Penetration Testing mailing list archives
Re: Looking for help against Chinese Hacking Team
From: ArcSighter Elite <arcsighter () gmail com>
Date: Tue, 16 Dec 2008 09:09:29 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Adriel T. Desautels wrote:
Great, If he's looking to stop attacks then he needs to remove the vector through which he is being attacked. IPS devices do not remove the vector, they make an attempt to prevent the vector from being accessed. While I support the use of properly configured and maintained IPS technologies, I'd never recommend using them as a method for remediation because they are only a method for mitigation. Sure mitigation is great, but its not a fix. With respect to your comment about creating properly designed parameterized stored procedures, it is not "almost impossible" if you architect things properly. You might be able to change a variable from a 1 to a 2 which is technically SQL Injection, but its not usually an SQL Injection Attack that is of any use. The idea here is to prevent SQL Injection Attacks not to prevent people from changing variables that should be harmless right? On Dec 16, 2008, at 8:32 AM, ArcSighter Elite wrote: RaptorX wrote:what Adriel meant was PROPERLY DESIGNED Parameterized Stored Procedures, and I totally agree with him. Providing a short time solution is a good idea but you have to finish the job properly which in the case of a pen-tester would be report and provide with a viable (permanent) solution. I also agree partially with Sam, specially windows systems, after hacked it is a MUCH BETTER idea to rebuild it improving the security of course.Well, PROPERLY DESIGNED of course if almost impossible, but you think this is the case? I repeat myself: he's wishing to stop the attacks, and of course I think/hope he'll take the appropriate measures then. IMHO he wouldn't be able to fix anything if he is constantly under attack. And sure, linux is the best solution, even a win port of apache will do better than IIS, again IMHO. Again, SQL injection could result in a host compromise, so re-deploying would be the optimal form: ex. instead of finding rookits, install clean. Adriel T. Desautels ad_lists () netragard com
Sorry, we got a little communication problem here. I mean PROPERLY DESIGNED queries is almost impossible to SQL-inject, my bad if you misunderstood me. I'm sure you can't trusts IDS: I already said it in a funny way: "they will only stop script-kiddies"; but he must truly "mitigate" the attack as you said, before taking another long-term measures. The IDS will also mitigate other attack vectors that may expose vulnerabilities in his web-app, that may be vulnerable to other web-based attacks, I already said, XSS, Sessions, Includes, Injections (LDAP/SQL, etc), and the like. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJR7aXH+KgkfcIQ8cRAnqJAKDoLK6SBIGeDWKggSoxZ60EYLhm3gCgpPC3 dIOfXBjwnP3u1MYDsEhgoDI= =rk++ -----END PGP SIGNATURE----- ------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------
Current thread:
- Re: Looking for help against Chinese Hacking Team, (continued)
- Re: Looking for help against Chinese Hacking Team Sam Stelfox (Dec 15)
- RE: Looking for help against Chinese Hacking Team George M. Garner Jr. (Dec 16)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 18)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 15)
- Re: Looking for help against Chinese Hacking Team ArcSighter Elite (Dec 15)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 15)
- Re: Looking for help against Chinese Hacking Team ArcSighter Elite (Dec 15)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 15)
- Message not available
- Re: Looking for help against Chinese Hacking Team ArcSighter Elite (Dec 16)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 16)
- Re: Looking for help against Chinese Hacking Team ArcSighter Elite (Dec 16)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 16)
- Re: Looking for help against Chinese Hacking Team Mike (Dec 18)
- Re: Looking for help against Chinese Hacking Team David Howe (Dec 18)
- Re: Looking for help against Chinese Hacking Team p4ssion (Dec 18)
- Re: Looking for help against Chinese Hacking Team ArcSighter Elite (Dec 15)