From: Mark Teicher (mht3@earthlink.net)
Date: Mon May 15 2006 - 08:49:24 EDT
Here is question, what is the risk factor or actual damage meter read when a security pen-tester conducts a modem security assessment ??
-----Original Message-----
>From: Art Cooper <acooper@pop.innerwall.com>
>Sent: May 12, 2006 2:07 PM
>To: Karyn Pichnarczyk <karyn@sandstorm.net>, acooper@innerwall.com
>Cc: pen-test@securityfocus.com
>Subject: Re: Pentester convicted..
>
>Well Karyn,
>
> As one who has been in IT for 28 years (Including Intel and IT for the US
>Air Force), and as one who also is published on the matter and has spent the
>last 10 years dedicating myself to Information Security, AND as on who has
>taught at two institutes of so-called "Higher Learning" part-time for many
>years, I will tell you that I say those things BECAUSE a University is
>involved. If you want to see politics, hysteria, and childish behavior on
>EVERY level, go teach. I have taught BS and MS level students, and the BS in
>College IT departments is unsurpassed!
>
>The fact this gentleman had "SOME" sort of realtionship with the University
>tells me there was an axe to grind by one side or the other. The University
>has more cloat and money, therefore they succeed and this gentleman "Sucks-
>Seed".
>
>I have also personally testified at sveral court proceedings concerning these
>very activities, and I can tell you that in 99% of the cases I was involved
>in, there was a "Witch Hunt" and a LOT more involved then we are getting from
>this article. Did he do wrong? YES - no doubt, but I feel the response you
>have made as to DAMAGE is inflated. Are you a lawyer? You sure sound like
>one..
>
>Regards,
>Coop
>
>Arthur B. Cooper Jr. "Coop"
>Senior Network Engineer
>Innerwall, Inc.
>http://www.innerwall.com
>acooper@innerwall.com
>
>"Most men lead lives of quiet desperation
> and go to the grave with the song still in them."
>* Henry David Thoreau *
>
>
>On On Fri, 12 May 2006 13:55:03 -0400, Karyn Pichnarczyk wrote
>> Let me list some actual damage. The company now knows that someone
>> who was not authorized, and did not have the best interests of the
>> company in mind (or else they would have contacted the company with
>> their findings, not the company's customers or journalists) had
>> access to basically Anything and Everything in their computer systems.
>>
>> Therefore, the Actual Damage is the re-evaluation of all systems, and
>> verification of all data on those compromised systems, to ensure that
>> the company's data has not been twiddled with/changed/modified.
>>
>> What assurance does the company have that this criminal (and yes,
>> it it criminal to break into a system without authorization) didn't
>> fiddle with the data, perhaps even putting in code that will either
>> cause the company to automatically send out payments to someone who
>> doesn't deserve them, or erase records of expected payments, etc.?
>> What if the criminal set up something on these computers to make it
>> appear as if the company itself was performing a criminal activity,
>> that will later cause the leaders of the company to be arrested?
>>
>> A defense of "I didn't do anything" does not lead much credence to
>> a criminal's testimony.
>>
>> It costs lots of money to pay employees (and likely expert
>> consultants as well) for their time to clean up and verify the
>> systems. And what if they aren't as diligent as the original
>> criminal thinks they should be? If something was planted by the
>> criminal, this Criminal can now come back and once again report to
>> the media and the company's customers that the cleanup was not done
>> properly. Thus the company has to spend more money being diligent
>> in their response.
>>
>> Money is Actual Damage, Mr. Cooper.
>>
>> Art Cooper wrote:
>>
>> > Because I BELIEVE there is a "LOT" more here than meets the eye.. I
>wonder
>> > if he took the evidence to the Univ. and they ignore him.. If so, then
>> > perhaps he had an axe to grind.. My point is this - what ACTUAL DAMAGE
>was
>> > caused? Most lawyers will tell you that you MUST prove there was malice
>and
>> > ACTUAL DAMAGE.
>
>
>------------------------------------------------------------------------------
>This List Sponsored by: Cenzic
>
>Concerned about Web Application Security?
>Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
>Choice Award from eWeek. As attacks through web applications continue to rise,
>you need to proactively protect your applications from hackers. Cenzic has the
>most comprehensive solutions to meet your application security penetration
>testing and vulnerability management needs. You have an option to go with a
>managed service (Cenzic ClickToSecure) or an enterprise software
>(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
>help you: http://www.cenzic.com/news_events/wpappsec.php
>And, now for a limited time we can do a FREE audit for you to confirm your
>results from other product. Contact us at request@cenzic.com for details.
>------------------------------------------------------------------------------
>
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:58 EDT