Dailydave mailing list archives

Where the Wild Things Are


From: Dave Aitel <dave () immunityinc com>
Date: Wed, 24 Jan 2007 18:59:56 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yesterday over Belgian food (oddly enough) we had a conversation like
this:

A: So, the next two days of class should teach us to be better
penetration testers?
B: Well, it'll teach you how to be a better hacker. That's not the
same thing, but it will either make you a better penetration tester or
just a more interesting person.
A: So what's the difference between hacking and penetration testing?

This is one of those questions that you can have really long boring
threads on, like the iPhone thread, but which is still quite a good
question. I think the "difference between Vulnerability Assessment and
Penetration Testing" is a lot easier. If you stop after you find the
first bug, it's a penetration test. If you try to find all the bugs in
a system, it's a vulnerability assessment. Easy.

But penetration testing and hacking are much more similar, and yet
completely different in some way, like the difference between pancakes
and crepes (It's breakfast time here in Singapore).

First of all, there's covertness. It's no mistake that CANVAS had
covertness as a giant part of the UI from almost day 1. Covertness
requires infrastructure - an insane amount of infrastructure. (For
example, hacking requires that you fly around the world teaching
people to hack just like you, so that you gain some anonymity. :>)
There's a reason good hackers search out other good hackers to hang
with - and it's not because they're naturally social beasts. It's
because the job is really massive if you're going to do it right. The
exploits have to be...insanely good. The toolset required is huge and
changes constantly. As protective technology improves, you need to
start building specialized debuggers, binary analysis, and statistical
analysis tools. This isn't cheap, which means now you need business
and organizational skills. And eventually this level needs to trickle
down to penetration testers.

Penetration testing used to be one of the simplest things in security.
You portscanned, you downloaded tools from the internet, you ran them.

These days it's a lot harder, but still nothing compared to the needs
of a hacker. Nonetheless, the hacker does have a few things going for
them. In particular, two major things: Scope, and Time.

There's no such thing as scope to a hacker, and if they need to own
your entire ISP to get one step closer to you, they will. Makes MITM
attacks easier. And a hacker can watch their prey over long periods of
time. You'll have 3 system administrators before the hacker gives up
watching you. All hunters have patience.

Speaking of hunters, tonight I'm headed to the "Night Zoo" with Thomas
Lim to see some of the original creatures of Singapore.  You gotta
take your nature where you can find it.

- -dave
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFt/L6tehAhL0gheoRApNJAJwJYs4EkXoXTqWgw/CFgE+EKsQ0agCeOtao
ByhLgOa6BwPkblV2GDPMIMg=
=EMtA
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
