Re: Conficker (and friends) v.s. Penetration Testing

["kalgecin () gmail com" <kalgecin () gmail com>]

i totally agree most "system admins" only depend on the ready made
tools such as the anti-virus and firewall they have a very limited if
any knowledge on how these tools work. i myself asked the headmaster
at our school to pentest the school network and it went flowless. i'm
posting the results on my blog but due to the fact that i'm using my
phone, i'm limited to 150 letters per post. the blog is at
kalgecin.blogspot.com

On 4/4/09, Adriel T. Desautels <ad_lists () netragard com> wrote:
> Conficker (and friends) v.s. Penetration Testing
>
> Its funny to me that people haven't commented on the fact that the
> ability of a worm to spread is proof positive of just how insecure
> today's networks are. (Yet, even with this lack of security others are
> talking about this kick-ass idea of "Cloud Computing"). The fact is
> that if people managed their networks properly (which includes testing
> properly with quality security service providers) that worms would not
> be able to spread, or at least not so quickly and on such a wide scale.
>
> As an example, we recently performed a penetration test for one of our
> customers. The time between project kickoff and successful penetration
> was less than 15 minutes. That is to say that we were able to hack
> into our customers network within 15 minutes of starting the project.
> The way we did it was to create a .pdf based invoice and send it to
> the customer from a trusted source. This particular invoice wasn't
> really an invoice of course, it was a pdf document designed to exploit
> a vulnerability in their adobe acrobat reader. In this case, when our
> victim opened the pdf document their computer established a reverse
> http connection back to us. We then tunneled back in over that
> connection and had access to our customer's network. If we were
> malicious it would have been game over.
>
> So what does this have to do with worms? If you think about it a worm
> uses the same methodology for penetrating into networks as hackers do.
> Just like hackers, worms will penetrate your network by embedding
> themselves in files (like our PDF example above), or by exploiting
> vulnerabilities in computers systems, or maybe via social engineering.
> Either way, the technique is the same, and as such the defense should
> be the same. Why isn't it?
>
> Most people _try_ to protect their networks with anti-virus scanners
> and other technology. They implement these scanners on their desktops,
> servers, gateway's etc. They also use Intrusion Detection/Prevention
> Systems, firewalls and other similar solutions in an attempt to
> prevent infection or penetration. They never stop to question the
> security of the technology that they install. In 2006 Symantec's own
> Antivirus technology was vulnerable to attack. Back then it was
> possible to send someone a specially crafted email to penetrate into
> their computer. The fact is that technology is, and will always be
> fallible unless it is proved to be secure with mathematics.
>
> I'm not saying that technology is useless because it isn't. I am
> saying that technology should be augmented with frequent security
> testing. Those tests should be delivered by a quality security
> provider capable of creating a threat that is at least as intense as
> what customers will face in the real world. Once testing is done at
> that "real" level the resulting deliverable will enable people to
> build good defenses that are based on solid recommendations.
>
> Continuing with the pdf customer... One of the recommendations that we
> made to our customer was that they install a proxy to control outbound
> http and https traffic. We also recommended that they drop all
> outbound traffic that is not necessary for day-to-day business
> operations. We made that recommendation because of how easily we
> penetrated their network with PDF and the reverse http connection.
>
> The customer implemented our recommendations and when we retested
> their network were unable to get anything to call home. As a result of
> our work worms like Conficker can not function properly on our
> customer's network because they can not call home. Instead, if they do
> get in they sit on the network isolated and useless until they are
> eliminated by the anti-virus technology.
>
> Feel free to comment on the blog, much appreciated.
> http://snosoft.blogspot.com
>
>
>       Adriel T. Desautels
>       ad_lists () netragard com
>          --------------------------------------
>
>       Subscribe to our blog
>          http://snosoft.blogspot.com
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> No time or budget for traveling to a training course in this fiscal year?
> Check out the online penetration testing courses available at InfoSec
> Institute. More than a boring "talking head", train in our virtual labs for
> a total hands-on training experience. Get the certs you need as well: CEH,
> CPT, CEPT, ECSA, LPT.
>
> http://www.infosecinstitute.com/request_online_training.html
> ------------------------------------------------------------------------

-- 
Sent from Gmail for mobile | mobile.google.com



Kalgecin
http://kalgecin.110mb.com

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------