0day is used in real-world attacks seems to finally be over thanks to things like IE and Office bugs, a person has to take the 0day angle into account while designing an infrastructure. Of course people that leave password lists on open shares will care about this less than people who have been through a pentest process and implemented the suggestions.
>
> On 11/14/06, Nicolas RUFF <nruff () security-labs org> wrote:
> > > > When I was a consultant my shtick was that a "pen-test" is a complete waste of time if you don't have your other ducks in line. This was based on the un-scientific research conducted by myself that basically concluded that 99/100 pen-tests are almost always successful.
> > > > [...]
> > > That's a misleading way to frame the conversation, don't you think? A pen-test isn't supposed to answer the yes/no question, "Can you be hacked?" It's supposed to ask the open-ended questions, "How can you be hacked?" and "How can you fix it?"
> >
> > In my experience, "99/100 internal pen-tests are successful during the first 10 minutes, without using any 0day attack". (I don't even own a CANVAS licence :)
> >
> > This means:
> > - Domain admin account created with a trivial password, for someone who never logged in.
> > - "Password.xls" file found on a public share.
> > - Variations: the share is hidden ('$' sign), the Excel file is password-protected.
> > - Local admin password is the same on every workstation - once you get yours, you can connect to any admin workstation.
> > - Service accounts can be used to log in anywhere, and passwords are stored on every workstation (=> LSADUMP).
> > - VNC/PCAnywhere/... using the same password on all mission-critical legacy NT4 servers.
> > - Blank "SA" password, especially in case of 3rd party applications that silently installed an MSDE database.
> > - ...
> >
> > How can you fix it? Certainly not by fuzzing and flaw-finding :)
> >
> > Regards,
> > - Nicolas RUFF

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- "The organization I belong to doesn't have initals" (that evil dude in Heroes) Dave Aitel (Nov 12)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Tito Villalobos (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Pete Herzog (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Steve Manzuik (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Paul Melson (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Steve Manzuik (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Olef Anderson (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Nicolas RUFF (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) David Maynor (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Daniel (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Siim Põder (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Matt Richard (Nov 15)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) dan (Nov 16)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Rhys Kidd (Nov 16)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Matt Richard (Nov 16)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Dave Aitel (Nov 16)