Slashdot Mirror


User: D3

D3's activity in the archive.

Stories: 0
Comments: 264
First seen
Last seen

Comments · 264

  1. An honest answer on Recommendations for Third Party Security Audits? · · Score: 4, Informative

    Up front I want to point out that I don't want to make a completely shameless plug for my company and what I do. I did leave some contact info available in case the person in question wanted to contact me. The comments here are my own and not those of my employer, etc. If the person who submitted this Ask Slashdot is happy with another firm, that is fine with me; I'm an engineer, _not_ a salesman.

    Here are the main questions that I have:
    Who have you used, and were they any good?
    I work for a company that does full service security penetration testing, secure network architecture design and implementation, remote monitoring of IDS and other logs. You can email me through my slashdot user name link if you wish or hit our website www.caci-nsg.com. Therefore I use my own knowledge and that of my co-workers (some of whom work for Attrition.org btw) and yes, we are very good. :)

    What should we look for in evaluating who to contact and their proposals?

    You should make sure they have experience with the various OSes you run. People who know how to knock over a UNIX system may not do well against Microsoft and vice versa. Make sure they tell you what needs fixing AND how to fix it.

    Some companies I've had to compete with only showed up with one system to run the ISS scanner, generated a _very_ thick report of what was wrong, and left.

    No single scanner is perfect and if you don't have human intelligence to interpret the results the test may be meaningless. I've seen the ISS scanner tell people they had a Windows NT system that needed to be fixed. When we checked out the system in question it turned out to be HP-UX!

    What would you have done differently?

    There are things our team learns at every pen-test we do. Some things I want to do differently would be to standardize our methodology more. One problem is that every network has something about it that makes it unique. This is where you can either go cheap for an "off the rack" solution to your testing or pay for a "tailored suit". Be sure that the team has some real experience behind them though. You don't want the tailor fresh out of tailoring school.

    What services should we ask for?

    You should ask for a complete report of what the team is able to access on your network. You want to know what they can break into from the internet and what they can break into if they were sitting internally. You need to understand the difference between a theoretical exploit based on how your network is configured and a real vulnerability based on a missing service pack. This tells you about what external attackers can do as well as what disgruntled employees can do. It may also tell you how bad a Sys Admin you have running things. I've gotten one Sys Admin fired because of what I found and his poor reaction to my findings. You'll want a report that explains in detail why you are vulnerable, what to do to fix it, and if possible the impact this may have on your day to day operations.

    How do we manage the contract to make sure we're not getting a snow-job?

    You can have the team demonstrate for you how they got in. Have them leave a file behind, pull down a password file and crack it, etc. Any team should be willing to discuss things very honestly with you. You may wish to start small. An external test only for a small amount of $$ and time. This lets you evaluate them without being burned too badly.

    How do we use the result to get buy-in from management (who will probably need to lay out money for changes) and from the developers (who may be adamantly opposed to changing their systems, either for ego reasons or it's just a lot of work)?

    When I broke into a customer that was a credit union and got customer account data, it got their attention. If the test team steals emails or other things from the CEO or other big-wigs, etc. and it doesn't get proper attention with management, I'd look for a new place to work.

    How often should we re-do these audits?

    Generally twice a year. The main thing is that after the first one you may have a ton of work to do to fix things. You don't want another test until you have had reasonable time to complete your changes. I've had some customers take a year to get fixed up for another test.

    "Again, I know there's a lot out there by the security firms themselves about this, but I'm really looking for a 'keyboarder-in-the-trenches' view as well. Horror stories are appreciated, since they may give us an idea what to watch out for."

    I just hope I was helpful with what I mentioned here. Keep in mind that if you are a government agency you probably have to put the contract out for a bidding process. Write up your expectations as clearly as possible and leave time for a question/response period from the bidding companies. The intelligence of their questioning will tell you a lot. If they don't ask many questions it probably means they don't know what to ask and won't be very good.

  2. How long will it be? on Disney World Goes 802.11b · · Score: 2, Interesting

    Before they get cracked and decide this was not a good idea?

  3. Lens Flare?? on First Review of Halo · · Score: 2

    Isn't that the same Adobe lens flare effect that people complained about months ago on /.?

  4. Re:Lucky Break on How Did You Become a UNIX Administrator? · · Score: 2

    I had what I consider a lucky break as well.

    I was a grad student in biology at a major university. I was really bad at research. I got my funding cut off from my prof and needed to support myself. The department needed help with their very small (7 machines) computer lab running Win95 and Mac. So I started doing that; I also had accounts on the university VMS and Unix systems for email, irc, news, etc. I started doing HTML for the department website as well. This went on for about a year and I decided I loved it compared to banging my head against a wall, aka research. I started looking for jobs and got one on campus that was 90% Win9x support and 10% running an Apache webserver on a Solaris 2.5.1 system. I got the job because I had the main background they needed with supporting Win9x (this is 1996). In the interview they asked about any UNIX experience and I said only email BUT I was very interested in learning UNIX and was willing to learn it. They gave me the job and I learned how to do RAID, Apache, Sendmail, POP, and a bunch of other stuff. I did that for a couple of years and since then have moved on to being an admin at the USDA and other things.

  5. ATI repeats itself on ATI Drivers Geared For Quake 3? · · Score: 3, Insightful

    Many years ago I bought an ATI expert@play card because it had good Quake benchmark numbers. Guess what, they had written the drivers for that benchmark and the card itself couldn't actually play games at the speed the benchmark indicated. Nothing new here. This is also why I stopped buying ATI cards.

  6. Some bad information on The Twenty Most Critical Internet Security Holes · · Score: 4, Insightful

    I have worked for SANS in the past but I have to disagree with the way they compiled this list. The fact that there are a larger number of "vulnerabilities" for *NIX than Windows is misleading. I just bet the M$ people latch onto this: "See, Windows is less vulnerable!" Even though most of the *NIX stuff is so old you rarely find it occurring in the real world.

    What is more useful IMO is to have a ranking of these "vulnerabilities". Right now an unpatched IIS box can be hit even though you have it firewalled so only port 80 is open. With the *NIX stuff, the only way to hit a system via port 80 is bad CGI or a new exploit to the webserver software. And when was the last time an Apache exploit was released?

    Look at the CVE numbers. That tells a tale of what is going on _now_. The number has the year and there are many of the *NIX exploits that are 2 years old or more. Many of the Win exploits are within the last year.

  7. How do they get away with this? on Microsoft FrontPage License Prohibits Anti-Microsoft Speech · · Score: 1, Redundant

    How does M$ get away with this?
    If Ford/Chevy/Dodge made buyers sign an agreement that said you can't bad-mouth their car/suv after you bought it they'd be in a world of trouble.

  8. Re:sounds like an old song... on Star Wars II: Return of the Name · · Score: 2

    This was done by my friend Kevin.

    >
    > Isn't it rich?
    > We're a matched pair.
    > Waving our lightsabers
    > Around in the air.
    > Attack of the clones.
    >
    > Lucas gone mad
    > We've all been had
    > After the first one was so
    > Incredibly bad.
    > Attack of the clones?
    > Does he think that we're drones?
    >
    > Just when I'd stopped
    > Trashing Jar-Jar
    > Lucas is going
    > Even further afar.
    > Making a loser again
    > With his usual flair
    > Expecting big lines...
    > They'll probably be there.
    >
    > Oh, what a farce.
    > Our fault, we hear.
    > We're supposed to like what he shows
    > Year after year.
    > And where are the clones?
    > ("Attack of the Clones"???)
    > It's too late, they're here.
    >
    > Isn't it bad?
    > Isn't it dull?
    > And the worst part of all is that
    > The theater'll be full.
    > And so it's the clones...
    > "Attack of the Clones"
    > Will open next year.

  9. Micropayment? was Re:Simple! on Why Won't You Pay for Content? · · Score: 3

    But how do you do micropayment?

    Do you pay every time you view the page? How about hitting refresh? When a new AC posts to /. and the content has now changed do you get charged again? I can see lots of people with $1000s of bills for these micropayments. Just like 900 numbers, sure it is only $1.95 for the first 3 minutes but then watch out! And they'll do things to make you stay on the phone longer. So then websites will do things to charge you as well.

  10. New media requires new way to pay for it. on Why Won't You Pay for Content? · · Score: 2

    The web is in many ways a new media type. It incorporates parts of other media types like the print of newspapers and the broadcast ability of TV. We pay a little for a newspaper or magazine but not anywhere near the cost of creation. The extra cost is paid by ads. On TV, we don't pay directly for _any_ of the programming. We pay our service provider for cable or satellite but broadcast is free to receive with an antenna. Same with radio. In the broadcast area we are willing to have a certain amount of time dedicated to "paying the bills" and interrupting the broadcast.

    The web has tried both of these methods with little success. I think the banner ads on Slashdot are what I like best but they don't seem to generate the revenue companies need. Popups just annoy me. I think the culture is different enough to justify a new approach. People viewing websites expect things to be instant and fast.

    So, basically what I'm saying is the new media needs a unique way to advertise that works with the culture of the people that use it.

  11. But is it pronounced how? on PS2 Hard Drive Announced · · Score: 2

    Next thing you'll tell us is the correct way to say XBOX sounds like exbo-X with a long O and accent on the X.

  12. Ironic on VA Linux Systems Leaving The Hardware Business · · Score: 2

    That when I refreshed Slashdot and got this story the banner ad was for VA.

  13. Then how come my HD _DIED_!?! on Alex Chiu on Science, Religion, and Politics · · Score: 3

    If magnets are so great to promote long life, why do hard drives DIE!?!

