Full Disclosure mailing list archives

Re: [Professional IT Security Providers - Exposed] PlanNetGroup ( F )


From: "SecReview" <secreview () hushmail com>
Date: Mon, 21 Jan 2008 11:40:36 -0500

Nate,
    Your email was constructive and much appreciated. We'll go over the review a second time and incorporate some of your suggestions. Thank you for taking the time to provide so much good feedback.



On Mon, 21 Jan 2008 02:07:50 -0500 Nate McFeters <nate.mcfeters () gmail com> wrote:
SecReview,
My 2 cents on your review, although I will try to be nicer than you were to the reviewee. I'm completely skipping your section where you talked to the non-technical person, that's not even fair... sorta like reviewing a consulting group based on their website alone... oh shit, I forgot you guys do that too.

Your comments on Question 1:

We're not impressed with Michael's answer. First off we have no idea what the hell this means: "Depending on time and availability, we will work on finding any new vulnerability if we generate an anomaly of interest." And we totally disagree with "Currently, the focus is primarily on discovering new Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat on, compared to Oracle." In fact, whatever is being described above doesn't sound anything like a vulnerability assessment, we're not sure what kind of service it is.

The first portion "Depending on time and availability..." I don't understand what your confusion is. Basically the responder is saying that he's willing to do what the client will pay him for. Consulting is not a cookie-cutter gig, so sometimes clients want you to spend 5 minutes running scans, some want you to fuzz a proprietary protocol for as long as it takes. I personally don't think either end of the extreme is of value to the client, but you can hardly fault the respondent for delivering what the client asks for.

The second, I don't agree the overall focus is on Oracle, but if you read the news (ZDnet, eWeek), or if you follow the conferences (HITB Malaysia 2007, great Oracle presentation), then you will know that Oracle is catching a bit of the limelight. Besides that, I don't think you are qualified to say what exactly a vulnerability assessment is... if the client is paying you to assess their database servers, then that is a vulnerability assessment of their database servers and that is what the work is. Different clients have different needs, and there are different specialty consulting groups to help meet those... can hardly fault him if his specialty is databases.

Your Comments on Question 2:

trying to be cute with your "Again, carefully!" bullshit?

Come on guys... imagine you get called by a group of people asking to assess your company and you don't know who they are, wouldn't you try to befriend them if possible? A little professionalism would go a long way to improving your reviews.

A penetration test is not "Anything Goes!"

Umm... sorry guys, there is plenty of cause for performing a Denial of Service test. Keep in mind that availability is a large portion of what security is about. I don't think he's talking about using a bot net to try to take them down.

it doesn't sound like Michael knows how to perform IDS evasion testing. Using a proxy is not going to help anyone evade detection, it will just help them to hide their IP address.

Hmm... well, you're partially right. I suppose that if he had enough proxy servers and kept his scans very focused, he "might" be able to get around an IDS. In any case, not all clients want IDS evasion performed... for instance, they may want to test their incident response, or, they may allow the consulting group through the IPS/IDS in an effort to save on time and costs.

Your response to question 3:

From the answer above, it looks like they like the same tools as most people. That said, we've seen no proof of talent from anyone at PlanNetGroup yet. So we're near certain that their deliverables ARE the product of automation.

If they are the same tools that everyone use, how can you knock them for that? It seems to me that a group starts with a score of 0 in your book, and then if they impress you they get points. If you don't ask the right questions, I don't see how they could impress you. I concede, it is certainly possible that they have no skills, and that they use automation, but I don't think it is fair to say that at this point of the review.

Your response to question 4:

Whoa, it takes too much time to create a fake deliverable? Well that's one way to get out of it, but we don't buy it. Either way, at this point we don't feel that a sample report would help this review, we've seen nothing impressive yet.

Ever tried to do so? It does take awhile, and it is risky. If you miss sanitization and release results of one of your clients you could get sued. Perhaps given the context of the investigation he didn't want to give you an old report and it would take too long and too much of his billable time to actually get this to you. That's not unreasonable. You aren't paying him. Again with the comments of nothing impressive yet. You are asking generic questions, how could anything be impressive? It's a phone call or email and you are asking questions that almost all consulting groups should have relatively the same answers to... I see nothing impressive in that at all.

Your response to question 5:

It sounds like Michael has a difficult time sticking to the scope of work. Any time anyone performs Distributed Metastasis it should be built into a scope of work first. If it is not, then do not perform the testing because it is invasive and will get you into trouble. This is a big negative point in our eyes as its critical that providers are able to adhere to the scope of work for each specific engagement.

I actually agree with most of this, but then again, as long as he doesn't go over the client's budgetary and time constraints and is providing the customer with value, I have no problem with going outside of scope as long as the client does not. Also, I don't know that it is a big negative as you say.

Your response to question 6:

It sounds like Michael is a corporate security guy and has no experience as a hacker.

Bit of a blanket statement I'd say, but OK, let's assume you are correct.

Certifications hold little to no water when it comes to real IT security.

Agreed, but you are totally putting words into his mouth. He basically says the same thing by calling the CISSP a definition test. Why do that? Most people in security have the certs... most realize they are worth nothing and don't really test tech knowledge, but instead test business knowledge.

What does hold water is experience and from what we can tell, Michael has no real hacker experience.

Please define "no real hacker experience". If you mean he isn't 31337 like you guys, then OK. BTW, most clients aren't just paying for "real hacker experience" they're also paying for the business side, i.e. what is my risk, how can I mitigate, etc. A good team has both people.

On your response to question 7:

Do you resell third party technologies?

We don't think that it is a good idea that Professional IT Security Providers sell third party technologies. Specifically because they become biased towards a specific technology and push that technology as a method of remediation when better methods might already exist.

Agreed. But that said, what if your third-party tech. has nothing to do with the main thrust of your consulting work? The question is pretty vague.

On your response to question 8 and 9:

Ok, I'll buy that you have cookie cutter definitions from google of those flaws and that his definitions don't fit. I'll even buy that you make a good point when you say EIP overwrite is not the only method of exploitation (especially these days), but I'm wondering what you expected. Should he have rattled on and on about how to exploit b0f in an XP SP 2 environment? Talk to you at length about DEP? Bit ridiculous expectations. Hell, while you're at it, why didn't you ask him about integer overflows? Off-by-one/few/many exploits? Heap overflows? Why not have him recite the Heap Feng Shui method to you? What about double free flaws, dangling pointers, etc. etc. etc. Let's be serious here, unless you are contracted by Microsoft or another major software vendor, you probably don't pay the bills by doing your own research, so... does this really matter? Sure, it's great... I'd like to know that consultants I was paying top dollar to knew about this, but if he comes on site and spends 3 weeks trying to find an integer overflow, I'm going to be pissed.

Disclaimer:
I'm not a client of PlanNetGroup. Also, I don't think what you are trying to do is a terrible thing, there's lots of snake oil being sold in the commoditized security market out there, but I disapprove of your professionalism and your methods. Also, I believe the list is still waiting for you to credentialize yourself/yourselves. That still doesn't seem to have been grasped here. Look, if you're someone people respect, then maybe people will buy your reviews, but somehow I doubt that is the case. I'm basing that view off of the content of your website and the fact that you still have not credentialized yourself as the list called for so long ago. Do that, and I will re-review my review of your reviews.

Nate

On Jan 20, 2008 7:17 PM, secreview <secreview () hushmail com> wrote:

The PlanNetGroup is a Professional IT Security Services Provider located at http://www.plannetgroup.com. One of our readers requested that we perform a review of the PlanNetGroup, so here it is. It is important to state that there isn't all that much information available on the web about the PlanNetGroup, so this review is based mostly on the interviews that we performed.

The PlanNetGroup was founded by Jim Mazotas of Ohio USA according to this Affirmative Action Verification Form <http://odnapps01.odn.state.oh.us/das-eod/EODBMSDev.nsf/d881c0c739c3c9b985257344004f1929/c3e323de1df5162b8525735d00607a6d?OpenDocument>. We called Mr. Succotash and spoke with him for about an hour about his company, here's what he had to say.

When we spoke with Jim Mazotas we asked him how he defined a Penetration Test. His answer wasn't really an answer at all but rather was a bunch of technical words strung into sentences that made no sense. Here is what he said for the most part. We can't give you an exact quote because he requested that some of the information related to clients, etc be kept confidential.

"We get to target object, where we go with that is based upon the client's comfort level. We grab banner information, backend support information, and other kinds of information. During a penetration test we most will not penetrate. Most mid level companies will not want penetration." – Sanitized Quote from Jim

Not only do we not understand what Jim said, but he'd be better off saying "I don't know" next time instead of looking like an idiot and making up an answer. This goes for all of you people that get asked technical questions. If you say "I don't know" at least you won't look like a fool. Anyway.

When we asked Jim to define a Vulnerability Assessment, we became even more flustered. Again his answer was like a politician trying to evade a question with a bunch of nonsensical noise. Again, we've sanitized this at Jim's request.

"A Vulnerability Assessment is more a lab based environment type test. Analyze servers and all nodes that are a true vital asset to the company and assess the vulnerability in a very planned out manner. This is done in a lab based environment." – Sanitized Quote from Jim

Again, next time say "I don't know" because now you look like an idiot. Nobody expects you to know everything, but when you make shit up and try to fool people, it's insulting. To be fair to Jim, he did say that he was not technical, but we didn't get technical here. As the founder of the business he should at least know what his different service boundaries are and how his services are defined.

When we asked Jim if his team performed Vulnerability Research and Development, he said that they did not have the time because they were "fully booked". His primary customer base includes state government and a few private sector businesses. Unfortunately, we can't disclose who his exact customers are. He did say that he provides Network Management Services and Wireless Management services for many of his clients. Sounds more IT related than Professional Security related.

When we finished with our call to Jim we asked him if he'd be kind enough to give us contact information for someone more technical in his company. He told us that he'd be happy to arrange a call with someone. At the end, we didn't end up calling anyone but instead shot a few emails back and forth. The rest of this review is based on those emails.

We decided to ask the same questions to Jim's technical expert. We know who his expert is, but we assume that he wants to stay anonymous because he signed his email with "Jason Bourne". So for the sake of this interview we'll call him Michael. Here's the email from Michael:

-) How do you perform your vulnerability assessments?

"* Carefully! :) Typically, we will work with the customer to define the scope of the assessment; limitations to OS, Network Equipment, Web Server, etc. This could be a combination of components (depending on scope), the real goal ultimately with this is to assess the patching effort of a customer. Depending on time and availability, we will work on finding any new vulnerability if we generate an anomaly of interest. Currently, the focus is primarily on discovering new Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat on, compared to Oracle. Within vulnerability assessments, we disregard any attempts to evade IDS, IPS, etc."

We're not impressed with Michael's answer. First off we have no idea what the hell this means: "Depending on time and availability, we will work on finding any new vulnerability if we generate an anomaly of interest." And we totally disagree with "Currently, the focus is primarily on discovering new Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat on, compared to Oracle." In fact, whatever is being described above doesn't sound anything like a vulnerability assessment, we're not sure what kind of service it is.

-) How do you perform your penetration testing?

"* Again, carefully! The definition that I use with customers is - Anything Goes! In addition to attempting to locate missing patches, vulnerable IOS's, applications, etc - we will perform an assortment of timed attacks, attempt to spoof trusted connections, or even perform social engineering - like dropping a few pre-trojan'd usb data sticks outside of a customer service area, a data center, etc. The only thing that we do not perform, typically, is denial of service style or type of attacks. We have had only one customer that we felt was in the position to handle such a test and it was performed against their disaster recovery infrastructure, not production."

Michael, why are you trying to be cute with your "Again, carefully!" bullshit? A penetration test is not "Anything Goes!", if that's how you define it then I don't want you anywhere near any of my networks. And why the hell would you perform a Denial of Service attack against anyone? Everybody can be knocked off line if you fill up their pipe. You scare us man!


-) How do you perform evasive IDS testing?

"* We use a series of proxy servers to attempt to perform basic hacking techniques; port scans, blatant attacks, etc. We are typically going to look for TCP resets as a means to evaluate if IDS is present and possibly to find if IDS performs blocking activity. Often times, if a system in a trusted DMZ can be compromised and used as a proxy (exploiting a relationship or rule within a firewall) or an SSH, SSL, encrypted tunnel can be established to a server behind the IDS sensor then we can successfully pull off an attack without the customers security staff even knowing."

It doesn't sound like Michael knows how to perform IDS evasion testing. Using a proxy is not going to help anyone evade detection, it will just help them to hide their IP address. If the target network or application is being protected by an IPS device, then the IP that they are attacking from will be shunned just the same. So, we understand that the PlanNetGroup's expert hasn't a clue as to how to evade IDS. (Michael, did you get your answer from Google?)

-) What tools do you favor?

"* We really do not favor any tools. The focus of our effort (Assuming we are performing a pen-test or assessment) is to analyze a situation and choose the best tool for the end result or compromise. I will use commercial applications, such as AppScan, WebInspect, even ISS. There are however plenty of freeware, low-cost tools that we use; nmap, nessus, metasploit - ultimately, I find that an internet browser and a telnet prompt will suffice for much of the testing. It ultimately gets back to interpreting the results and adjusting the testing accordingly. We make it a point to try out new freeware tools on every assignment. The more tools that we know of and can test with opens our options if in the future a situation best suited for a tool presents itself."

Every business that delivers security services has a set of tools that they use. These tools change from business to business, but common ones are nessus, webinspect, CANVAS, Core Impact, Metasploit, etc. From the answer above, it looks like they like the same tools as most people. That said, we've seen no proof of talent from anyone at PlanNetGroup yet. So we're near certain that their deliverables ARE the product of automation.

-) Can you provide us with sample deliverables? (sanitized)

"* No, too much time. Even to sanitize creates an opportunity for a liability in the event that a customer name is exposed ... accidents do happen! I will say that we do not take dumps from applications and regurgitate the information on paper. We limit our executive summary to 6 pages at most and attempt to keep the entire report limited to 25 pages in total. Our goal with a deliverable is to get the precise information to the key stake holders so that they can make a decision."

Whoa, it takes too much time to create a fake deliverable? Well that's one way to get out of it, but we don't buy it. Either way, at this point we don't feel that a sample report would help this review, we've seen nothing impressive yet.

-) Do you offer the option of performing Distributed Metastasis?

"* No, not really. This is my decision as in a previous life I got walked out of Bell Atlantic Mobile (Verizon Wireless) using this technique when I compromised their Unix infrastructure by compromising the rlogin function (on all Unix servers, across all data centers). There is no substitute for experience, especially bad ones!"

It sounds like Michael has a difficult time sticking to the scope of work. Any time anyone performs Distributed Metastasis it should be built into a scope of work first. If it is not, then do not perform the testing because it is invasive and will get you into trouble. This is a big negative point in our eyes as it's critical that providers are able to adhere to the scope of work for each specific engagement.

-) What is your background with relation to information security?

"* Too long, too boring. Yeah got the CISSP (nice vocabulary test), but had to as I worked for DOD. Got a number of Certifications (I have a stack almost an inch thick and only get into them about once a year to throw another couple on top of the previous ones) - too much alphabet soup for me, but bosses and customers like it. Spoke at a number of European conferences, but found too many people did not understand a word I was talking about, so I got tired of that and quit that scene. My outlook on security has changed, to the point that I will advise customers of their risk, attempt to make it practical - but if they make a conscious choice not to listen - I do not fret over it."

It sounds like Michael is a corporate security guy and has no experience as a hacker. Certifications hold little to no water when it comes to real IT security. What does hold water is experience and from what we can tell, Michael has no real hacker experience.

-) Do you resell third party technologies?

"* No, but kind of wished that we would. I think that it would help with sales."

We don't think that it is a good idea that Professional IT Security Providers sell third party technologies. Specifically because they become biased towards a specific technology and push that technology as a method of remediation when better methods might already exist.

-) Can you tell me why the EIP is important?

"* The EIP controls an application's execution. If an attacker can modify the EIP while it is being pushed on the stack then the attacker *could* execute their own code and create a thread (aka. a buffer overflow condition exists). I had a good refresher this past year at Blackhat with a course run by Saumil Shah - he had an interesting buffer overflow for the Linked-In client."

The EIP is the Instruction Pointer for the x86 architecture. The purpose of the EIP is to point to the next instruction in a particular code segment. If the EIP can be overwritten then the flow of control of an application can be changed. In most cases this can lead to the execution of arbitrary code on the targeted system. Hackers use this to penetrate vulnerable systems.

-) Can you define a format string exploit?

"* A format string exploit leverages what is considered a programming bug. If input is not sanitized, an attacker can perform calls to the stack; read, write, etc without knowing details about the EIP."

Unfortunately this answer isn't accurate or detailed enough as almost all software vulnerabilities are the result of user input that is not properly sanitized or validated. A format string condition occurs when a user inserts a format token into a C based application and that input is not properly sanitized. Hence why it is called a format string vulnerability. When that input hits a function that performs formatting, such as printf() the input is interpreted in accordance with the format tokens. Sometimes this can be used to write arbitrary data to arbitrary memory locations. The EIP isn't the only valuable memory location.




If you've managed to get this far, then you've survived reading Michael's answers to our questions. We're not going to spend much more time writing this review because by now we've formed our opinion. We did take a quick look at the PlanNetGroup's website and as with their people, we were not the least bit impressed.

Our opinion of the PlanNetGroup is that they'd have a hard time hacking their way out of a wet paper bag. Their security expert is not an expert by our standards, as he did not properly answer any of our questions or help to define any of their services. We're pretty sure that the PlanNetGroup could run nessus and offer basic vulnerability assessment services. We're also pretty sure that they could offer IT services at some level. But we'd hardly call them subject matter experts and wouldn't recommend their services to anyone.

If you are using the PlanNetGroup services and feel that we have not given them a fair review then please comment on this post. We will consider your comments. We have to say that Jim and Michael were both very polite, friendly, and respectful, but we can't let their kind nature impact our opinion of their service delivery capabilities. We think that they should sit down and try to define their services properly. We also think that they should hire an ethical hacker with real world experience if they intend to protect anyone.

Score Card: <http://bp2.blogger.com/_VcwqM25xL9M/R5PxN8GqVTI/AAAAAAAAACU/D7T4RSQlSXs/s1600-h/96YV5X.jpeg>

--
Posted By secreview to Professional IT Security Providers - Exposed <http://secreview.blogspot.com/2008/01/plannetgroup-f.html> at 1/20/2008 04:21:00 PM
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Regards, 
      The Secreview Team
      http://secreview.blogspot.com

      Professional IT Security Service Providers - Exposed

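The exchange above about the EIP (question 8 in the quoted review) is argued in prose only. The following is an added example, not code from the original post, from PlanNetGroup or from any of the list participants, that shows the mechanism the review describes: an unchecked copy runs past the end of a buffer into an adjacent code pointer, and the next indirect call lands wherever the attacker's bytes point. A function pointer field stands in for the saved return address (a real stack smash corrupts the saved EIP/RIP the same way), and the copy is deliberately bounded by the enclosing struct so the demonstration stays within defined behaviour and compiles cleanly on 32- and 64-bit targets. The names `dispatch`, `build_payload`, `win` and `benign` are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int g_win_called;

static void benign(void) { }                       /* what the program intends to call */
static void win(void)    { g_win_called = 1; }     /* stands in for attacker-chosen code */

/* A record whose name buffer sits right before a code pointer, the way a
 * stack buffer sits right before the saved return address (EIP). */
struct record {
    char name[16];
    void (*handler)(void);
};

/* Copy 'name' into the record and then dispatch through the code pointer.
 * bounds_checked == 0 reproduces the bug: the copy length is whatever the
 * caller supplied, not sizeof r.name, so bytes past the end of name land on
 * r.handler. Returns 1 if control reached win(), 0 if benign() ran, -1 if
 * the hardened path rejected the input. */
int dispatch(const unsigned char *name, size_t n, int bounds_checked)
{
    struct record r;
    memset(&r, 0, sizeof r);
    r.handler = benign;
    g_win_called = 0;

    if (bounds_checked) {
        if (n > sizeof r.name)          /* the check the vulnerable path lacks */
            return -1;
    } else if (n > sizeof r) {
        n = sizeof r;                   /* keep the demo inside the object */
    }
    /* Copy relative to the struct base so the write stays within a single
     * object (defined behaviour); a real overflow offers no such courtesy. */
    memcpy((char *)&r + offsetof(struct record, name), name, n);

    r.handler();                        /* indirect call: hijacked if overwritten */
    return g_win_called;
}

/* Build the classic payload: filler up to the code pointer, then the
 * address of the function we want executed, in native byte order. */
size_t build_payload(unsigned char *out, size_t cap)
{
    void (*target)(void) = win;
    size_t off = offsetof(struct record, handler);
    if (cap < off + sizeof target)
        return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

int main(void)
{
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload);
    printf("unchecked copy, %zu-byte payload: %s\n", n,
           dispatch(payload, n, 0) == 1 ? "handler hijacked" : "not hijacked");
    printf("bounds-checked copy: %s\n",
           dispatch(payload, n, 1) == -1 ? "rejected" : "accepted");
    return 0;
}
```

The payload is nothing more than padding up to the code pointer plus the pointer value; in a real stack overflow the padding covers the buffer, any saved registers and the saved frame pointer, and the "target" is the address of shellcode or of an existing instruction sequence. Whether the overwritten pointer is a saved EIP, a function pointer, or a vtable entry, the defence is the same one shown in the hardened path: the copy length must come from the destination's size, never from the input.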
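The review's description of a format string condition (question 9 above: untrusted input reaching a formatting function and being interpreted according to its tokens) is easiest to see next to the hardened form. This is an added example, not code from the original post or from PlanNetGroup. It uses a logging wrapper, `log_line`, which is an assumption for the example, because that is where the bug usually appears in practice: a caller passes user-controlled text where the wrapper expects a format. The safe test input `100%%` is constructed; the vulnerable path consumes it as a directive and prints `100%`, the hardened path prints it verbatim. `count_directives` is the review-time check: it counts `%` conversions in a string and flags `%n`, the directive that turns a read into a write, which is what the "write arbitrary data to arbitrary memory locations" sentence refers to.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Thin logging wrapper of the kind found in many code bases (assumed
 * helper for this example). It has no format attribute, so the compiler
 * will not warn when a caller hands it non-constant text as the format. */
static int log_line(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable: untrusted text is the format. Every '%' directive in it is
 * interpreted. "%x"/"%p" read the caller's argument area (stack on x86),
 * "%s" dereferences it, and "%n" writes a count to an address taken from
 * it; with "%<k>$n" the attacker picks which slot supplies that address. */
int render_vulnerable(char *out, size_t cap, const char *untrusted)
{
    return log_line(out, cap, untrusted);
}

/* Hardened: the format is a constant and the untrusted text is only ever
 * consumed as a "%s" argument, so its '%' characters are plain data. */
int render_hardened(char *out, size_t cap, const char *untrusted)
{
    return log_line(out, cap, "%s", untrusted);
}

/* Count conversion directives in s and report whether any is "%n".
 * "%%" is a literal percent sign and is not counted. Flags, width,
 * precision, positional "$" and length modifiers are skipped so that
 * "%08x" and "%5$n" each count as one directive. */
int count_directives(const char *s, int *has_n)
{
    int count = 0;
    if (has_n) *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }              /* "%%" -> '%' */
        p++;
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p)) p++;
        if (!*p) break;                                   /* dangling '%' */
        if (*p == 'n' && has_n) *has_n = 1;
        count++;
    }
    return count;
}

int main(void)
{
    char buf[64];
    int has_n;
    const char *input = "100%%";                          /* constructed input */

    render_vulnerable(buf, sizeof buf, input);
    printf("vulnerable: %s\n", buf);                      /* 100%  */
    render_hardened(buf, sizeof buf, input);
    printf("hardened:   %s\n", buf);                      /* 100%% */

    int n = count_directives("%08x.%08x.%n", &has_n);
    printf("directives=%d has_n=%d\n", n, has_n);         /* 3, 1 */
    return 0;
}
```

`100%%` is chosen because it is the one directive that consumes no argument, so the vulnerable path runs without undefined behaviour; feeding it `%p.%p.%p` or `%n` is exactly the read and write primitive the review describes and is not something to run outside a debugger. On a code base the equivalent of `count_directives` is a search for printf-family calls (and wrappers like `log_line`) whose format argument is not a string literal; `-Wformat-security` catches the direct calls but not the wrapper, which is why the wrapper pattern deserves review.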
