Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes)

From: Daniel <daniel () ugc-labs co uk>
Date: Tue, 14 Nov 2006 21:10:24 +0700
David,

Say your on a test for a large financial bank and you use a 0hday to  
take down their core IIS web farm. How do you explain to the CSO how  
to remedy the problem. Do you explain the risk value you have  
assigned for a vulnerability which has no solution/patch?.

A prime example of this would be a 0hday in IIS6.0

David: your IIS 6.0 is vulnerable to a unpublished, unknown  
vulnerability
CSO: So what do we do David??
David: secure your network
CSO: How?
David: ????
CSO: Microsoft has no patch for this, they cannot help. I've paid you  
to do an assessment, what is the risk of the vulnerability versus the  
loss of business if I have to shut down our front-end trading system

See what I mean?


On 14 Nov 2006, at 19:55, David Maynor wrote:


Using 0day in pentests I still very valid, IMHO. The goal of designing
a secure environment is that it could survive and repel an assault
from a determined attacker. Since the debate about whether 0day is
used in real world attacks seems to finally be over thanks to thing
like IE and office bugs, a person has to take the 0day angle into
account while designing an infrastructure. Of course people that leave
password lists on open shares will care about this less than people
who have been through a pentest process and implemented the
suggestions.

On 11/14/06, Nicolas RUFF <nruff () security-labs org> wrote:

When I was a consultant my shtick was that a "pen-test" is a  
complete
waste of time if you don't have
your other ducks in line.  This was based on the un-scientific  
research
conducted by myself that
basically concluded that 99/100 pen-tests are almost always  
successful.

[...]

That's a misleading way to frame the conversation, don't you  
think?  A
pen-test isn't supposed to answer the yes/no question, "Can you  
be hacked?"
It's supposed to ask the open-ended questions, "How can you be  
hacked?" and
"How can you fix it?"


In my experience, "99/100 internal pen-tests are successful during  
the
first 10 minutes, without using any 0day attack".

(I don't even own a CANVAS licence :)

This means:
- Domain admin account created with a trivial password, for  
someone who
never logged in.
- "Password.xls" file found on a public share.
- Variations: the share is hidden ('$' sign), the Excel file is
password-protected.
- Local admin password is the same on every workstation - once you  
get
yours, you can connect to any admin workstation.
- Service accounts can be used to log in anywhere, and passwords are
stored on every workstation (=> LSADUMP).
- VNC/PCAnywhere/... using the same password on all mission-critical
legacy NT4 servers.
- Blank "SA" password, especially in case of 3rd party  
applications that
silently installed a MSDE database.
- ...

How can you fix it ? Certainly not by fuzzing and flaw-finding :)

Regards,
- Nicolas RUFF
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: