So this entry goes to support my previous post about Insecure Security Technologies and some of the confusion that these vendors can cause. Recently Networkworld published an article named “Penetration Testing: Dead in 2009” and cited Brian Chess, the CTO of Fortify Software, as the expert source. The first thing that I want to point out is that Brian Chess is creating confusion amongst the non-expert people who read the article linked above. The layman might actually think that Penetration Testing is going to be dead in 2009 and as a result might decide to buy technology as a replacement for the service. Well, before you make that mistake, read this entire entry. I’ll give you facts (not dreamy opinions) about why Penetration Testing is required and why it’s here to stay. As a side note, Brian Chess has a vested interest in perpetuating this fantasy because his objective is first and foremost to sell you his technology. Technology, like Brian Chess’s technology, is a solution to a problem, which by definition means that the problem came first and the technology was always a few steps behind. With respect to IT Security, hackers are always creating new methods for penetrating into networks (the problem). Because those methods of attack are new, the technology is not able to defeat them (because the solution doesn’t yet exist). So if technology can’t protect you, then how do you protect yourself? The best way to protect yourself is to use a combination of technology (to solve known problems) and Penetration Testing (to identify the unknown). A properly executed penetration test will reproduce the same or greater threat levels that your infrastructure will likely face in the real world. This is akin to testing the armor […]
There is not a single piece of software that exists today that is free from flaws, and many of those flaws are security risks. Every time a new security technology is added to an infrastructure, a host of flaws are also introduced. The majority of these flaws are undiscovered, but in some cases the vendor already knows about them. As an example, we encountered a Secure Email Gateway during an Advanced External Penetration Test for a customer. When a user sends an email, the email can either be sent from the gateway’s webmail GUI or from Outlook. If it is sent from Outlook, then the gateway will intercept the email and store the message contents locally. Then, instead of actually sending the sensitive email message to the recipient, the gateway sends a link to the recipient. When the recipient clicks on the link, their browser launches and they are able to access the original message content. While this all looked fine, there was something about that gateway that made me want to learn more (a strange JBoss version response), so I did… I called the vendor and asked to speak to a local sales rep. When the rep got on the phone I told him that I had an immediate need for 50 gateways but wouldn’t make any purchases until I knew that his technology was compatible with my infrastructure. He got really excited and asked me what I needed in order to verify compatibility. I told the rep that I needed a list of all Open Source libraries and software that had been built into the gateway, along with version information. The rep said that he didn’t really understand what I was asking him but that he’d […]
Before 2008 nobody had done any high-visibility vulnerability research and exploit development against critical systems used to maintain our critical infrastructure. In early to mid 2008 that all changed. Initially Core Security released a security vulnerability for Citect SCADA. That security vulnerability got media attention because it was one that could be used to penetrate into important control systems that are used to control our infrastructure (electricity, water, gas, oil, etc.). When the vendor released their statement about the vulnerability they downplayed the criticality of the issue in a very significant way. In our opinion that downplay was borderline unethical and was an attempt to save face. Fortunately for all of you who rely on electricity, running water, etc., we weren’t going to stand for that. More specifically, Kevin Finisterre, our lead researcher, wasn’t going to stand for it. At first Kevin and I tried talking to the engineers about the criticality of the vulnerability. That discussion got us nowhere fast; the engineers simply didn’t want to hear it and didn’t want to assume responsibility for the problem. At that point Kevin decided to take the game to the next level, and this time the actual risk of the vulnerability would be proved. Kevin decided that he would write an exploit for the Citect SCADA vulnerability; after all, the vendor said that it was a low-risk issue, right? So Kevin did just that: he wrote an exploit and published it to the Metasploit Framework. Once word of that got out, the attitudes at Citect and those of the engineers changed so fast that heads spun. All of a sudden this non-critical issue was a critical issue and something had to be done. So why was it so important […]
Something that I keep on hearing from engineers (power, water, etc.) on the SCADASEC mailing list is that they are more concerned about human error causing an outage than an attack over the internet. Most of the incidents that I hear about are operator error, and they involve accidentally shutting down a computer system or perhaps configuring one improperly (the utility guys like to call these “cyber” incidents). When that happens, things “go to hell in a hand basket” fast, and people can and do die. They seem to be more concerned about those types of “cyber” incidents than they are the hacker threat… but they’re not getting it right? The fact of the matter is that a malicious hacker could trigger any number of these “cyber” incidents either deliberately or accidentally, and the end result is the same. How do we get these guys to take the threat more seriously? I think it’s happening, but I don’t feel like it’s happening fast enough. Netragard, LLC. — The Specialist in Anti Hacking.
So I’ve been participating in the penetration testing mailing list that is hosted by SecurityFocus, and I can’t say that I am impressed. In fact, I might even go so far as to say that I am concerned about the caliber of the people that are offering paid services; here’s why. When a customer hires a security professional to perform a Penetration Test, Web Application Security Assessment, or any other service, that customer should be getting a real expert. That expert should be able to assess the customer’s target infrastructure, application, or whatever, and should be able to determine points of vulnerability and their respective risks. But that is not what I am seeing. The other day a self-proclaimed “expert” asked how dangerous a SQL Injection vulnerability was. They apparently identified a SQL Injection vulnerability in their customer’s website but didn’t know what to do with it!!! They also asked about how to exploit the vulnerability and what successful exploitation might do. Well, the first thing that came to mind was “Why the hell are you offering services if you don’t know what you are doing?”. I actually asked that, but I didn’t get any response back from the original author. When someone hires a security professional to deliver security services, they expect those professionals to be subject matter experts. The unfortunate thing is that in most cases the customer has no way of verifying the professional’s expertise, and the customer gets taken for a ride. (Take a look at our white papers!!!) Another example is in a recent vulnerability that one of my team members found. He was researching a product’s web service and found that it was just chock full of holes. When […]
I recently gave a speech with Green Hills Software, Inc. in California. The presentation covered the real threat that businesses face, as opposed to the theoretical threat that most people seem to worry more about. I also made it a point to uncover some of the more unorthodox attack methods that hackers use, like the spreading of infected USB sticks in parking lots or the use of rapid Distributed Metastasis. Here are some articles that were written as a result of the conference: EEtimes, EEtimes.eu, Astalavista, ISA.