[For the purpose of full disclosure here, I work for Trustwave. I am also the head of their SpiderLabs organization.]
I think you may have your security and compliance testing paradigms very much confused. Let me help explain these a bit.
Trustwave is a Qualified Security Assessor (QSA) for the Payment Card Industry Security Standards Council (PCI SSC) and is authorized to perform security assessments for merchants and service providers against the Payment Card Industry Data Security Standard (PCI DSS). As a QSA there are testing procedures and standards interpretation that every firm performing these assessments must follow. Simply stated, a PCI DSS assessment might be called "checklist compliance" because it was designed to be that, to attempt to ensure uniformity across QSAs performing the review of the target organization. This process is dictated by the PCI SSC. A PCI DSS assessment is in no way attempting to be a "red team assessment".
Trustwave, like WhiteHat Security, also offers more traditional penetration testing through its SpiderLabs organization. While WhiteHat is focused on web application security (and is respected in the industry for its services here), SpiderLabs has global teams each with a focus on the various aspects of red team attack vectors. Some organizations opt to just hire us for application, network, or physical testing, but others want the full red team treatment. In any case, we follow a well-documented and tested methodology (similar to the Penetration Testing Execution Standard [PTES]), but in no way is the work we do a check-list engagement.
It is a good thing ZD sold TechTV to Vulcan or there would be no more Sumi Das!!!!!
I know it is lame to reply to your own post, but I just found this on DoubleClick's site about Kevin O'Connor (the Co-founder and Chairman at DoubleClick):
"In 1995, O'Connor helped fund and build ISS Group (Nasdaq: ISSX) an Internet security software company in Atlanta, GA. O'Connor continues to serve on the Board of Directors for ISS Group."
is on the Board of Directors at Internet Security Systems (ISS).... You would think that they would have thought to at least run ISS Internet Scanner against their websites or had a third-party PenTest of their site in the past 2 years. It would have surely found that backdoor.
On a more serious note, what would be nice is if there was a set-up that noticed a portscan in progress and blocked that IP (plus notified the administrator, etc.). Anyone know of something like this?
This can be done with Internet Security Systems' RealSecure.
http://www.iss.net/securing_e-business/security_products/intrusion_detection/realsecure_engine/
The OS it is running on is open sourced. :-)
Actually, I am also a musician. I play sax. So, I guess, it was most likely caused by a combination of things.
I had a Ganglioneuroma develop last year because of typing. Probably from IRC, but work-related stuff as well. It is a bunch of nerve cells that is caused by the tendons in the wrist moving too fast for too long. It felt like a gumball-sized lump in the base of my hand on the top of the wrist. Not very painful, but it causes my left hand to type a little slower.
When I am waiting for my girlfriend to try on clothes at some store, all I can do is either sit there or wander around. Usually the people working there ask me about 5 times if I need assistance with anything, but they soon realize that I am just some poor joe waiting for his girlfriend when she comes out of the dressing room with 45 pieces of clothing in her arms. I would guess if there were some sorta camera system with intelligence behind it, they would pick me off as a weirdo and I would be dragged to the backroom. People should have a right to do what they want in a public area as long as it doesn't infringe upon the rights of the people around them. Walking in strange patterns and looking suspicious might just be the way a non-threatening person really is.
I have used my credit card online only at SSL sites which are run by companies that have really good reputations online. About five months ago I noticed a $353.14 charge on my credit card to a photo company in Texas. I contacted my credit card company and told them I didn't make the purchase, and they had me fill out the form. They took the charge off my card, and said it was under investigation. It turned out that a whole bunch of people had been calling about the same charges and it was to a fake company using "guessed" (generated) CC#s. Despite that I have still purchased about 80% of my Xmas gifts online, as I have for the past 3 holiday seasons.
When you think about it, there is not much to lose if you keep track of what you purchase and look at your statement. I have 1 credit card to make sure things don't get out of hand with multiple bills coming in at different times. Also, it is not a good idea to keep accepting credit increases; if you don't spend 10,000 per month then there is no real reason to have a limit that high. You can always call and request a limit increase; it only takes them 2 to 3 days to process it (especially if you have passed up increases in the past).
It seems that people from the Midwest US to Canada to Washington DC saw the fireball last night as a bright green streak that lasted for about 15-20 seconds. This is a very large area for people to be seeing such an object all at the same time. Someone commented that a bright green flame would mean that it was made out of copper. Anyone have any reports on how big it was? Or what it was? Is there a ton of space junk that big just floating around out there waiting to fall to Earth?
Yes, it was very bright green with gold trails coming off of it. Anyone know what element would burn bright green?
I live just outside Chicago and the lights are not very bright. Last night (6:15pm) I saw what I thought (at the time) was a very large green and gold firework flying across (from west to east). It was very large and lasted for about 20-30 seconds. I didn't realize that it was a piece of a comet until I heard reports on the radio that people from Central Illinois to Wisconsin had seen the same thing. Did anyone else see it? Any ideas on the size of it?
About 4 years ago when getting my degree in computer science, my hands started to get a tingling feeling at the tips of my fingers. This was complicated by the fact that I was also playing sax in the marching band about 12 hours a week. All the typing and playing sax seemed to be causing CTS. I don't play the sax as often anymore, but I have developed a "ganglionic cyst" in my left wrist (self-diagnosed on http://health.yahoo.com/). The CTS symptoms have gone away. This was definitely caused by too much finger action in college.
On New Year's, just me, my Linux box, some mp3s, and a good ol' bottle of Chimay.
Check this out, nice utility.