Re: Re[2]: Generating awareness amongst IT staff

From: pand0ra (pand0ra.usa@gmail.com)
Date: Sun Dec 03 2006 - 16:57:18 EST


Why is there a discussion on doing an attack against live systems? The
whole purpose of the topic is to give the administrators a clue on
security. You can demonstrate that without compromising live systems.
It takes little time to set up a VM server and attack that without
risking any live systems. Heck, you could even take the image of a
live system and use that for your VM server if you wanted to make it
more realistic. As for an AS/400 or whatnot, there are images of those
out there as well that will run on VM. But as this is an introduction,
doing something with an AS/400 is excessive. The point can be made
with a simple Windows/Linux box. It might even be helpful to give the
admins a hands-on for the demo, but that depends on how responsible
they are and if you can trust them with that information (but then
again you should be able to trust them regardless or they should not
be there).

On 12/3/06, Roman Shirokov <insecure@yandex.ru> wrote:
> Hello, Jerome.
>
> You wrote
>
>
> > btw Metasploit could just be used to create a file on a target (a common
> > technique to show that a system is ownable without disturbing it)...
>
> > My 3 cents...
> > /JA
>
> Anyway the stack will be corrupted and unhandled execution may crash a
> system. I think using exploits on the operational servers which have to
> function 24x7 is too dangerous. First of all, an agreement should be
> signed.
>
> --
> Best regards,
> Roman
> securitybox@softhome.net
> http://securitybox.org.ru
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:24 EDT