Was that aimed at me or secreview? I do NOT have MLK off, which is a travesty in and of itself, but I also feel it is important to challenge secreview on this matter.<br><br>
<div><span class="gmail_quote">On 1/21/08, <b class="gmail_sendername">Jerry dePriest</b> <<a href="mailto:jerryde@mc.net">jerryde@mc.net</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">nice to see some have mlk off and nothing better to do<br>----- Original Message -----<br>From: "SecReview" <
<a href="mailto:secreview@hushmail.com">secreview@hushmail.com</a>><br>To: <<a href="mailto:nate.mcfeters@gmail.com">nate.mcfeters@gmail.com</a>><br>Cc: <<a href="mailto:full-disclosure@lists.grok.org.uk">full-disclosure@lists.grok.org.uk
</a>><br>Sent: Monday, January 21, 2008 10:40 AM<br>Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed]<br>PlanNetGroup ( F )<br><br><br>> Nate,<br>> Your email was constructive and much appreciated. We'll go over
<br>> the review a second time and incorporate some of your suggestions.<br>> Thank you for taking the time to provide so much good feedback.<br>><br>><br>><br>> On Mon, 21 Jan 2008 02:07:50 -0500 Nate McFeters
<br>> <<a href="mailto:nate.mcfeters@gmail.com">nate.mcfeters@gmail.com</a>> wrote:<br>>>SecReview,<br>>>My 2 cents on your review, although I will try to be nicer than<br>>>you were to<br>>>the reviewee. I'm completely skipping your section where you
<br>>>talked to the<br>>>non-technical person, that's not even fair... sorta like reviewing<br>>>a<br>>>consulting group based on their website alone... oh shit, I forgot<br>>>you guys<br>
>>do that too.<br>>><br>>>Your comments on Question 1:<br>>><br>>>We're not impressed with Michael's answer. First off we have no<br>>>idea what<br>>>the hell this means: "Depending on time and availability, we will
<br>>>work on<br>>>finding any new vulnerability if we generate an anomaly of<br>>>interest." And we<br>>>totally disagree with "Currently, the focus is primarily on<br>>>discovering new
<br>>>Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat<br>>>on,<br>>>compared to Oracle." In fact, whatever is being described above<br>>>doesn't<br>>>sound anything like a vulnerability assessment, we're not sure
<br>>>what kind of<br>>>service it is.<br>>><br>>>The first portion "Depending on time and availability..." I don't<br>>>understand<br>>>what your confusion is. Basically the responder is saying that
<br>>>he's willing<br>>>to do what the client will pay him for. Consulting is not a<br>>>cookie-cutter<br>>>gig, so sometimes clients want you to spend 5 minutes running<br>>>scans, some
<br>>>want you to fuzz a proprietary protocol for as long as it takes.<br>>>I<br>>>personally don't think either end of the extreme is of value to<br>>>the client,<br>>>but you can hardly fault the respondent for delivering what the
<br>>>client asks<br>>>for.<br>>><br>>>The second, I don't agree the overall focus is on Oracle, but if<br>>>you read<br>>>the news (ZDnet, eWeek), or if you follow the conferences (HITB
<br>>>Malaysia 2007<br>>>great Oracle presentation), then you will know that Oracle is<br>>>catching a bit<br>>>of the limelight. Besides that, I don't think you are qualified<br>>>to say what
<br>>>exactly a vulnerability assessment is... if the client is paying<br>>>you to<br>>>assess their database servers, then that is a vulnerability<br>>>assessment of<br>>>their database servers and that is what the work is. Different
<br>>>clients have<br>>>different needs, and there are different specialty consulting<br>>>groups to help<br>>>meet those... can hardly fault him if his specialty is databases.<br>>><br>>>Your Comments on Question 2:
<br>>><br>>>>>trying to be cute with your "Again, carefully!" bullshit?<br>>><br>>>Come on guys... imagine you get called by a group of people asking<br>>>to assess<br>>>your company and you don't know who they are, wouldn't you try to
<br>>>befriend<br>>>them if possible? A little professionalism would go a long way to<br>>>improving<br>>>your reviews.<br>>><br>>>>>A penetration test is not "Anything Goes!"
<br>>><br>>>Umm... sorry guys, there is plenty of cause for performing a<br>>>Denial of<br>>>Service test. Keep in mind that availability is a large portion<br>>>of what<br>>>security is about. I don't think he's talking about using a bot
<br>>>net to try<br>>>to take them down.<br>>><br>>>>>it doesn't sound like Michael knows how to perform IDS evasion<br>>>testing.<br>>>Using a proxy is not going to help anyone evade detection, it
<br>>>will just<br>>>help them to hide their IP address.<br>>><br>>>Hmm... well, you're partially right. I suppose that if he had<br>>>enough proxy<br>>>servers and kept his scans very focused, he "might" be able to get
<br>>>around an<br>>>IDS. In any case, not all clients want IDS evasion performed...<br>>>for<br>>>instance, they may want to test their incident response, or, they<br>>>may allow<br>>>the consulting group through the IPS/IDS in an effort to save on
<br>>>time and<br>>>costs.<br>>><br>>>Your response to question 3:<br>>><br>>>>>From the answer above, it looks like they like the same tools as<br>>>most<br>>>people. That said, we've seen no proof of talent from anyone at
<br>>>PlanNetGroup yet. So we're near certain that their deliverables<br>>>ARE the<br>>>product of automation.<br>>><br>>>If they are the same tools that everyone uses, how can you knock
<br>>>them for<br>>>that? It seems to me that a group starts with a score of 0 in<br>>>your book,<br>>>and then if they impress you they get points. If you don't ask<br>>>the right<br>>>questions, I don't see how they could impress you. I concede, it
<br>>>is<br>>>certainly possible that they have no skills, and that they use<br>>>automation,<br>>>but I don't think it is fair to say that at this point of the<br>>>review.<br>>><br>
>>Your response to question 4:<br>>><br>>>>>Whoa, it takes too much time to create a fake deliverable? Well<br>>>that's one<br>>>way to get out of it, but we don't buy it. Either way, at this
<br>>>point we<br>>>don't feel that a sample report would help this review, we've<br>>>seen nothing<br>>>impressive yet.<br>>><br>>>Ever tried to do so? It does take a while, and it is risky. If
<br>>>you miss<br>>>sanitization and release results of one of your clients you could<br>>>get sued.<br>>> Perhaps given the context of the investigation he didn't want to<br>>>give you<br>
>>an old report and it would take too long and too much of his<br>>>billable time to<br>>>actually get this to you. That's not unreasonable. You aren't<br>>>paying him.<br>>> Again with the comments of nothing impressive yet. You are
<br>>>asking generic<br>>>questions, how could anything be impressive? It's a phone call or<br>>>email and<br>>>you are asking questions that almost all consulting groups should<br>>>have
<br>>>relatively the same answers to... I see nothing impressive in that<br>>>at all.<br>>><br>>>Your response to question 5:<br>>><br>>>>>It sounds like Michael has a difficult time sticking to the
<br>>>scope of work.<br>>>Any time anyone performs Distributed Metastasis it should be<br>>>built into a<br>>>scope of work first. If it is not, then do not perform the<br>>>testing because
<br>>>it is invasive and will get you into trouble. This is a big<br>>>negative point<br>>>in our eyes as it's critical that providers are able to adhere to<br>>>the scope<br>>>>>of work for each specific engagement.
<br>>><br>>>I actually agree with most of this, but then again, as long as he<br>>>doesn't go<br>>>over the client's budgetary and time constraints and is providing<br>>>the<br>>>customer with value, I have no problem with going outside of scope
<br>>>as long<br>>>as the client does not. Also, I don't know that it is a big<br>>>negative as you<br>>>say.<br>>><br>>>Your response to question 6:<br>>><br>>>>>It sounds like Michael is a corporate security guy and has no
<br>>>experience<br>>>as a hacker.<br>>>Bit of a blanket statement I'd say, but OK, let's assume you are<br>>>correct<br>>>>>Certifications hold little to no water when it comes to real IT
<br>>>security.<br>>>Agreed, but you are totally putting words into his mouth. He<br>>>basically says<br>>>the same thing by calling the CISSP a definition test. Why do<br>>>that? Most<br>
>>people in security have the certs... most realize they are worth<br>>>nothing and<br>>>don't really test tech knowledge, but instead test business<br>>>knowledge.<br>>>>>What does hold water is experience and from what we can tell,
<br>>>Michael has<br>>>no real hacker experience.<br>>>Please define "no real hacker experience". If you mean he isn't<br>>>31337 like<br>>>you guys, then OK. BTW, most clients aren't just paying for "real
<br>>>hacker<br>>>experience" they're also paying for the business side, i.e. what<br>>>is my risk,<br>>>how can I mitigate, etc. A good team has both people.<br>>><br>>>On your response to question 7:
<br>>><br>>>Do you resell third party technologies?<br>>><br>>>>>We don't think that it is a good idea that Professional IT<br>>>Security<br>>>Providers sell third party technologies. Specifically because
<br>>>they become<br>>>biased towards a specific technology and push that technology as<br>>>a method<br>>>of remediation when better methods might already exist.<br>>>Agreed. But that said, what if your third-party tech. has nothing
<br>>>to do<br>>>with the main thrust of your consulting work? The question is<br>>>pretty vague.<br>>><br>>>On your response to question 8 and 9:<br>>><br>>>Ok, I'll buy that you have cookie cutter definitions from google
<br>>>of those<br>>>flaws and that his definitions don't fit. I'll even buy that you<br>>>make a<br>>>good point when you say EIP overwrite is not the only method of<br>>>exploitation
<br>>>(especially these days), but I'm wondering what you expected.<br>>>Should he<br>>>have rattled on and on about how to exploit b0f in an XP SP 2<br>>>environment?<br>>> Talk to you at length about DEP? Bit ridiculous expectations.
<br>>>Hell, while<br>>>you're at it, why didn't you ask him about integer overflows?<br>>>Off-by-one/few/many exploits? Heap overflows? Why not have him recite<br>>>the Heap<br>>>Feng Shui method to you? What about double free flaws, dangling
<br>>>pointers,<br>>>etc. etc. etc. Let's be serious here, unless you are contracted<br>>>by<br>>>Microsoft or another major software vendor, you probably don't pay<br>>>the bills<br>
>>by doing your own research, so... does this really matter? Sure,<br>>>it's<br>>>great... I'd like to know that consultants I was paying top dollar<br>>>to knew<br>>>about this, but if he comes on site and spends 3 weeks trying to
<br>>>find an<br>>>integer overflow, I'm going to be pissed.<br>>><br>>>Disclaimer:<br>>>I'm not a client of PlanNetGroup. Also, I don't think what you<br>>>are trying<br>>>to do is a terrible thing, there's lots of snake oil being sold in
<br>>>the<br>>>commoditized security market out there, but I disapprove of your<br>>>professionalism and your methods. Also, I believe the list is<br>>>still waiting<br>>>for you to credentialize yourself/yourselves. That still doesn't
<br>>>seem to be<br>>>grasped here. Look, if you're someone people respect, then maybe<br>>>people<br>>>will buy your reviews, but somehow I doubt that is the case. I'm<br>>>basing<br>
>>that view off of the content of your website and the fact that you<br>>>still<br>>>have not credentialized yourself as the list called for so long<br>>>ago. Do<br>>>that, and I will re-review my review of your reviews.
<br>>><br>>>Nate<br>>><br>>>On Jan 20, 2008 7:17 PM, secreview <<a href="mailto:secreview@hushmail.com">secreview@hushmail.com</a>> wrote:<br>>><br>>>> The PlanNetGroup is a Professional IT Security Services Provider
<br>>>located<br>>>> at <a href="http://www.plannetgroup.com">http://www.plannetgroup.com</a>. <<a href="http://www.plannetgroup.com/">http://www.plannetgroup.com/</a>><br>>>One of our<br>>>> readers requested that we perform a review of the PlanNetGroup,
<br>>>so here it<br>>>> is. It is important to state that there isn't all that much<br>>>information<br>>>> available on the web about the PlanNetGroup, so this review is<br>>>based mostly
<br>>>> on the interviews that we performed.<br>>>><br>>>> The PlanNetGroup was founded by Jim Mazotas of Ohio USA<br>>>according to this Affirmative<br>>>> Action Verification Form <<a href="http://odnapps01.odn.state.oh.us/das-eod/EODBMSDev.nsf/d881c0c739c3c9b985257344004f1929/c3e323de1df5162b8525735d00607a6d?OpenDocument">http://odnapps01.odn.state.oh.us/das-eod/EODBMSDev.nsf/d881c0c739c3c9b985257344004f1929/c3e323de1df5162b8525735d00607a6d?OpenDocument</a>>.<br>>>> We called Mr. Succotash and spoke with him for about an hour
<br>>>about his<br>>>> company, here's what he had to say.<br>>>><br>>>> When we spoke with Jim Mazotas we asked him how he defined a<br>>>Penetration<br>>>> Test. His answer wasn't really an answer at all but rather was a
<br>>>bunch of<br>>>> technical words strung into sentences that made no sense. Here<br>>>is what he<br>>>> said for the most part. We can't give you an exact quote because<br>>>he<br>
>>> requested that some of the information related to clients, etc<br>>>be kept<br>>>> confidential.<br>>>><br>>>> "We get to target object, where we go with that is based upon
<br>>>the client's<br>>>> comfort level. We grab banner information, backend support<br>>>information, and<br>>>> other kinds of information. During a penetration test we most<br>>>will not
<br>>>> penetrate. Most mid level companies will not want penetration."<br>>>– Sanitized<br>>>> Quote from Jim<br>>>><br>>>> Not only do we not understand what Jim said, but he'd be better
<br>>>off saying<br>>>> "I don't know" next time instead of looking like an idiot and<br>>>making up an<br>>>> answer. This goes for all of you people that get asked technical<br>
>>questions.<br>>>> If you say "I don't know" at least you won't look like a fool.<br>>>Anyway.<br>>>><br>>>> When we asked Jim to define a Vulnerability Assessment, we
<br>>>became even<br>>>> more flustered. Again his answer was like a politician trying to<br>>>evade a<br>>>> question with a bunch of nonsensical noise. Again, we've<br>>>sanitized this at
<br>>>> Jim's request.<br>>>><br>>>> " A Vulnerability Assessment is more a lab based environment<br>>>type test.<br>>>> Analyze servers and all nodes that are a true vital asset to the
<br>>>company and<br>>>> assess the vulnerability In a very planned out manner. This is<br>>>done in a lab<br>>>> based environment." – Sanitized Quote from Jim<br>>>><br>>>> Again, next time say "I don't know" because now you look like an
<br>>>idiot.<br>>>> Nobody expects you to know everything, but when you make shit up<br>>>and try to<br>>>> fool people, it's insulting. To be fair to Jim, he did say that<br>>>he was not
<br>>>> technical, but we didn't get technical here. As the founder of<br>>>the business<br>>>> he should at least know what his different service boundaries<br>>>are and how<br>>>> his services are defined.
<br>>>><br>>>> When we asked Jim if his team performed Vulnerability Research<br>>>and<br>>>> Development, he said that they did not have the time because<br>>>they were<br>>>> "fully booked". His primary customer base includes state
<br>>>government and a<br>>>> few private sector businesses. Unfortunately, we can't disclose<br>>>who his<br>>>> exact customers are. He did say that he provides Network<br>>>Management Services
<br>>>> and Wireless Management services for many of his clients. Sounds<br>>>more IT<br>>>> related than Professional Security related.<br>>>><br>>>> When we finished with our call to Jim we asked him if he'd be
<br>>>kind enough<br>>>> to give us contact information for someone more technical in his<br>>>company. He<br>>>> told us that he'd be happy to arrange a call with someone. At<br>>>the end, we
<br>>>> didn't end up calling anyone but instead shot a few emails back<br>>>and forth.<br>>>> The rest of this review is based on those emails.<br>>>><br>>>> We decided to ask the same questions to Jim's technical expert.
<br>>>We know<br>>>> who his expert is, but we assume that he wants to stay anonymous<br>>>because he<br>>>> signed his email with "Jason Bourne". So for the sake of this<br>>>interview
<br>>>> we'll call him Michael. Here's the email from Michael:<br>>>><br>>>> -) How do you perform your vulnerability assessments?<br>>>><br>>>> "* Carefully! :) Typically, we will work with the customer to
<br>>>define the<br>>>> scope of the assessment; limitations to OS, Network Equipment,<br>>>Web<br>>>> Server, etc. This could be a combination of components<br>>>(depending on<br>>>> scope), the real goal ultimately with this is to assess the
<br>>>patching<br>>>> effort of a customer. Depending on time and availability, we<br>>>will work<br>>>> on finding any new vulnerability if we generate an anomaly of<br>>>interest.<br>
>>> Currently, the focus is primarily on discovering new Oracle<br>>>> vulnerabilities - as MS SQL 2K5 is more difficult to beat on,<br>>>compared<br>>>> to Oracle. Within vulnerability assessments, we disregard any
<br>>>attempts<br>>>> to evade IDS, IPS, etc."<br>>>><br>>>> We're not impressed with Michael's answer. First off we have no<br>>>idea what<br>>>> the hell this means: "Depending on time and availability, we
<br>>>will work on<br>>>> finding any new vulnerability if we generate an anomaly of<br>>>interest." And we<br>>>> totally disagree with "Currently, the focus is primarily on<br>>>discovering new
<br>>>> Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat<br>>>on,<br>>>> compared to Oracle." In fact, whatever is being described above<br>>>doesn't<br>>>> sound anything like a vulnerability assessment, we're not sure
<br>>>what kind of<br>>>> service it is.<br>>>><br>>>> -) How do you perform your penetration testing?<br>>>><br>>>> * Again, carefully! The definition that I use with customers is -
<br>>><br>>>> Anything Goes! In addition to attempting to locate missing<br>>>patches,<br>>>> vulnerable IOS's, applications, etc - we will perform an<br>>>assortment of<br>>>> timed attacks, attempt to spoof trusted connections, or even
<br>>>perform<br>>>> social engineering - like dropping a few pre-trojan'd usb data<br>>>sticks<br>>>> outside of a customer service area, a data center, etc. The only<br>>>thing<br>
>>> that we do not perform, typically, is denial of service style or<br>>>type of<br>>>> attacks. We have had only one customer that we felt was in the<br>>>position<br>>>> to handle such a test and it was performed against their
<br>>>disaster<br>>>> recovery infrastructure, not production."<br>>>><br>>>> Michael, why are you trying to be cute with your "Again,<br>>>carefully!"<br>>>> bullshit? A penetration test is not "Anything Goes!", if that's
<br>>>how you<br>>>> define it then I don't want you anywhere near any of my<br>>>networks. And why<br>>>> the hell would you perform a Denial of Service attack against<br>>>anyone?
<br>>>> Everybody can be knocked off line if you fill up their pipe. You<br>>>scare us<br>>>> man!<br>>>><br>>>><br>>>> -) How do you perform evasive IDS testing?<br>>>>
<br>>>> "* We use a series of proxy servers to attempt to perform basic<br>>>hacking<br>>>> techniques; port scans, blatant attacks, etc. We are typically<br>>>going to<br>>>> look for TCP resets as a means to evaluate if IDS is present and
<br>>>> possibly to find if IDS performs blocking activity. Often times,<br>>>if a<br>>>> system in a trusted DMZ can be compromised and used as a proxy<br>>>> (exploiting a relationship or rule within a firewall) or an SSH,
<br>>>SSL,<br>>>> encrypted tunnel can be established to a server behind the IDS<br>>>sensor<br>>>> then we can successfully pull off an attack without the<br>>>customer's<br>>>> security staff even knowing."
<br>>>><br>>>> It doesn't sound like Michael knows how to perform IDS evasion<br>>>testing.<br>>>> Using a proxy is not going to help anyone evade detection, it<br>>>will just help
<br>>>> them to hide their IP address. If the target network or<br>>>application is being<br>>>> protected by an IPS device, then the IP that they are attacking<br>>>from will be<br>>>> shunned just the same. So, we understand that the PlanNetGroup's
<br>>>expert<br>>>> hasn't a clue as to how to evade IDS. (Michael, did you get your<br>>>answer from<br>>>> Google?)<br>>>><br>>>> -) What tools do you favor?<br>>>>
<br>>>> "* We really do not favor any tools. The focus of our effort<br>>>(Assuming we<br>>>> are performing a pen-test or assessment) is to analyze a<br>>>situation and<br>>>> choose the best tool for the end result or compromise. I will
<br>>>use commercial<br>>>> applications, such as AppScan, WebInspect, even ISS. There are<br>>>however<br>>>> plenty of freeware, low-cost tools that we use; nmap, nessus,<br>>>metasploit -
<br>>>> ultimately, I find that an internet browser and a telnet prompt<br>>>will suffice<br>>>> for much of the testing. It ultimately gets back to interpreting<br>>>the results<br>>>> and adjusting the testing accordingly. We make it a point to try
<br>>>out new<br>>>> freeware tools on every assignment. The more tools that we know<br>>>of and can<br>>>> test with opens our options if in the future a situation best<br>>>suited for a
<br>>>> tool presents itself."<br>>>><br>>>> Every business that delivers security services has a set of<br>>>tools that<br>>>> they use. These tools change from business to business, but
<br>>>common ones are<br>>>> nessus, webinspect, CANVAS, Core Impact, Metasploit, etc. From<br>>>the answer<br>>>> above, it looks like they like the same tools as most people.<br>>>That said,
<br>>>> we've seen no proof of talent from anyone at PlanNetGroup yet.<br>>>So we're near<br>>>> certain that their deliverables ARE the product of automation.<br>>>><br>>>> -) Can you provide us with sample deliverables? (sanitized)
<br>>>><br>>>> "* No, too much time. Even to sanitize creates an opportunity<br>>>for a<br>>>> liability in the event that a customer name is exposed ...<br>>>accidents do<br>>>> happen! I will say that we do not take dumps from applications
<br>>>and<br>>>> regurgitate the information on paper. We limit our executive<br>>>summary to 6<br>>>> pages at most and attempt to keep the entire report limited to<br>>>25 pages in
<br>>>> total. Our goal with a deliverable is to get the precise<br>>>information to the<br>>>> key stakeholders so that they can make a decision."<br>>>><br>>>> Whoa, it takes too much time to create a fake deliverable? Well
<br>>>that's one<br>>>> way to get out of it, but we don't buy it. Either way, at this<br>>>point we<br>>>> don't feel that a sample report would help this review, we've<br>>>seen nothing
<br>>>> impressive yet.<br>>>><br>>>> -) Do you offer the option of performing Distributed Metastasis?<br>>>><br>>>> "* No, not really. This is my decision as in a previous life I
<br>>>got walked<br>>>> out of Bell Atlantic Mobile (Verizon Wireless) using this<br>>>technique when I<br>>>> compromised their Unix infrastructure by compromising the rlogin<br>>>function
<br>>>> (on all Unix servers, across all data centers). There is no<br>>>substitute for<br>>>> experience, especially bad ones!"<br>>>><br>>>> It sounds like Michael has a difficult time sticking to the
<br>>>scope of work.<br>>>> Any time anyone performs Distributed Metastasis it should be<br>>>built into a<br>>>> scope of work first. If it is not, then do not perform the<br>>>testing because
<br>>>> it is invasive and will get you into trouble. This is a big<br>>>negative point<br>>>> in our eyes as it's critical that providers are able to adhere to<br>>>the scope<br>>>> of work for each specific engagement.
<br>>>><br>>>> -) What is your background with relation to information<br>>>security?<br>>>><br>>>> "* Too long, too boring. Yeah got the CISSP (nice vocabulary<br>>>test), but
<br>>>> had to as I worked for DOD. Got a number of Certifications (I<br>>>have a stack<br>>>> almost an inch thick and only get into them about once a year to<br>>>throw<br>>>> another couple on top of the previous ones - too much alphabet
<br>>>soup for me,<br>>>> but bosses and customers like it. Spoke at a number of<br>>>> European conferences, but found too many people did not<br>>>understand a word<br>>>> I was talking about, so I got tired of that and quit that scene.
<br>>>My outlook<br>>>> on security has changed, to the point that I will advise<br>>>customers of their<br>>>> risk, attempt to make it practical - but if they make a<br>>>conscious choice not
<br>>>> to listen - I do not fret over it."<br>>>><br>>>> It sounds like Michael is a corporate security guy and has no<br>>>experience<br>>>> as a hacker. Certifications hold little to no water when it
<br>>>comes to real IT<br>>>> security. What does hold water is experience and from what we<br>>>can tell,<br>>>> Michael has no real hacker experience.<br>>>><br>>>> -) Do you resell third party technologies?
<br>>>><br>>>> "* No, but kind of wished that we would. I think that it would<br>>>help with<br>>>> sales."<br>>>><br>>>> We don't think that it is a good idea that Professional IT
<br>>>Security<br>>>> Providers sell third party technologies. Specifically because<br>>>they become<br>>>> biased towards a specific technology and push that technology as<br>>>a method of
<br>>>> remediation when better methods might already exist.<br>>>><br>>>> -) Can you tell me why the EIP is important?<br>>>><br>>>> "* The EIP controls an application's execution. If an attacker
<br>>>can modify<br>>>> the EIP while it is being pushed on the stack then the attacker<br>>>*could*<br>>>> execute their own code and create a thread (aka. a buffer<br>>>overflow condition
<br>>>> exists). I had a good refresher this past year at Blackhat with<br>>>a course run<br>>>> by Saumil Shah - he had an interesting buffer overflow<br>>>> for the Linked-In client."
<br>>>><br>>>> The EIP is the Instruction Pointer for the x86 architecture. The<br>>>purpose<br>>>> of the EIP is to point to the next instruction in a particular<br>>>code segment.<br>
>>> If the EIP can be overwritten then the flow of control of an<br>>>application can<br>>>> be changed. In most cases this can lead to the execution of<br>>>arbitrary code<br>>>> on the targeted system. Hackers use this to penetrate vulnerable
<br>>>systems.<br>>>><br>>>> -) Can you define a format string exploit?<br>>>><br>>>> "* A format string exploit leverages what is considered a<br>>>programming<br>>>> bug. If input is not sanitized, an attacker can perform calls to
<br>>>the<br>>>> stack; read, write, etc without knowing details about the EIP."<br>>>><br>>>> Unfortunately this answer isn't accurate or detailed enough as<br>>>almost all
<br>>>> software vulnerabilities are the result of user input that is<br>>>not properly<br>>>> sanitized or validated. A format string condition occurs when a<br>>>user inserts<br>>>> a format token into a C based application and that input is not
<br>>>properly<br>>>> sanitized. Hence why it is called a format string vulnerability.<br>>>When that<br>>>> input hits a function that performs formatting, such as printf()<br>>>the input
<br>>>> is interpreted in accordance with the format tokens. Sometimes<br>>>this can be<br>>>> used to write arbitrary data to arbitrary memory locations. The<br>>>EIP isn't<br>>>> the only valuable memory location.
<br>>>><br>>>><br>>>><br>>>><br>>>> If you've managed to get this far, then you've survived reading<br>>>Michael's<br>>>> answers to our questions. We're not going to spend much more
<br>>>time writing<br>>>> this review because by now we've formed our opinion. We did take<br>>>a quick<br>>>> look at the PlanNetGroup's website and as with their people, we<br>>>were not the
<br>>>> least bit impressed.<br>>>><br>>>> Our opinion of the PlanNetGroup is that they'd have a hard time<br>>>hacking<br>>>> their way out of a wet paper bag. Their security expert is not
<br>>>an expert by<br>>>> our standards, as he did not properly answer any of our<br>>>questions or help to<br>>>> define any of their services. We're pretty sure that the<br>>>PlanNetGroup could
<br>>>> run nessus and offer basic vulnerability assessment services.<br>>>We're also<br>>>> pretty sure that they could offer IT services at some level. But<br>>>we'd hardly<br>>>> call them subject matter experts and wouldn't recommend their
<br>>>services to<br>>>> anyone.<br>>>><br>>>> If you are using the PlanNetGroup services and feel that we have<br>>>not given<br>>>> them a fair review then please comment on this post. We will
<br>>>consider your<br>>>> comments. We have to say that Jim and Michael were both very<br>>>polite,<br>>>> friendly, and respectful, but we can't let their kind nature<br>>>impact our
<br>>>> opinion of their service delivery capabilities. We think that<br>>>they should<br>>>> sit down and try to define their services properly. We also<br>>>think that they<br>>>> should hire an ethical hacker with real world experience if they
<br>>>intend to<br>>>> protect anyone.<br>>>><br>>>> Score Card: <<a href="http://bp2.blogger.com/_VcwqM25xL9M/R5PxN8GqVTI/AAAAAAAAACU/D7T4RSQlSXs/s1600-h/96YV5X.jpeg">http://bp2.blogger.com/_VcwqM25xL9M/R5PxN8GqVTI/AAAAAAAAACU/D7T4RSQlSXs/s1600-h/96YV5X.jpeg</a>><br>>>><br>>>> --<br>>>> Posted By secreview to Professional IT Security Providers - Exposed <<a href="http://secreview.blogspot.com/2008/01/plannetgroup-f.html">http://secreview.blogspot.com/2008/01/plannetgroup-f.html</a>> at 1/20/2008 04:21:00 PM<br>>>> _______________________________________________
<br>>>> Full-Disclosure - We believe in it.<br>>>> Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>>>> Hosted and sponsored by Secunia -
<a href="http://secunia.com/">http://secunia.com/</a><br>>>><br>> Regards,<br>> The Secreview Team<br>> <a href="http://secreview.blogspot.com">http://secreview.blogspot.com</a><br>><br>> --
<br>> Professional IT Security Service Providers - Exposed<br><br></blockquote></div><br>
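Added example, not part of any message in this thread: the format string condition secreview describes near the end of the quoted review (untrusted input reaching a printf()-family call as the format argument, so the input's directives are interpreted rather than printed) shown as a vulnerable C function beside its hardened form and a small audit check. The function names, the hidden 0xDEADBEEF local and the attacker strings are constructed for illustration. The single extra argument in the unsafe call is a deliberate simplification, labelled in the comments: a real bug passes no arguments and the directive reads whatever sits in the argument slots, which is undefined behaviour and not reproducible in a test, while passing one value keeps the behaviour defined and still shows a user-supplied %x reading a value the caller never meant to expose.

```c
/* Added example (not from the thread): the format-string bug beside
 * the hardened call and a pre-flight audit check.
 * Build: cc -Wall -o fmtdemo fmtdemo.c */
#include <stdio.h>
#include <string.h>

/* Simulates log code that passes untrusted text as the FORMAT argument.
 * A real bug has no extra arguments, so a directive such as %x reads
 * whatever sits in the argument slots (registers/stack). Calling a
 * variadic function with fewer arguments than directives is undefined
 * behaviour, so to keep this demo deterministic the function passes
 * exactly one value: a local the programmer never meant to expose
 * (assumed here to stand in for the leaked stack word). A single %x
 * from the attacker prints it; a %s would treat it as a pointer and
 * crash; %n would write through it. */
const char *render_unsafe(const char *untrusted, char *out, size_t n)
{
    unsigned int hidden = 0xDEADBEEF;    /* stand-in for a stack value */
    snprintf(out, n, untrusted, hidden); /* BUG: attacker controls the format */
    return out;
}

/* Hardened: the format is a literal; user text is only ever DATA. */
const char *render_safe(const char *untrusted, char *out, size_t n)
{
    snprintf(out, n, "%s", untrusted);
    return out;
}

/* Audit helper: count conversion directives in a string ("%%" is a
 * literal percent, not a directive). Any nonzero count in text that is
 * about to become a format argument is a finding. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip the pair */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char out[64];
    const char *attacker = "%08x";  /* constructed input: one read directive */

    printf("unsafe: %s\n", render_unsafe(attacker, out, sizeof out)); /* deadbeef */
    printf("safe:   %s\n", render_safe(attacker, out, sizeof out));   /* %08x */
    printf("directives: %d\n", count_format_directives("100%% done %x %n")); /* 2 */
    return 0;
}
```

With -Wall the unsafe call compiles silently because an argument is present; -Wformat=2 (which turns on -Wformat-nonliteral) flags any non-literal format string and is the cheaper check to run across a code base before hunting for the call sites by hand.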