Penetration Testing mailing list archives

Re: Email Pen-testing

From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Tue, 23 Mar 2004 11:12:26 -0500

-----BEGIN PGP SIGNED MESSAGE-----

"Rob" == Rob Shein <shoten () starpower net> writes:

    Rob> You put the vest on a mannekin, take it to your firing range,
    Rob> carefully measure the distance, and then fire your hand-loaded
    Rob> bullet through a custom-made rifle that is highly accurate and
    Rob> repeatably maintains a consistent velocity towards the target.
    Rob> You're going to take copious notes on every aspect of it, and
    Rob> by no means will any human be in view anywhere downrange when
    Rob> the shot is fired. This is a bit more like how pen-testing
    Rob> should be done.  You're right, it's not a level playing field,
    Rob> but that didn't start when the pen-tester notified the company;
    Rob> it started when the company hired them and promised not to
    Rob> prosecute them for breaking in :)

  Right, so, to finish the analogy, to do the test right, you get the
bank the duplicate their network (plus as much of the Internet as is
feasible), plus their "trading partners" in your testing lab, with the 
same configuration, and you then attack this in a controlled way.

  (And if you are NASA, you get a duplicate Mars done to imperial units
and drop your landers on that version first)

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr () xelerance com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQGBh6IqHRg3pndX9AQEr+AQAmLh6k0xlzJl6s6s9urDZotmu3AX4V10m
W7OWn5piOo0zIHAa97duZVg+BPLsGTqz8scAPXjtUxC3T/pIRVNWWhc5h8I68LBx
xqayLiQcbZmHt5WFCTctYiHMFa9gPHoBZQBj9v3qGzYRR5XrWuUP4KmGuWvGrANJ
fjR03P1X4pA=
=3xj+
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------

Current thread:

RE: Email Pen-testing, (continued)
- - - RE: Email Pen-testing Blake Wiedman (Mar 22)
    - RE: Email Pen-testing Chuck Herrin (Mar 22)
    - RE: Email Pen-testing James Taylor (Mar 23)
    - RE: Email Pen-testing Kevin (Mar 23)
    - RE: Email Pen-testing Chris Hurley (Mar 23)
    - RE: Email Pen-testing AJ Butcher, Information Systems and Computing (Mar 23)
    - RE: Email Pen-testing Frank Knobbe (Mar 24)
    - Re: Email Pen-testing Michael Richardson (Mar 24)
    - RE: Email Pen-testing Rob Shein (Mar 23)
    - RE: Email Pen-testing Brad . Murray (Mar 23)
    - Re: Email Pen-testing Michael Richardson (Mar 23)
    - RE: Email Pen-testing R. DuFresne (Mar 23)
- RE: Email Pen-testing Mike Sues (Mar 22)
- Re: Email Pen-testing Joe Blatz (Mar 22)
- Re: Email Pen-testing Al Smolkin (Mar 22)
- Re: Email Pen-testing Andreas (Mar 22)
- Re: Email Pen-testing Michael Richardson (Mar 22)
  - Re: Email Pen-testing Rainer Duffner (Mar 23)
- Re: Email Pen-testing hwertz (Mar 22)
- RE: Email Pen-testing Reava, Jeffrey (Mar 22)
- RE: Email Pen-testing Eric McCarty (Mar 22)

(Thread continues...)