Full Disclosure mailing list archives
Re: [Professional IT Security Providers -Exposed] PlanNetGroup ( F )
From: "Jerry dePriest" <jerryde () mc net>
Date: Mon, 21 Jan 2008 10:55:41 -0600
nice to see some have mlk off and nothing better to do

----- Original Message -----
From: "SecReview" <secreview () hushmail com>
To: <nate.mcfeters () gmail com>
Cc: <full-disclosure () lists grok org uk>
Sent: Monday, January 21, 2008 10:40 AM
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] PlanNetGroup ( F )

Nate,

Your email was constructive and much appreciated. We'll go over the review a second time and incorporate some of your suggestions. Thank you for taking the time to provide so much good feedback.

On Mon, 21 Jan 2008 02:07:50 -0500 Nate McFeters <nate.mcfeters () gmail com> wrote:

> SecReview,
>
> My 2 cents on your review, although I will try to be nicer than you were to the reviewee. I'm completely skipping your section where you talked to the non-technical person, that's not even fair... sorta like reviewing a consulting group based on their website alone... oh shit, I forgot you guys do that too.
>
> Your comments on Question 1:
>
>> We're not impressed with Michael's answer. First off we have no idea what the hell this means: "Depending on time and availability, we will work on finding any new vulnerability if we generate an anomaly of interest." And we totally disagree with "Currently, the focus is primarily on discovering new Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat on, compared to Oracle." In fact, whatever is being described above doesn't sound anything like a vulnerability assessment, we're not sure what kind of service it is.
>
> The first portion "Depending on time and availability..." I don't understand what your confusion is. Basically the responder is saying that he's willing to do what the client will pay him for. Consulting is not a cookie-cutter gig, so sometimes clients want you to spend 5 minutes running scans, some want you to fuzz a proprietary protocol for as long as it takes. I personally don't think either end of the extreme is of value to the client, but you can hardly fault the respondent for delivering what the client asks for.
>
> The second, I don't agree the overall focus is on Oracle, but if you read the news (ZDNet, eWeek), or if you follow the conferences (HITB Malaysia 2007 great Oracle presentation), then you will know that Oracle is catching a bit of the limelight.
>
> Besides that, I don't think you are qualified to say what exactly a vulnerability assessment is... if the client is paying you to assess their database servers, then that is a vulnerability assessment of their database servers and that is what the work is. Different clients have different needs, and there are different specialty consulting groups to help meet those... can hardly fault him if his specialty is databases.
>
> Your comments on Question 2:
>
>> trying to be cute with your "Again, carefully!" bullshit?
>
> Come on guys... imagine you get called by a group of people asking to assess your company and you don't know who they are, wouldn't you try to befriend them if possible? A little professionalism would go a long way to improving your reviews.
>
>> A penetration test is not "Anything Goes!"
>
> Umm... sorry guys, there is plenty of cause for performing a Denial of Service test. Keep in mind that availability is a large portion of what security is about. I don't think he's talking about using a bot net to try to take them down.
>
>> it doesn't sound like Michael knows how to perform IDS evasion testing. Using a proxy is not going to help anyone evade detection, it will just help them to hide their IP address.
>
> Hmm... well, you're partially right. I suppose that if he had enough proxy servers and kept his scans very focused, he "might" be able to get around an IDS. In any case, not all clients want IDS evasion performed... for instance, they may want to test their incident response, or, they may allow the consulting group through the IPS/IDS in an effort to save on time and costs.
>
> Your response to question 3:
>
>> From the answer above, it looks like they like the same tools as most people. That said, we've seen no proof of talent from anyone at PlanNetGroup yet. So we're near certain that their deliverables ARE the product of automation.
>
> If they are the same tools that everyone uses, how can you knock them for that? It seems to me that a group starts with a score of 0 in your book, and then if they impress you they get points. If you don't ask the right questions, I don't see how they could impress you. I concede, it is certainly possible that they have no skills, and that they use automation, but I don't think it is fair to say that at this point of the review.
>
> Your response to question 4:
>
>> Whoa, it takes too much time to create a fake deliverable? Well that's one way to get out of it, but we don't buy it. Either way, at this point we don't feel that a sample report would help this review, we've seen nothing impressive yet.
>
> Ever tried to do so? It does take a while, and it is risky. If you miss sanitization and release results of one of your clients you could get sued. Perhaps given the context of the investigation he didn't want to give you an old report and it would take too long and too much of his billable time to actually get this to you. That's not unreasonable. You aren't paying him.
>
> Again with the comments of nothing impressive yet. You are asking generic questions, how could anything be impressive? It's a phone call or email and you are asking questions that almost all consulting groups should have relatively the same answers to... I see nothing impressive in that at all.
>
> Your response to question 5:
>
>> It sounds like Michael has a difficult time sticking to the scope of work. Any time anyone performs Distributed Metastasis it should be built into a scope of work first. If it is not, then do not perform the testing because it is invasive and will get you into trouble. This is a big negative point in our eyes as it's critical that providers are able to adhere to the scope of work for each specific engagement.
>
> I actually agree with most of this, but then again, as long as he doesn't go over the client's budgetary and time constraints and is providing the customer with value, I have no problem with going outside of scope as long as the client does not. Also, I don't know that it is a big negative as you say.
>
> Your response to question 6:
>
>> It sounds like Michael is a corporate security guy and has no experience as a hacker.
>
> Bit of a blanket statement I'd say, but OK, let's assume you are correct.
>
>> Certifications hold little to no water when it comes to real IT security.
>
> Agreed, but you are totally putting words into his mouth. He basically says the same thing by calling the CISSP a definition test. Why do that? Most people in security have the certs... most realize they are worth nothing and don't really test tech knowledge, but instead test business knowledge.
>
>> What does hold water is experience and from what we can tell, Michael has no real hacker experience.
>
> Please define "no real hacker experience". If you mean he isn't 31337 like you guys, then OK. BTW, most clients aren't just paying for "real hacker experience", they're also paying for the business side, i.e. what is my risk, how can I mitigate, etc. A good team has both people.
>
> On your response to question 7: Do you resell third party technologies?
>
>> We don't think that it is a good idea that Professional IT Security Providers sell third party technologies. Specifically because they become biased towards a specific technology and push that technology as a method of remediation when better methods might already exist.
>
> Agreed. But that said, what if your third-party tech. has nothing to do with the main thrust of your consulting work? The question is pretty vague.
>
> On your response to questions 8 and 9:
>
> Ok, I'll buy that you have cookie cutter definitions from Google of those flaws and that his definitions don't fit. I'll even buy that you make a good point when you say EIP overwrite is not the only method of exploitation (especially these days), but I'm wondering what you expected. Should he have rattled on and on about how to exploit b0f in an XP SP 2 environment? Talk to you at length about DEP? Bit ridiculous expectations.
>
> Hell, while you're at it, why didn't you ask him about integer overflows? Off-by-one/few/many exploits? Heap overflows? Why not have him recite the Heap Feng Shui method to you? What about double free flaws, dangling pointers, etc. etc. etc. Let's be serious here, unless you are contracted by Microsoft or another major software vendor, you probably don't pay the bills by doing your own research, so... does this really matter? Sure, it's great... I'd like to know that consultants I was paying top dollar to knew about this, but if he comes on site and spends 3 weeks trying to find an integer overflow, I'm going to be pissed.
>
> Disclaimer: I'm not a client of PlanNetGroup. Also, I don't think what you are trying to do is a terrible thing, there's lots of snake oil being sold in the commoditized security market out there, but I disapprove of your professionalism and your methods. Also, I believe the list is still waiting for you to credentialize yourself/yourselves. That still hasn't seemed to be grasped here. Look, if you're someone people respect, then maybe people will buy your reviews, but somehow I doubt that is the case. I'm basing that view off of the content of your website and the fact that you still have not credentialized yourself as the list called for so long ago. Do that, and I will re-review my review of your reviews.
>
> Nate
>
> On Jan 20, 2008 7:17 PM, secreview <secreview () hushmail com> wrote:
>
>> The PlanNetGroup is a Professional IT Security Services Provider located at http://www.plannetgroup.com. One of our readers requested that we perform a review of the PlanNetGroup, so here it is. It is important to state that there isn't all that much information available on the web about the PlanNetGroup, so this review is based mostly on the interviews that we performed.
>>
>> The PlanNetGroup was founded by Jim Mazotas of Ohio USA according to this Affirmative Action Verification Form <http://odnapps01.odn.state.oh.us/das-eod/EODBMSDev.nsf/d881c0c739c3c9b985257344004f1929/c3e323de1df5162b8525735d00607a6d?OpenDocument>. We called Mr. Succotash and spoke with him for about an hour about his company, here's what he had to say.
>>
>> When we spoke with Jim Mazotas we asked him how he defined a Penetration Test. His answer wasn't really an answer at all but rather was a bunch of technical words strung into sentences that made no sense. Here is what he said for the most part. We can't give you an exact quote because he requested that some of the information related to clients, etc be kept confidential.
>>
>> "We get to target object, where we go with that is based upon the client's comfort level. We grab banner information, backend support information, and other kinds of information. During a penetration test we most will not penetrate. Most mid level companies will not want penetration." – Sanitized Quote from Jim
>>
>> Not only do we not understand what Jim said, but he'd be better off saying "I don't know" next time instead of looking like an idiot and making up an answer. This goes for all of you people that get asked technical questions. If you say "I don't know" at least you won't look like a fool. Anyway.
>>
>> When we asked Jim to define a Vulnerability Assessment, we became even more flustered. Again his answer was like a politician trying to evade a question with a bunch of nonsensical noise. Again, we've sanitized this at Jim's request.
>>
>> "A Vulnerability Assessment is more a lab based environment type test. Analyze servers and all nodes that are a true vital asset to the company and assess the vulnerability in a very planned out manner. This is done in a lab based environment." – Sanitized Quote from Jim
>>
>> Again, next time say "I don't know" because now you look like an idiot. Nobody expects you to know everything, but when you make shit up and try to fool people, it's insulting. To be fair to Jim, he did say that he was not technical, but we didn't get technical here. As the founder of the business he should at least know what his different service boundaries are and how his services are defined.
>>
>> When we asked Jim if his team performed Vulnerability Research and Development, he said that they did not have the time because they were "fully booked". His primary customer base includes state government and a few private sector businesses. Unfortunately, we can't disclose who his exact customers are. He did say that he provides Network Management Services and Wireless Management services for many of his clients. Sounds more IT related than Professional Security related.
>>
>> When we finished with our call to Jim we asked him if he'd be kind enough to give us contact information for someone more technical in his company. He told us that he'd be happy to arrange a call with someone. At the end, we didn't end up calling anyone but instead shot a few emails back and forth. The rest of this review is based on those emails.
>>
>> We decided to ask the same questions to Jim's technical expert. We know who his expert is, but we assume that he wants to stay anonymous because he signed his email with "Jason Bourne". So for the sake of this interview we'll call him Michael. Here's the email from Michael:
>>
>> -) How do you perform your vulnerability assessments?
>>
>> "* Carefully! :) Typically, we will work with the customer to define the scope of the assessment; limitations to OS, Network Equipment, Web Server, etc. This could be a combination of components (depending on scope), the real goal ultimately with this is to assess the patching effort of a customer. Depending on time and availability, we will work on finding any new vulnerability if we generate an anomaly of interest. Currently, the focus is primarily on discovering new Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat on, compared to Oracle. Within vulnerability assessments, we disregard any attempts to evade IDS, IPS, etc."
>>
>> We're not impressed with Michael's answer. First off we have no idea what the hell this means: "Depending on time and availability, we will work on finding any new vulnerability if we generate an anomaly of interest." And we totally disagree with "Currently, the focus is primarily on discovering new Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat on, compared to Oracle." In fact, whatever is being described above doesn't sound anything like a vulnerability assessment, we're not sure what kind of service it is.
>>
>> -) How do you perform your penetration testing?
>>
>> "* Again, carefully! The definition that I use with customers is - Anything Goes! In addition to attempting to locate missing patches, vulnerable IOS's, applications, etc - we will perform an assortment of timed attacks, attempt to spoof trusted connections, or even perform social engineering - like dropping a few pre-trojan'd usb data sticks outside of a customer service area, a data center, etc. The only thing that we do not perform, typically, is denial of service style or type of attacks. We have had only one customer that we felt was in the position to handle such a test and it was performed against their disaster recovery infrastructure, not production."
>>
>> Michael, why are you trying to be cute with your "Again, carefully!" bullshit? A penetration test is not "Anything Goes!", if that's how you define it then I don't want you anywhere near any of my networks. And why the hell would you perform a Denial of Service attack against anyone? Everybody can be knocked off line if you fill up their pipe. You scare us man!
>>
>> -) How do you perform evasive IDS testing?
>>
>> "* We use a series of proxy servers to attempt to perform basic hacking techniques; port scans, blatant attacks, etc. We are typically going to look for TCP resets as a means to evaluate if IDS is present and possibly to find if IDS performs blocking activity. Often times, if a system in a trusted DMZ can be compromised and used as a proxy (exploiting a relationship or rule within a firewall) or an SSH, SSL, encrypted tunnel can be established to a server behind the IDS sensor then we can successfully pull off an attack without the customer's security staff even knowing."
>>
>> It doesn't sound like Michael knows how to perform IDS evasion testing. Using a proxy is not going to help anyone evade detection, it will just help them to hide their IP address. If the target network or application is being protected by an IPS device, then the IP that they are attacking from will be shunned just the same. So, we understand that the PlanNetGroup's expert hasn't a clue as to how to evade IDS. (Michael, did you get your answer from Google?)
>>
>> -) What tools do you favor?
>>
>> "* We really do not favor any tools. The focus of our effort (assuming we are performing a pen-test or assessment) is to analyze a situation and choose the best tool for the end result or compromise. I will use commercial applications, such as AppScan, WebInspect, even ISS. There are however plenty of freeware, low-cost tools that we use; nmap, nessus, metasploit - ultimately, I find that an internet browser and a telnet prompt will suffice for much of the testing. It ultimately gets back to interpreting the results and adjusting the testing accordingly. We make it a point to try out new freeware tools on every assignment. The more tools that we know of and can test with opens our options if in the future a situation best suited for a tool presents itself."
>>
>> Every business that delivers security services has a set of tools that they use. These tools change from business to business, but common ones are nessus, webinspect, CANVAS, Core Impact, Metasploit, etc. From the answer above, it looks like they like the same tools as most people. That said, we've seen no proof of talent from anyone at PlanNetGroup yet. So we're near certain that their deliverables ARE the product of automation.
>>
>> -) Can you provide us with sample deliverables? (sanitized)
>>
>> "* No, too much time. Even to sanitize creates an opportunity for a liability in the event that a customer name is exposed ... accidents do happen! I will say that we do not take dumps from applications and regurgitate the information on paper. We limit our executive summary to 6 pages at most and attempt to keep the entire report limited to 25 pages in total. Our goal with a deliverable is to get the precise information to the key stake holders so that they can make a decision."
>>
>> Whoa, it takes too much time to create a fake deliverable? Well that's one way to get out of it, but we don't buy it. Either way, at this point we don't feel that a sample report would help this review, we've seen nothing impressive yet.
>>
>> -) Do you offer the option of performing Distributed Metastasis?
>>
>> "* No, not really. This is my decision as in a previous life I got walked out of Bell Atlantic Mobile (Verizon Wireless) using this technique when I compromised their Unix infrastructure by compromising the rlogin function (on all Unix servers, across all data centers). There is no substitute for experience, especially bad ones!"
>>
>> It sounds like Michael has a difficult time sticking to the scope of work. Any time anyone performs Distributed Metastasis it should be built into a scope of work first. If it is not, then do not perform the testing because it is invasive and will get you into trouble. This is a big negative point in our eyes as it's critical that providers are able to adhere to the scope of work for each specific engagement.
>>
>> -) What is your background with relation to information security?
>>
>> "* Too long, too boring. Yeah got the CISSP (nice vocabulary test), but had to as I worked for DOD. Got a number of Certifications (I have a stack almost an inch thick and only get into them about once a year to throw another couple on top of the previous ones - too much alphabet soup for me, but bosses and customers like it. Spoke at a number of European conferences, but found too many people did not understand a word I was talking about, so I got tired of that and quit that scene. My outlook on security has changed, to the point that I will advise customers of their risk, attempt to make it practical - but if they make a conscious choice not to listen - I do not fret over it."
>>
>> It sounds like Michael is a corporate security guy and has no experience as a hacker. Certifications hold little to no water when it comes to real IT security. What does hold water is experience and from what we can tell, Michael has no real hacker experience.
>>
>> -) Do you resell third party technologies?
>>
>> "* No, but kind of wished that we would. I think that it would help with sales."
>>
>> We don't think that it is a good idea that Professional IT Security Providers sell third party technologies. Specifically because they become biased towards a specific technology and push that technology as a method of remediation when better methods might already exist.
>>
>> -) Can you tell me why the EIP is important?
>>
>> "* The EIP controls an application's execution. If an attacker can modify the EIP while it is being pushed on the stack then the attacker *could* execute their own code and create a thread (aka. a buffer overflow condition exists). I had a good refresher this past year at Blackhat with a course run by Saumil Shah - he had an interesting buffer overflow for the Linked-In client."
>>
>> The EIP is the Instruction Pointer for the x86 architecture. The purpose of the EIP is to point to the next instruction in a particular code segment. If the EIP can be overwritten then the flow of control of an application can be changed. In most cases this can lead to the execution of arbitrary code on the targeted system. Hackers use this to penetrate vulnerable systems.
>>
>> -) Can you define a format string exploit?
>>
>> "* A format string exploit leverages what is considered a programming bug. If input is not sanitized, an attacker can perform calls to the stack; read, write, etc without knowing details about the EIP."
>>
>> Unfortunately this answer isn't accurate or detailed enough as almost all software vulnerabilities are the result of user input that is not properly sanitized or validated. A format string condition occurs when a user inserts a format token into a C based application and that input is not properly sanitized. Hence why it is called a format string vulnerability. When that input hits a function that performs formatting, such as printf(), the input is interpreted in accordance with the format tokens. Sometimes this can be used to write arbitrary data to arbitrary memory locations. The EIP isn't the only valuable memory location.
>>
>> If you've managed to get this far, then you've survived reading Michael's answers to our questions. We're not going to spend much more time writing this review because by now we've formed our opinion. We did take a quick look at the PlanNetGroup's website and as with their people, we were not the least bit impressed.
>>
>> Our opinion of the PlanNetGroup is that they'd have a hard time hacking their way out of a wet paper bag. Their security expert is not an expert by our standards, as he did not properly answer any of our questions or help to define any of their services. We're pretty sure that the PlanNetGroup could run nessus and offer basic vulnerability assessment services. We're also pretty sure that they could offer IT services at some level. But we'd hardly call them subject matter experts and wouldn't recommend their services to anyone.
>>
>> If you are using the PlanNetGroup services and feel that we have not given them a fair review then please comment on this post. We will consider your comments. We have to say that Jim and Michael were both very polite, friendly, and respectful, but we can't let their kind nature impact our opinion of their service delivery capabilities. We think that they should sit down and try to define their services properly. We also think that they should hire an ethical hacker with real world experience if they intend to protect anyone.
>>
>> Score Card (Click to Enlarge) <http://bp2.blogger.com/_VcwqM25xL9M/R5PxN8GqVTI/AAAAAAAAACU/D7T4RSQlSXs/s1600-h/96YV5X.jpeg>
>>
>> -- Posted By secreview to Professional IT Security Providers - Exposed <http://secreview.blogspot.com/2008/01/plannetgroup-f.html> at 1/20/2008 04:21:00 PM
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

Regards,
The Secreview Team
http://secreview.blogspot.com
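The review's description of a format string condition (untrusted input reaching a formatting function such as printf() as the format argument, where its %-directives are interpreted rather than printed) can be seen in working C. The following is an added example, not code from any participant in this thread or from PlanNetGroup; the function names render_safe, count_format_directives and is_safe_as_format and the sample inputs are constructed for illustration. It shows the hardened call (constant format, input passed as data) and a defender-side check that counts the conversion directives an input would trigger if it were ever used as a format, which is useful for input validation and for reviewing log helpers.

```c
#include <stdio.h>
#include <string.h>

/*
 * VULNERABLE pattern, shown for contrast only and not compiled here:
 *
 *     void log_line(const char *untrusted) { printf(untrusted); }
 *
 * The untrusted text *is* the format string, so every %-directive in it
 * is interpreted by printf instead of being treated as data.
 */

/* Hardened pattern: a constant format, with the untrusted text passed as
 * an argument. Returns what snprintf returns (bytes that would be written). */
int render_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* Count conversion directives in a string without interpreting them:
 * every '%' that starts a conversion is counted, while a literal "%%"
 * (an escaped percent sign) is not. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" prints a single '%', no conversion */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Validation helper: 1 if the string contains no conversion directives
 * and so would be harmless even if misused as a format, else 0. */
int is_safe_as_format(const char *s)
{
    return count_format_directives(s) == 0;
}

int main(void)
{
    /* constructed sample inputs: plain text, an escaped percent, and
     * text carrying conversion directives */
    const char *inputs[] = { "hello, world", "100%% done", "%x %x %n" };
    char buf[64];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        render_safe(buf, sizeof buf, inputs[i]);
        printf("input %zu: rendered=\"%s\" directives=%d safe_as_format=%s\n",
               i, buf, count_format_directives(inputs[i]),
               is_safe_as_format(inputs[i]) ? "yes" : "no");
    }
    return 0;
}
```

With the constant "%s" format the third input is rendered literally as the characters %x %x %n, whereas the vulnerable form in the comment would have consumed them as conversions; the directive count is the signal a validation layer or a log-review script would act on.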