Re: Rate Stratfor's Incident Response

[Benjamin Kreuter <ben.kreuter () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Sat, 14 Jan 2012 14:33:23 -0700
Sanguinarious Rose <SanguineRose () OccultusTerra com> wrote:

> On the kiddies, I can't see the advantage of hiring a professional
> sqlmap and havij operator.

For a full-time position with benefits, no, there is no real
advantage.  However, if your own team cannot even do that much, then
perhaps the kiddie should be be hired on a temporary or contract basis,
to give a report of what sort of common vulnerabilities can be
exploited.

> > I always report the vulns that I stumble upon (from my own email
> > and such) and while I'm doing this in good faith, I would never
> > dare to actively exploit that vuln for better proof, because if
> > they sue me, they would win. So I try to keep it that way, that I
> > cannot be held responsible, because I didn't broke any law.
>
> I do agree and can't see the real need for someone to actually prove
> it like that which is rather over the line in being illegal. It also
> requires more work then is even required to report it.

People are very bad with understanding hypothetical problems.  As an
example, my alma mater would (and perhaps still does) routinely send
important, official emails about financial aid, tuition, etc. with a
format like this:

[stuff about finances that needs to be taken care of quickly]

Click here to do [something important]:
[link]

There was no method available to verify that these emails actually came
from the university's administration -- no digital signatures, nothing
in the mail system that even checked that the message originated from
a university IP address, nothing. I tried to bring this up with them,
and even gave a live demonstration of spoofing an email address for the
non-technical folks.  It was not until an actually phishing attack was
detected that any action was taken.

Telling someone they have a vulnerable system will only affect change
if they already take security seriously.  Since most organizations
still do not view security as central to the design of their systems,
you need to really drive the point home with evidence.  This means
actually attacking the system, or at the very least giving some
demonstration that the vulnerability is real and can really be
attacked.

- -- Ben



- -- 
Benjamin R Kreuter
UVA Computer Science
brk7bx () virginia edu

- --

"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAEBCgAGBQJPEfl6AAoJEOV0+MnZK9ijV6sP/imaxMqZMoKFsY1ulSNiE9MN
U/B3j90iSleznY184HP8Fdbs6iKHOemKXsG4t6PXetYDICv+OYpQxtGV8Gt8d8GG
SG7eXuZqxbIMPcBS9Ozypt4V/VfXFAV4viyPyITphat4DPYs68aYQH36ENzD/HVF
OIwfWAu05CsQd3p5tgAoWo7KYUB0XLtKSqe648OWPvM5UaX0yfb9qSryrmWEjxxI
P3nOwodBcQDX1G7BwikRjrhTs98+Umczv6ijfXtdafv50/wurONcEsJC1SiJmqzv
6ZSp87jXxZWXgiJAqliSb9aXfZOj7xF1MUbj0oNVbPmx/uHStADIRxDM17pNm1Nf
Doc0Ta+JUho4pDH40S+OB4PjzxeQEEcLmAUjqaPQgQ268DwRxi1iTAsyoYqdcJJL
V78Db5hMrywWAeNEz7wjHDhEJmtmtnkcnxZEhqCx1AtSJIeHgqVKUY3TQrVhdBz/
4siM5cOSBaLmxvNl43MJSbwtDaILF+UhCKWh86rV5GLCD9x8jKaT5NI1DXFA6BFk
NObJeHIPlu/WTYKGOmRuqAkvet0ESYWct0XFMsj4Eugafo5jPqmRb1ASBICvzB5o
xr79LueVYFy2ft7cAPyU2aSwl1WAFlEDLVDoe4FbNUXziYdHenDHmqJxjbDdK3Ul
Zsryhbvmo3zpap+U8jpi
=rugN
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/