RE: Sneaking a peek on Wlan in airports

From: Erin Carroll (amoeba@amoebazone.com)
Date: Fri May 18 2007 - 15:04:56 EDT


Thor,

Some comments below inline

> While I agree that one should try to leave conjecture alone
> and just "answer the question," it's not always that easy to
> do. Most of the people on this list (well, ones that post
> anyway) are detail oriented, technical, pedantic people. It
> comes with the job. So when you see a question that's just
> "not quite right," you have to ask the obvious "how did you
> get here from there"
> questions, particularly when the scenarios smack of white lie.

I'm not disagreeing with your viewpoint, I personally agree. You do have to
bear in mind however that as the list moderator my main focus is to foster
new and interesting discussions and keep the flaming to a minimum. So you'll
see me let through even one-line responses or repeats of information because
at least they took the time (however small) to respond. With somewhere above
15k subscribers to pen-test there are a *lot* of different ways one could
answer what seems a simple question and I'm hoping that the lurkers out
there will chime in. Besides, there are only so many times I can see another
"how do I do X" without groaning when a simple list archive search or 5
minutes on google would have answered. But, since the answers may be new
info to list newcomers I let those go through. I've been in the industry a
long time but every now and then someone points out a tool/method/view that
is illuminating or intriguing in response to a question that had been asked
and answered many times before.

> The simple "what would you do" question brings a lot with it.
> Personally, it is painfully obvious (or should be) to anyone
> that people will use unsecured, public networks in insecure
> ways. Being surprised by seeing a
> POP3 username/password on a wlan is a "red flag" in itself.
> To have an apparent pen-tester working for PWC post to a list
> asking what he should do in such a case is simply suspect (to
> me, anyway) - so I think it is natural for people to ask WTF?

True. But my effort is to have WTF addressed constructively and avoid
responses which consist of only the WTF ;)
 
> I would much rather see someone say "I was sniffing traffic
> on a wireless network." If the "my laptop came out of hibernation"
> scenario is true, then the real lesson should be "if you are
> a professional pen-tester for PWC, you should not, under any
> circumstances, have your laptop set to automatically connect
> to the first unsecured wireless lan it comes across." The OP
> was (obviously) performing a sniff on another wireless
> network before, presumably as part of a pen-test, and just
> put his lappy into hibernation. In such a case,
> automatically having his laptop connect to an unsecured
> network could actually have resulted in a breach of
> the data he was previously testing. The question therefore
> is not "what do I do when, gasp, I see a pop3 password"
> but rather "is this the way PWC trains their pen-testers,
> and is this the way PWC goes about protecting their
> customer's confidential data?"

And the above is a great response and example of going beyond the WTF. Other
list members may now have an "oh, that's a good point. I should pay attention
and not do this in the future because of those reasons" moment. These are things
people with a lot of experience take for granted as obvious but as you know,
sometimes you have to point out the pink elephant in the room... Or in this
case provide a diagram of what a pink elephant looks like.

> That being said, when you see POP3 password, SMTP mail data,
> HTTP base64 encoded basic authentication data on an unsecured
> wlan, the obvious thing to do is see if it gets you free porn somehow.

Heh. I thought that was standard operating procedure in the pen-tester
manual listed right after "Find nearest source of caffeine and hook up the
IV."

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 
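As an added illustration of the point raised in the quoted text (cleartext POP3, SMTP and HTTP Basic credentials being visible on an open wlan), the script below scans reassembled TCP payloads for the three mechanisms named and decodes what they expose. It is example code written for this archive page, not code from the original thread or from any list member. The payloads, hosts, account names and passwords are constructed samples, and the stream labels are hypothetical; a real run would feed it payloads reassembled from a capture.

```python
"""Spot cleartext credentials in captured application-layer payloads.

Added example for the thread above; not code from the original post or from
any list member. SAMPLE_STREAMS is a constructed stand-in for TCP payloads
reassembled from an open-wlan capture (hypothetical hosts and accounts).
"""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass
class Finding:
    stream: str      # "client -> server" label of the TCP conversation
    protocol: str    # which cleartext mechanism leaked the credential
    username: str
    secret: str      # password as captured; redact it before reporting


# Constructed samples (hypothetical addresses, accounts and passwords).
SAMPLE_STREAMS = [
    ("10.0.0.5:51234 -> 198.51.100.10:110",
     b"+OK POP3 ready\r\nUSER alice\r\n+OK\r\nPASS hunter2\r\n+OK Logged in.\r\n"),
    ("10.0.0.5:51240 -> 198.51.100.20:80",
     b"GET /webmail/ HTTP/1.1\r\nHost: mail.example.test\r\n"
     b"Authorization: Basic Ym9iOnMzY3JldA==\r\n\r\n"),
    ("10.0.0.5:51250 -> 198.51.100.30:25",
     b"EHLO laptop\r\nAUTH PLAIN AGNhcm9sAHBhc3N3b3Jk\r\n235 2.7.0 OK\r\n"),
    ("10.0.0.5:51260 -> 198.51.100.40:443",
     b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),  # start of a TLS record: opaque
]


def _lines(payload: bytes):
    return payload.decode("latin-1", "replace").split("\r\n")


def _b64(token: str):
    """Strict base64 decode; returns None instead of raising on junk input."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def pop3_credentials(payload: bytes):
    """Pair each POP3 USER command with the PASS command that follows it."""
    user, out = None, []
    for line in _lines(payload):
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            user = arg.strip()
        elif cmd.upper() == "PASS" and user is not None:
            out.append((user, arg.strip()))
            user = None
    return out


def http_basic_credentials(payload: bytes):
    """Decode Authorization: Basic headers. base64 is encoding, not encryption."""
    out = []
    text = payload.decode("latin-1", "replace")
    for m in re.finditer(r"^Authorization:\s*Basic\s+(\S+)", text, re.I | re.M):
        raw = _b64(m.group(1))
        if raw and b":" in raw:
            user, _, pw = raw.decode("utf-8", "replace").partition(":")
            out.append((user, pw))
    return out


def smtp_plain_credentials(payload: bytes):
    """Decode SMTP AUTH PLAIN: base64 of authzid NUL authcid NUL password."""
    out, lines = [], _lines(payload)
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "AUTH" and parts[1].upper() == "PLAIN":
            # Token may be inline or, in the two-step form, on the next client line.
            token = parts[2] if len(parts) > 2 else (lines[i + 1].strip() if i + 1 < len(lines) else "")
            raw = _b64(token)
            if raw and raw.count(b"\0") == 2:
                _authz, authc, pw = raw.split(b"\0")
                out.append((authc.decode("utf-8", "replace"), pw.decode("utf-8", "replace")))
    return out


EXTRACTORS = [("POP3", pop3_credentials),
              ("HTTP Basic", http_basic_credentials),
              ("SMTP AUTH PLAIN", smtp_plain_credentials)]


def scan_streams(streams):
    """Run every extractor over every stream; TLS or other opaque data yields nothing."""
    return [Finding(label, proto, user, secret)
            for label, payload in streams
            for proto, extract in EXTRACTORS
            for user, secret in extract(payload)]


def redact(secret: str) -> str:
    """Keep the first character only: enough to prove exposure without re-exposing it."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def report(streams):
    return [f"{f.protocol:<16} {f.stream:<40} {f.username} / {redact(f.secret)}"
            for f in scan_streams(streams)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_STREAMS)))
```

The TLS stream is included deliberately: it is the "nothing found" case, which is what the same mail traffic would look like if the client had used POP3S, SMTP with STARTTLS or HTTPS. The report keeps only the first character of each password so the evidence of exposure can be shown to the account owner or the client without writing the secret itself into a finding.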


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:48 EDT