[Dailydave] "The organization I belong to doesn't have initals"(that evil dude in Heroes)

Daniel daniel at ugc-labs.co.uk
Tue Nov 14 14:10:24 Local tim 2006 

David,

Say your on a test for a large financial bank and you use a 0hday to  
take down their core IIS web farm. How do you explain to the CSO how  
to remedy the problem. Do you explain the risk value you have  
assigned for a vulnerability which has no solution/patch?.

A prime example of this would be a 0hday in IIS6.0

David: your IIS 6.0 is vulnerable to a unpublished, unknown  
vulnerability
CSO: So what do we do David??
David: secure your network
CSO: How?
David: ????
CSO: Microsoft has no patch for this, they cannot help. I've paid you  
to do an assessment, what is the risk of the vulnerability versus the  
loss of business if I have to shut down our front-end trading system

See what I mean?


On 14 Nov 2006, at 19:55, David Maynor wrote:

> Using 0day in pentests I still very valid, IMHO. The goal of designing
> a secure environment is that it could survive and repel an assault
> from a determined attacker. Since the debate about whether 0day is
> used in real world attacks seems to finally be over thanks to thing
> like IE and office bugs, a person has to take the 0day angle into
> account while designing an infrastructure. Of course people that leave
> password lists on open shares will care about this less than people
> who have been through a pentest process and implemented the
> suggestions.
>
> On 11/14/06, Nicolas RUFF <nruff at security-labs.org> wrote:
>>>> When I was a consultant my shtick was that a "pen-test" is a  
>>>> complete
>>>> waste of time if you don't have
>>>> your other ducks in line.  This was based on the un-scientific  
>>>> research
>>>> conducted by myself that
>>>> basically concluded that 99/100 pen-tests are almost always  
>>>> successful.
>> [...]
>>> That's a misleading way to frame the conversation, don't you  
>>> think?  A
>>> pen-test isn't supposed to answer the yes/no question, "Can you  
>>> be hacked?"
>>> It's supposed to ask the open-ended questions, "How can you be  
>>> hacked?" and
>>> "How can you fix it?"
>>
>> In my experience, "99/100 internal pen-tests are successful during  
>> the
>> first 10 minutes, without using any 0day attack".
>>
>> (I don't even own a CANVAS licence :)
>>
>> This means:
>> - Domain admin account created with a trivial password, for  
>> someone who
>> never logged in.
>> - "Password.xls" file found on a public share.
>> - Variations: the share is hidden ('$' sign), the Excel file is
>> password-protected.
>> - Local admin password is the same on every workstation - once you  
>> get
>> yours, you can connect to any admin workstation.
>> - Service accounts can be used to log in anywhere, and passwords are
>> stored on every workstation (=> LSADUMP).
>> - VNC/PCAnywhere/... using the same password on all mission-critical
>> legacy NT4 servers.
>> - Blank "SA" password, especially in case of 3rd party  
>> applications that
>> silently installed a MSDE database.
>> - ...
>>
>> How can you fix it ? Certainly not by fuzzing and flaw-finding :)
>>
>> Regards,
>> - Nicolas RUFF
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunitysec.com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

More information about the Dailydave mailing list