Penetration Testing mailing list archives

Re: Fwd: Penetration test of 1 IP address


From: Justin Seitz <jseitz () crossflux com>
Date: Thu, 02 Mar 2006 02:13:31 -0800

It's really not that surprising. Recently, I had a friend who is a
co-owner in a web development/design company, who also host their own
small Debian network. I had spent some time teaching him the ins and
outs of the linux shell, how to use iptables, some basic networking,
etc. Not a week later, he was phoning me to ask if I could help him do a
penetration test on one of his clients. I was appalled to find out that
the client had asked him if they could test the "security" of the boxes
on his network, and they agreed that they could.

It's rather frightening, even though I am not a professional pen-tester,
to hear that anyone and their dog with some command line access, who can
download and install Nessus, is offering penetration testing. It makes
you wonder why those of us who are interested in creative software
exploits, network hardening, etc. for the greater good and knowledge of
the public domain, are getting bad raps.

<advice>If the closest thing to security knowledge is getting all your
help from a mailing list, I would stop offering pen-tests, fess up to
your boss, set up a home linux box and put on a pot of coffee</advice>

JS

Brian Loe wrote:

Every time I see one of these e-mails the first question that pops
into my mind is, "where do I get a customer like that?!"

The second thing that pops into my mind is that it can't be a "real"
job - that it's most likely some high school kid who wants to be
famous, but not smart enough to figure out how.

I'm not a security "expert". I've never done a pen test. However,
everything that has been suggested, I already knew how to do - and
would have known to do it.

On 2/9/06, Levenglick, Jeff <JLevenglick () fhlbatl com> wrote:

That's right... Legal software. I wonder what would happen if this person
was not legit and the company found out that all of the people on this
list helped him?

Or better yet (as I stated before), this person does not have the
background or knowledge to give this company

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------