Penetration Testing mailing list archives
Re: Looking for help against Chinese Hacking Team
From: jc <antihacker.jc () gmail com>
Date: Mon, 15 Dec 2008 16:00:22 -0800
Do you know what is horrifying? In the short time I've followed this thread, not one of us so-called "experts" advised the initial author to never, ever ever publicly post from a work-email addy....(if I'm mistaken in my assumption, I apologize...but if I'm not, well...)

Until the 100 advisory voices are in unison, malcontent individuals will always be able to derail the best of intent. Not one follow-up advisory post obfuscated the org. address, and now secondary relational 'events' might exacerbate the initial issue and morph it into something exponentially worse, considerably beyond a $1k financial scope.

Way, way "Too many Chiefs, not enough Indians, Tonto...." (from the television/radio series "The Lone Ranger" -- as a courtesy to any international audience/readership)

Yes, Google is forever, but why make it a one-glance-driveby recon? If it was nestled deeper within the org. question, it wouldn't be screaming Issue & Vector!

(*bright lights*, hello k1dd135) Come on folks, is common sense so uncommon? Think! Security 'Experts' indeed...Group-Think like this is why we get our asses collectively 0wn3d, not because of some cookie-cutter, technically-masturbatory solution.

-jc (grouchy, old, curmudgeon, full of word-salad)

On Dec 15, 2008, at 12:34 PM, ArcSighter Elite wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adriel T. Desautels wrote:

Hi there,

The real problem here is that you don't know what you are doing (yet). Let me pad that by saying that you're clearly not a security expert and as such you shouldn't be expected to know how to solve this problem. The solution is simple though, especially if you're dealing with SQL Injection. Before I give you the solution for free (which is posted all over the web) I'll ramble on a bit.

First, when you went through your "waves" of security experts, what was your decision criteria? I'll admit that there are not very many real "experts" out there and that there are a lot of fraudulent ones. A real expert would have provided you with a solution to your problem immediately while some of the others (on this list too) have no clue what they are doing. Unfortunately, most of your Certified Ethical Hackers also don't have a clue (certifications are political and not always a real representation of talent).

Why am I taking the time to write this? Well honestly I am sick and tired of the bad name that these "Fake" security experts are giving to real experts. They offer "penetration tests" that start at $500.00, or Web Application Security Assessments that start at $700.00 when it is IMPOSSIBLE to do either at those prices.

The fact of the matter is that your average and real "security expert" will have a man hour rate of about 190-350 an hour. The average "good" web application penetration test will take more than 10 hours to do. That does not include time to write reports, to do research, to analyze unique issues, or to do a lot of the other manually intensive work that needs to be done to do the work properly. Can that all be done for $500.00? You do the math.... (the answer is no). Generally speaking if you are asking for an application assessment you're going to spend over $10,000.00. If you're not then you're getting ripped off.

So anyway, the solution to your problem is as follows:

1-) Your problem appears to be that you suffer from exploitable SQL Injection Vulnerabilities.
2-) Your solution is to implement Parameterized Stored Procedures in conjunction with strong input and data validation.

Check out http://www.owasp.org as a reference, or you can hire my team to do a kick-ass job and get you locked down good and tight. You most probably have many other risks that you are unaware of that can be dealt with by the right team.

If you have any questions I'm a big proponent of free advice.

From: XXXXXX <XXXX () xxx xxx> - (EDIT)(there, like this)
Date: December 12, 2008 19:59:19 EST
To: pen-test () securityfocus com
Subject: Looking for help against Chinese Hacking Team

We've been battling the Chinese for several months now and have gone through several waves of US security experts who have failed to stop them. In their defense, we are not on an unlimited budget and they've gotten us to a point where it looks as though somewhere among the site's 400 scripts is a SQL injection vulnerability. Automated testing by a few pen test products seems to think we're fine. We definitely are not.

Is it possible to hire a CEH to find the Chinese-discovered vulnerability for a few hundred dollars? (We aren't just being cheap, we've blown our wad on security that hasn't worked.) Would someone with intimate knowledge of the latest wave of Chinese attacks be required for this job? Besides our first rate security team that's just been beat, I've tried the $200 pen test folks and they have all failed. Microsoft security help has also failed.

Advice (Besides porting to Linux)? Help?

--
View this message in context: http://www.nabble.com/Looking-for-help-against-Chinese-Hacking-Team-tp20986210p20986210.html
Sent from the Penetration Testing mailing list archive at Nabble.com.

Adriel T. Desautels
ad_lists () netragard com

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

Alluding my previous message, he isn't a security expert, and maybe I misunderstood about he wants to know HOW they're breaking in. Maybe I was wrong.

In the meantime, I totally agree with you that non-knowledgeable security people are making bad fame to true experts. But think about your post. Even stored procedures could be injected if no proper validation is done, you know. Second, owasp will give him a framework about pen-testing web applications, although it gives some workarounds it's not designed to be some sort of secure coding guide.

Secondly, we got something wrong here. The pen-tester shouldn't fix the application; developers must. And of course, input validation is the issue, behind SQL injection, BoFs, remote includes; isn't new, don't you think.
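An added example, not part of any poster's message: the exchange above about parameterized stored procedures versus "even stored procedures could be injected" comes down to where the SQL text is assembled. Python's sqlite3 is used so the sketch runs offline; SQLite has no stored procedures, so the hypothetical functions `proc_dynamic` and `proc_bound` stand in for procedure bodies, and the table, names and input are constructed.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: an in-memory table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn

def proc_dynamic(conn, owner):
    """Stand-in for a stored procedure that concatenates its parameter into
    dynamic SQL. The caller hands over a parameter, yet it is parsed as SQL."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()

def proc_bound(conn, owner):
    """Same lookup with a bound parameter: the value never reaches the SQL parser."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()

# Allow-list for this constructed schema: lowercase account names only.
OWNER_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def validate_owner(owner):
    """Input validation: reject anything that is not a plain account name."""
    if not isinstance(owner, str) or not OWNER_RE.fullmatch(owner):
        raise ValueError("invalid owner name")
    return owner

def lookup(conn, owner):
    """Validation plus binding, the combination the thread recommends."""
    return proc_bound(conn, validate_owner(owner))

CRAFTED = "nobody' OR '1'='1"  # constructed textbook tautology input

if __name__ == "__main__":
    conn = make_db()
    print("dynamic:", proc_dynamic(conn, CRAFTED))  # every row comes back
    print("bound:  ", proc_bound(conn, CRAFTED))    # no rows: treated as a literal name
    print("lookup: ", lookup(conn, "bob"))
```

When reviewing a large script base for this class of bug, the pattern to search for is string concatenation feeding a query or a dynamic-execution call, inside procedures as well as in application code.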