  14. What you can try on Verizon - No DSL Over Hybrid Copper/Fiber Lines? · · Score: 2

    I live in MD and got nothing but run around from Bell Atlantic (now Verizon) about DSL. They claimed not to be able to get me hooked up, yet another provider running off Covad did, no problem.

    Try these things:
    1. www.dslreports.com: this is a great website to tell you more than you ever wanted to know about DSL.

    2. Check with various other providers in the area. Mine is capu.net. They have been awesome for me, great support with people who really know networking. Also, they allow me to run anything I like on my end as long as it isn't a business web site or other high traffic site.

    3. Keep calling Verizon and asking about DSL. Make them tired of hearing from you. It is their fault we don't have more access to high speed connections to the home anyway since they are/were one of the baby bells that screwed up the competition in the market place.

    Good luck!

  15. Re:Sudden drop in defacements? on Attrition.org Defacement Mirror Frozen In Time · · Score: 2

    The fact is there are both more targets and more kids at home playing around with trying to hack. Therefore the number of defacements rises regardless of attention from attrition.

    Also, the typical script kiddies do it more for the attention of their perceived peer group in IRC than what they get from attrition. This much I know from speaking directly with attrition staff.

  16. Attrition as art? on Attrition.org Defacement Mirror Frozen In Time · · Score: 2

    Attrition was/is a new form of art to me.
    Does it merely reflect the world around it or does it influence the world into a new direction?

  17. Re:Sudden drop in defacements? on Attrition.org Defacement Mirror Frozen In Time · · Score: 2

    And just what bullshit proof do you have of this? Do you have any real knowledge of the type of people that do this? Just consider for one minute the other factors in web page defacements.

    1) The _world wide_ increase in the number of PCs available to the kids that deface web pages.
    2) The _world wide_ increase in the number of stupid websites put up for businesses, etc. by "administrators" who only know how to click the "next" button during an installation.
    3) The fact that even just a couple of years ago, many of these scripts and tools that make it so easy didn't exist.

    There are other factors as well. The truth is, we don't really know what will happen. Defacements might go up since people won't think their message is being seen as much otherwise. Maybe now these people will get more daring to get this supposed attention and actually start doing real damage.

  18. Another site, should be cheaper on Full Powered, Compact, Gaming Rigs? · · Score: 1
  19. Re:Lunchbox style portable on Full Powered, Compact, Gaming Rigs? · · Score: 1

    Yikes, I hadn't looked at their pricing, we have one of their systems for work. I know you can find just the bare cases for around $3000 and then build the PC yourself. This will get a kick butt system for <$5k. I can't stand laptops because of the lack of upgrade path.

  20. Re:Lunchbox style portable on Full Powered, Compact, Gaming Rigs? · · Score: 2

    Another site forensic-computers has lunchbox stuff as well. There are many others. The advantage of a lunch box over a laptop is that it will be upgradeable with new chip, graphics, etc. The price should be about the same as a mid-high laptop. They aren't as portable as a laptop but give better performance for gaming and are more portable than a standard PC. I have one at work and can vouch for the performance capabilities.

  21. Why the economy sucks on Where Is The Innovation? · · Score: 2

    I can't remember the author but TIME had an article in the recent issue with Dale Earnhardt on the cover. The point of the article is that none of our wonderful technology really works all that wonderfully. People have come to realize that waiting for v2.0 to come is not a way to run things. Things like steel and refrigerators are stable and dependable. Things like cell phone service are not. An analogy used in the article was that if a 1" steel rod were priced like cell phones it would only really be a 1" steel rod on weekend nights and holidays but the rest of the time it would be only 1/3". And if you tried to use your steel rod outside your area it would cost 6 times as much!

    Yes, all the whiz bang technology is cool to play with but no one has really been able to do anything with it! The web doesn't provide significant advantage over brick and mortar stores in most cases. Who wants to buy stuff online for less, make up the difference in shipping, and wait for it to arrive a week later when you can go to Target and get it today?

  22. Re:pi: a universale mathmatical unit on Pi: It Just Keeps On Going · · Score: 1

    No, you can have a 0 after the decimal and still have more numbers left to go.
    Take 77/25. It comes out to 3.08.

  23. Re:I'll give it a shot on SuSE Announces Linux Version For SPARC · · Score: 2

    Yeah, we ordered 3 or 4 of them and haven't put them all to good use, yet. We have a testing lab of sorts here.

  24. I'll give it a shot on SuSE Announces Linux Version For SPARC · · Score: 1

    I have an Ultra 10 440MHz lying around. I'll check it out. Give me about a week.

  25. Re:www.dslreports.com on Thoughts On Third-Party DSL Providers? · · Score: 1

    768/384 for me. I got it just before they went to the 600k down. Somehow I think it wasn't any different though.