From: Jerry Shenk (jshenk@decommunications.com)
Date: Mon Sep 13 2004 - 21:44:08 EDT
I'm a little late jumping on here but I think we in the security
business need to realize exactly this...we've got to be able to make a
business case for our existance. We also need to avoid calling
everything a horrible setup.
I recently reviewed a vulnerability assessment where they failed a site
because one of their Ips responded to a ping request. They also gave
the highest failure mark they had to a "firewall that allowed remote
management". After reading that one a little closer, what they were
complaining about was not that they accessed the firewall but that they
could have. Ok, perhaps that should be closed but then they went on to
say that they could gain access within 4 weeks. How do they know that?
They didn't do it. It has a 16 char password with mixed upper/lower
case, numbers and symbols. I have tried remotely accessing devices and
if they can brute force a password like that (any actually as the made
no qualifications), I'd like to know how. They have no adjectives left
for say, having the password be "password". They lost credibility with
me and with the client by overstating their case.
-----Original Message-----
From: Chuck Fullerton [mailto:chuckf69@ceinetworks.com]
Sent: Friday, September 10, 2004 8:58 AM
To: Dave Aitel; Matt Hargett
Cc: Clement Dupuis; 'Clarke, Tyronne (Contractor)';
focus-ms@securityfocus.com; pen-test@securityfocus.com;
dailydave@lists.immunitysec.com
Subject: RE: [Dailydave] RE: Network Exploitation Tools
akaExploitationEngines & FUD
Dave,
I must respectfully disagree with something you've said.
I believe the reason why most business executives don't take Security
seriously is because of security professionals using FUD or Fear,
Uncertainty, and Doubt.
If we act like Used Car Salesmen we should expect to be treated like
Used
Car Salesmen.
The decision to use Information Security must be a Business decision,
not an
emotional one.
Sincerely,
Chuck Fullerton
CEH,OPST,CISSP,CSS1,CCNP,CCDA,CNA,A+
-----Original Message-----
From: Dave Aitel [mailto:dave@immunitysec.com]
Sent: Sunday, September 05, 2004 1:58 PM
To: Matt Hargett
Cc: Clement Dupuis; 'Clarke, Tyronne (Contractor)';
focus-ms@securityfocus.com; pen-test@securityfocus.com;
dailydave@lists.immunitysec.com
Subject: Re: [Dailydave] RE: Network Exploitation Tools
akaExploitationEngines
On Sun, 2004-09-05 at 06:24, Matt Hargett wrote:
> Clement Dupuis wrote:
> > Ask both vendors for a demo. See for yourself, try it yourself,
that's
> > probably the best way to find out which one better fill your needs.
>
> This is what I always tell prospects who ask me about BugScan versus
> some other solution. They seem to appreciate the lack of negativity
and
> dick-waving from our side, so far. (Though they apparantly can't say
the
> same for some of the other players in the market.)
>
> Does Immunity and CORE play that nicely? Or does one spread FUD about
> the other?
>
I'm constantly spreading FUD. Like, the other day, someone called me up
and I said, "Hey, the Impact 'Tip of the Day' in version 4.0 has nothing
on our Exploit Fortunes (tm). With 'Tip of the Day' you'll get useful
hints on how to adjust their GUI to look exactly how you want it. With
Exploit Fortunes (tm) you'll get the latest Immunity in-jokes and
humorous comments, but only if you manage to successfully exploit a
host. So you have to be truly elite to even see them.
Honestly, though, it'd be hard for me to spread FUD, cause the last time
I saw their product was at G-Con when Gera did a short demo, so
everything I know about it is here-say or based off marketing material
on their web page.
Who are some of the other players in the BugScan market? @stake SRA?
> On a side note, some of the XP/Python weenies say that test-driven
> development and a suite of unit tests can enforce types, getting the
> best of both worlds. Anyone have an opinion on this?
Sounds nutty - cause the great thing about Python is that you don't care
what Type you're using. A duck is something that quacks, and going
beyond that is putting on handcuffs when you don't have to. This general
concept is why Python is so much faster to use than .Net. I mean, it
goes beyond that, into a language that makes broad generalization
doable, rather than a huge nightmare the way C++ does. :>
-dave
------------------------------------------------------------------------
---- -- Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ---- --- ------------------------------------------------------------------------ ------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ------- ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT