<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<META content="MSHTML 6.00.6000.16414" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>not aimed at anyone in general. sorry Nate. just
following a thread...</FONT></DIV>
<DIV><FONT face=Arial size=2>j.d.</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=nate.mcfeters@gmail.com href="mailto:nate.mcfeters@gmail.com">Nate
McFeters</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=jerryde@mc.net
href="mailto:jerryde@mc.net">Jerry dePriest</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A title=secreview@hushmail.com
href="mailto:secreview@hushmail.com">SecReview</A> ; <A
title=full-disclosure@lists.grok.org.uk
href="mailto:full-disclosure@lists.grok.org.uk">full-disclosure@lists.grok.org.uk</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Monday, January 21, 2008 11:29
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [Full-disclosure]
[Professional IT Security Providers -Exposed] PlanNetGroup ( F )</DIV>
<DIV><BR></DIV>Was that aimed at me or secreview? I do NOT have MLK off,
which is a travesty in and of itself, but I also feel it is important to
challenge secreview on this matter.<BR><BR>
<DIV><SPAN class=gmail_quote>On 1/21/08, <B class=gmail_sendername>Jerry
dePriest</B> <<A href="mailto:jerryde@mc.net">jerryde@mc.net</A>>
wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">nice
to see some have mlk off and nothing better to do<BR>----- Original Message
-----<BR>From: "SecReview" < <A
href="mailto:secreview@hushmail.com">secreview@hushmail.com</A>><BR>To:
<<A
href="mailto:nate.mcfeters@gmail.com">nate.mcfeters@gmail.com</A>><BR>Cc:
<<A
href="mailto:full-disclosure@lists.grok.org.uk ">full-disclosure@lists.grok.org.uk
</A>><BR>Sent: Monday, January 21, 2008 10:40 AM<BR>Subject: Re:
[Full-disclosure] [Professional IT Security Providers
-Exposed]<BR>PlanNetGroup ( F )<BR><BR><BR>>
Nate,<BR>> Your email was constructive and much
appreciated. We'll go over <BR>> the review a second time and incorporate
some of your suggestions.<BR>> Thank you for taking the time to provide
so much good feedback.<BR>><BR>><BR>><BR>> On Mon, 21 Jan 2008
02:07:50 -0500 Nate McFeters <BR>> <<A
href="mailto:nate.mcfeters@gmail.com">nate.mcfeters@gmail.com</A>>
wrote:<BR>>>SecReview,<BR>>>My 2 cents on your review, although
I will try to be nicer than<BR>>>you were to<BR>>>the
reviewee. I'm completely skipping your section where you
<BR>>>talked to the<BR>>>non-technical person, that's not even
fair... sorta like reviewing<BR>>>a<BR>>>consulting group based
on their website alone... oh shit, I forgot<BR>>>you
guys<BR>>>do that too.<BR>>><BR>>>Your comments on
Question 1:<BR>>><BR>>>We're not impressed with Michael's
answer. First off we have no<BR>>>idea what<BR>>>the hell this
means: "Depending on time and availability, we will <BR>>>work
on<BR>>>finding any new vulnerability if we generate an anomaly
of<BR>>>interest." And we<BR>>>totally disagree with "Currently,
the focus is primarily on<BR>>>discovering new <BR>>>Oracle
vulnerabilities - as MS SQL 2K5 is more difficult to
beat<BR>>>on,<BR>>>compared to Oracle." In fact, whatever is
being described above<BR>>>doesn't<BR>>>sound anything like a
vulnerability assessment, we're not sure <BR>>>what kind
of<BR>>>service it is.<BR>>><BR>>>The first portion
"Depending on time and availability..." I
don't<BR>>>understand<BR>>>what your confusion
is. Basically the responder is saying that <BR>>>he's
willing<BR>>>to do what the client will pay him
for. Consulting is not a<BR>>>cookie-cutter<BR>>>gig,
so sometimes clients want you to spend 5 minutes running<BR>>>scans,
some <BR>>>want you to fuzz a proprietary protocol for as long as it
takes.<BR>>>I<BR>>>personally don't think either end of the
extreme is of value to<BR>>>the client,<BR>>>but you can hardly
fault the respondent for delivering what the <BR>>>client
asks<BR>>>for.<BR>>><BR>>>The second, I don't agree the
overall focus is on Oracle, but if<BR>>>you read<BR>>>the news
(ZDnet, eWeek), or if you follow the conferences (HITB <BR>>>Malaysia
2007<BR>>>great Oracle presentation), then you will know that Oracle
is<BR>>>catching a bit<BR>>>of the limelight. Besides
that, I don't think you are qualified<BR>>>to say what
<BR>>>exactly a vulnerability assessment is... if the client is
paying<BR>>>you to<BR>>>assess their database servers, then that
is a vulnerability<BR>>>assessment of<BR>>>their database
servers and that is what the work is. Different
<BR>>>clients have<BR>>>different needs, and there are different
specialty consulting<BR>>>groups to help<BR>>>meet those... can
hardly fault him if his specialty is databases.<BR>>><BR>>>Your
Comments on Question 2: <BR>>><BR>>>>>trying to be cute
with your "Again, carefully!" bullshit?<BR>>><BR>>>Come on
guys... imagine you get called by a group of people asking<BR>>>to
assess<BR>>>your company and you don't know who they are, wouldn't you
try to <BR>>>befriend<BR>>>them if possible? A little
professionalism would go a long way to<BR>>>improving<BR>>>your
reviews.<BR>>><BR>>>>>A penetration test is not "Anything
Goes!" <BR>>><BR>>>Umm... sorry guys, there is plenty of cause
for performing a<BR>>>Denial of<BR>>>Service
test. Keep in mind that availability is a large
portion<BR>>>of what<BR>>>security is about. I don't
think he's talking about using a bot <BR>>>net to try<BR>>>to
take them down.<BR>>><BR>>>>>it doesn't sound like Michael
knows how to perform IDS evasion<BR>>>testing.<BR>>>Using a
proxy is not going to help anyone evade detection, it
<BR>>>will just<BR>>>help them to hide their IP
address.<BR>>><BR>>>Hmm... well, you're partially
right. I suppose that if he had<BR>>>enough
proxy<BR>>>servers and kept his scans very focused, he "might" be able
to get <BR>>>around an<BR>>>IDS. In any case, not all
clients want IDS evasion performed...<BR>>>for<BR>>>instance,
they may want to test their incident response, or, they<BR>>>may
allow<BR>>>the consulting group through the IPS/IDS in an effort to
save on <BR>>>time and<BR>>>costs.<BR>>><BR>>>Your
response to question 3:<BR>>><BR>>>>>From the answer
above, it looks like they like the same tools
as<BR>>>most<BR>>>people. That said, >>we've seen no proof
of talent from anyone at <BR>>>PlanNetGroup yet. So we're near certain
that their deliverables<BR>>>ARE the<BR>>>product of
automation.<BR>>><BR>>>If they are the same tools that everyone
use, how can you knock <BR>>>them for<BR>>>that? It
seems to me that a group starts with a score of 0 in<BR>>>your
book,<BR>>>and then if they impress you they get points. If
you don't ask<BR>>>the right<BR>>>questions, I don't see how
they could impress you. I concede, it
<BR>>>is<BR>>>certainly possible that they have no skills, and
that they use<BR>>>automation,<BR>>>but I don't think it is fair
to say that at this point of
the<BR>>>review.<BR>>><BR>>>Your response to question
4:<BR>>><BR>>>>>Whoa, it takes too much time to create a
fake deliverable? Well<BR>>>that's one<BR>>>way to get out
of it, but we don't buy it. Either way, at this <BR>>>point
we<BR>>>don't feel that a sample report would help this
review, we've<BR>>>seen nothing<BR>>>impressive
yet.<BR>>><BR>>>Ever tried to do so? It does take
awhile, and it is risky. If <BR>>>you
miss<BR>>>sanitization and release results of one of your clients you
could<BR>>>get sued.<BR>>> Perhaps given the context of the
investigation he didn't want to<BR>>>give you<BR>>>an old report
and it would take too long and too much of his<BR>>>billable time
to<BR>>>actually get this to you. That's not
unreasonable. You aren't<BR>>>paying him.<BR>>> Again
with the comments of nothing impressive yet. You are
<BR>>>asking generic<BR>>>questions, how could anything be
impressive? It's a phone call or<BR>>>email
and<BR>>>you are asking questions that almost all consulting groups
should<BR>>>have <BR>>>relatively the same answers to... I see
nothing impressive in that<BR>>>at all.<BR>>><BR>>>Your
response to question 5:<BR>>><BR>>>>>It sounds like
Michael has a difficult time sticking to the <BR>>>scope of
work.<BR>>>Any time anyone performs Distributed Metastasis it
should be<BR>>>built into a<BR>>>scope of work first. If it is
not, then do not perform the<BR>>>testing because
<BR>>>it is invasive and will get you into trouble. This is a
big<BR>>>negative point<BR>>>in our eyes as it's critical that
providers are able to adhere to<BR>>>the scope<BR>>>>>of
work for each specific engagement. <BR>>><BR>>>I actually agree
with most of this, but then again, as long as he<BR>>>doesn't
go<BR>>>over the client's budgetary and time constraints and is
providing<BR>>>the<BR>>>customer with value, I have no problem
with going outside of scope <BR>>>as long<BR>>>as the client
does not. Also, I don't know that it is a big<BR>>>negative
as you<BR>>>say.<BR>>><BR>>>Your response to question
6:<BR>>><BR>>>>>It sounds like Michael is a corporate
security guy and has no <BR>>>experience<BR>>>as a
hacker.<BR>>>Bit of a blanket statement I'd say, but OK, let's assume
you are<BR>>>correct<BR>>>>>Certifications hold little to
no water when it comes to real IT <BR>>>security.<BR>>>Agreed,
but you are totally putting words into his
mouth. He<BR>>>basically says<BR>>>the same thing by
calling the CISSP a definition test. Why
do<BR>>>that? Most<BR>>>people in security have the
certs... most realize they are worth<BR>>>nothing and<BR>>>don't
really test tech knowledge, but instead test
business<BR>>>knowledge.<BR>>>>>What does hold water is
experience and from what we can tell, <BR>>>Michael has<BR>>>no
real hacker experience.<BR>>>Please define "no real hacker
experience". If you mean he isn't<BR>>>31337
like<BR>>>you guys, then OK. BTW, most clients aren't just
paying for "real <BR>>>hacker<BR>>>experience" they're also
paying for the business side, i.e. what<BR>>>is my
risk,<BR>>>how can I mitigate, etc. A good team has both
people.<BR>>><BR>>>On your response to question 7:
<BR>>><BR>>>Do you resell third party
technologies?<BR>>><BR>>>>>We don't think that it is a
good idea that Professional IT<BR>>>Security<BR>>>Providers sell
third party technologies. Specifically because <BR>>>they
become<BR>>>biased towards a specific technology and push that
technology as<BR>>>a method<BR>>>of remediation when better
methods might already exist.<BR>>>Agreed. But that said,
what if your third-party tech. has nothing <BR>>>to do<BR>>>with
the main thrust of your consulting work? The question
is<BR>>>pretty vague.<BR>>><BR>>>On your response to
question 8 and 9:<BR>>><BR>>>Ok, I'll buy that you have cookie
cutter definitions from google <BR>>>of those<BR>>>flaws and
that his definitions don't fit. I'll even buy that
you<BR>>>make a<BR>>>good point when you say EIP overwrite is
not the only method of<BR>>>exploitation <BR>>>(especially these
days), but I'm wondering what you expected.<BR>>>Should
he<BR>>>have rattled on and on about how to exploit b0f in an XP SP
2<BR>>>environment?<BR>>> Talk to you at length about
DEP? Bit ridiculous expectations. <BR>>>Hell,
while<BR>>>you're at it, why didn't you ask him about integer
overflows? Off-<BR>>>by<BR>>>one/few/many
exploits? Heap overflows? Why not have him
recite<BR>>>the Heap<BR>>>Feng Shui method to
you? What about double free flaws, dangling
<BR>>>pointers,<BR>>>etc. etc. etc. Let's be serious
here, unless you are contracted<BR>>>by<BR>>>Microsoft or
another major software vendor, you probably don't pay<BR>>>the
bills<BR>>>by doing your own research, so... does this really
matter? Sure,<BR>>>it's<BR>>>great... I'd like to
know that consultants I was paying top dollar<BR>>>to
knew<BR>>>about this, but if he comes on site and spends 3 weeks
trying to <BR>>>find an<BR>>>integer overflow, I'm going to be
pissed.<BR>>><BR>>>Disclaimer:<BR>>>I'm not a client of
PlanNetGroup. Also, I don't think what you<BR>>>are
trying<BR>>>to do is a terrible thing, there's lots of snake oil being
sold in <BR>>>the<BR>>>commoditized security market out there,
but I disapprove of your<BR>>>professionalism and your
methods. Also, I believe the list is<BR>>>still
waiting<BR>>>for you to credentialize
yourself/yourselves. That still hasn't <BR>>>seemed to
be<BR>>>grasped here. Look, if you're someone people
respect, then maybe<BR>>>people<BR>>>will buy your reviews, but
somehow I doubt that is the
case. I'm<BR>>>basing<BR>>>that view off of the
content of your website and the fact that
you<BR>>>still<BR>>>have not credentialized yourself as the list
called for so long<BR>>>ago. Do<BR>>>that, and I will
re-review my review of your reviews.
<BR>>><BR>>>Nate<BR>>><BR>>>On Jan 20, 2008 7:17 PM,
secreview <<A
href="mailto:secreview@hushmail.com">secreview@hushmail.com</A>>
wrote:<BR>>><BR>>>> The PlanNetGroup is a Professional IT
Security Services Provider <BR>>>located<BR>>>> at <A
href="http://www.plannetgroup.com">http://www.plannetgroup.com</A>. <<A
href="http://www.plannetgroup.com/">http://www.plannetgroup.com/</A>><BR>>>One
of our<BR>>>> readers requested that we perform a review of the
PlanNetGroup, <BR>>>so here it<BR>>>> is. It is important to
state that there isn't all that much<BR>>>information<BR>>>>
available on the web about the PlanNetGroup, so this review
is<BR>>>based mostly <BR>>>> on the interviews that we
performed.<BR>>>><BR>>>> The PlanNetGroup was founded by
Jim Mazotas of Ohio USA<BR>>>according to this
Affirmative<BR>>>> Action Verification Form< <A
href="http://odnapps01.odn.state.oh.us/das-">http://odnapps01.odn.state.oh.us/das-</A><BR>>>eod/EODBMSDev.nsf/d881c0c739c3c9b985257344004f1929/c3e323de1df5162b<BR>>>8525735d00607a6d?OpenDocument>.<BR>>>>
We called Mr. Succotash and spoke with him for about an hour
<BR>>>about his<BR>>>> company, here's what he had to
say.<BR>>>><BR>>>> When we spoke with Jim Mazotas we asked
him how he defined a<BR>>>Penetration<BR>>>> Test. His answer
wasn't really an answer at all but rather was a <BR>>>bunch
of<BR>>>> technical words strung into sentences that made no sense.
Here<BR>>>is what he<BR>>>> said for the most part. We can't
give you an exact quote because<BR>>>he<BR>>>> requested that
some of the information related to clients, etc<BR>>>be
kept<BR>>>> confidential.<BR>>>><BR>>>> "We get
to target object, where we go with that is based upon <BR>>>the
client's<BR>>>> comfort level. We grab banner information, backend
support<BR>>>information, and<BR>>>> other kinds of
information. During a penetration test we most<BR>>>will not
<BR>>>> penetrate. Most mid level companies will not want
penetration."<BR>>>– Sanitized<BR>>>> Quote from
Jim<BR>>>><BR>>>> Not only do we not understand what Jim
said, but he'd be better <BR>>>off saying<BR>>>> "I don't
know" next time instead of looking like an idiot and<BR>>>making up
an<BR>>>> answer. This goes for all of you people that get asked
technical<BR>>>questions.<BR>>>> If you say "I don't know" at
least you won't look like a
fool.<BR>>>Anyway.<BR>>>><BR>>>> When we asked Jim
to define a Vulnerability Assessment, we <BR>>>became
even<BR>>>> more flustered. Again his answer was like a politician
trying to<BR>>>evade a<BR>>>> question with a bunch of
nonsensical noise. Again, we've<BR>>>sanitized this at
<BR>>>> Jim's request.<BR>>>><BR>>>> " A
Vulnerability Assessment is more a lab based environment<BR>>>type
test.<BR>>>> Analyze servers and all nodes that are a true vital
asset to the <BR>>>company and<BR>>>> assess the
vulnerability in a very planned-out manner. This is<BR>>>done in a
lab<BR>>>> based environment." – Sanitized Quote from
Jim<BR>>>><BR>>>> Again, next time say "I don't know"
because now you look like an <BR>>>idiot.<BR>>>> Nobody
expects you to know everything, but when you make shit up<BR>>>and try
to<BR>>>> fool people, it's insulting. To be fair to Jim, he did say
that<BR>>>he was not <BR>>>> technical, but we didn't get
technical here. As the founder of<BR>>>the business<BR>>>> he
should at least know what his different service boundaries<BR>>>are
and how<BR>>>> his services are defined.
<BR>>>><BR>>>> When we asked Jim if his team performed
Vulnerability Research<BR>>>and<BR>>>> Development, he said
that they did not have the time because<BR>>>they were<BR>>>>
"fully booked". His primary customer base includes state
<BR>>>government and a<BR>>>> few private sector businesses.
Unfortunately, we can't disclose<BR>>>who his<BR>>>> exact
customers are. He did say that he provides Network<BR>>>Management
Services <BR>>>> and Wireless Management services for many of his
clients. Sounds<BR>>>more IT<BR>>>> related than Professional
Security related.<BR>>>><BR>>>> When we finished with our
call to Jim we asked him if he'd be <BR>>>kind enough<BR>>>>
to give us contact information for someone more technical in
his<BR>>>company. He<BR>>>> told us that he'd be happy to
arrange a call with someone. At<BR>>>the end, we <BR>>>>
didn't end up calling anyone but instead shot a few emails
back<BR>>>and forth.<BR>>>> The rest of this review is based
on those emails.<BR>>>><BR>>>> We decided to ask the same
questions to Jim's technical expert. <BR>>>We know<BR>>>> who
his expert is, but we assume that he wants to stay
anonymous<BR>>>because he<BR>>>> signed his email with "Jason
Bourne". So for the sake of this<BR>>>interview <BR>>>> we'll
call him Michael. Here's the email from
Michael:<BR>>>><BR>>>> -) How do you perform your
vulnerability assessments?<BR>>>><BR>>>> "* Carefully! :)
Typically, we will work with the customer to <BR>>>define
the<BR>>>> scope of the assessment; limitations to OS, Network
Equipment,<BR>>>Web<BR>>>> Server, etc. This could be a
combination of components<BR>>>(depending on<BR>>>> scope),
the real goal ultimately with this is to assess the
<BR>>>patching<BR>>>> effort of a customer. Depending on time
and availability, we<BR>>>will work<BR>>>> on finding any new
vulnerability if we generate an anomaly
of<BR>>>interest.<BR>>>> Currently, the focus is primarily on
discovering new Oracle<BR>>>> vulnerabilities - as MS SQL 2K5 is
more difficult to beat on,<BR>>>compared<BR>>>> to Oracle.
Within vulnerability assessments, we disregard any
<BR>>>attempts<BR>>>> to evade IDS, IPS,
etc."<BR>>>><BR>>>> We're not impressed with Michael's
answer. First off we have no<BR>>>idea what<BR>>>> the hell
this means: "Depending on time and availability, we <BR>>>will work
on<BR>>>> finding any new vulnerability if we generate an anomaly
of<BR>>>interest." And we<BR>>>> totally disagree with
"Currently, the focus is primarily on<BR>>>discovering new
<BR>>>> Oracle vulnerabilities - as MS SQL 2K5 is more difficult to
beat<BR>>>on,<BR>>>> compared to Oracle." In fact, whatever
is being described above<BR>>>doesn't<BR>>>> sound anything
like a vulnerability assessment, we're not sure <BR>>>what kind
of<BR>>>> service it is.<BR>>>><BR>>>> -) How do
you perform your penetration testing?<BR>>>><BR>>>> *
Again, carefully! The definition that I use with customers is -
<BR>>><BR>>>> Anything Goes! In addition to attempting to
locate missing<BR>>>patches,<BR>>>> vulnerable IOS's,
applications, etc - we will perform an<BR>>>assortment
of<BR>>>> timed attacks, attempt to spoof trusted connections, or
even <BR>>>perform<BR>>>> social engineering - like dropping
a few pre-trojan'd usb data<BR>>>sticks<BR>>>> outside of a
customer service area, a data center, etc. The
only<BR>>>thing<BR>>>> that we do not perform, typically, is
denial of service style or<BR>>>type of<BR>>>> attacks. We
have had only one customer that we felt was in
the<BR>>>position<BR>>>> to handle such a test and it was
performed against their <BR>>>disaster<BR>>>> recovery
infrastructure, not production."<BR>>>><BR>>>> Michael,
why are you trying to be cute with your
"Again,<BR>>>carefully!"<BR>>>> bullshit? A penetration test
is not "Anything Goes!", if that's <BR>>>how you<BR>>>>
define it then I don't want you anywhere near any of my<BR>>>networks.
And why<BR>>>> the hell would you perform a Denial of Service
attack against<BR>>>anyone? <BR>>>> Everybody can be knocked
off line if you fill up their pipe. You<BR>>>scare us<BR>>>>
man!<BR>>>><BR>>>><BR>>>> -) How do you perform
evasive IDS testing?<BR>>>> <BR>>>> "* We use a series of
proxy servers to attempt to perform basic<BR>>>hacking<BR>>>>
techniques; port scans, blatant attacks, etc. We are
typically<BR>>>going to<BR>>>> look for TCP resets as a means
to evaluate if IDS is present and <BR>>>> possibly to find if IDS
performs blocking activity. Often times,<BR>>>if a<BR>>>>
system in a trusted DMZ can be compromised and used as a
proxy<BR>>>> (exploiting a relationship or rule within a firewall)
or an SSH, <BR>>>SSL,<BR>>>> encrypted tunnel can be
established to a server behind the IDS<BR>>>sensor<BR>>>>
then we can successfully pull off an attack without
the<BR>>>customers<BR>>>> security staff even knowing."
<BR>>>><BR>>>> It doesn't sound like Michael knows how to
perform IDS evasion<BR>>>testing.<BR>>>> Using a proxy is not
going to help anyone evade detection, it<BR>>>will just help
<BR>>>> them to hide their IP address. If the target network
or<BR>>>application is being<BR>>>> protected by an IPS
device, then the IP that they are attacking<BR>>>from will
be<BR>>>> shunned just the same. So, we understand that the
PlanNetGroup's <BR>>>expert<BR>>>> hasn't a clue as to how to
evade IDS. (Michael, did you get your<BR>>>answer from<BR>>>>
Google?)<BR>>>><BR>>>> -) What tools do you
favor?<BR>>>> <BR>>>> "* We really do not favor any tools.
The focus of our effort<BR>>>(Assuming we<BR>>>> are
performing a pen-test or assessment) is to analyze a<BR>>>situation
and<BR>>>> choose the best tool for the end result or compromise. I
will <BR>>>use commercial<BR>>>> applications, such as
AppScan, WebInspect, even ISS. There are<BR>>>however<BR>>>>
plenty of freeware, low-cost tools that we use; nmap,
nessus,<BR>>>metasploit - <BR>>>> ultimately, I find that an
internet browser and a telnet prompt<BR>>>will suffice<BR>>>>
for much of the testing. It ultimately gets back to
interpreting<BR>>>the results<BR>>>> and adjusting the
testing accordingly. We make it a point to try <BR>>>out
new<BR>>>> freeware tools on every assignment. The more tools that
we know<BR>>>of and can<BR>>>> test with opens our options if
in the future a situation best<BR>>>suited for a <BR>>>> tool
presents itself."<BR>>>><BR>>>> Every business that
delivers security services has a set of<BR>>>tools
that<BR>>>> they use. These tools change from business to business,
but <BR>>>common ones are<BR>>>> nessus, webinspect, CANVAS,
Core Impact, Metasploit, etc. From<BR>>>the answer<BR>>>>
above, it looks like they like the same tools as most
people.<BR>>>That said, <BR>>>> we've seen no proof of talent
from anyone at PlanNetGroup yet.<BR>>>So we're near<BR>>>>
certain that their deliverables ARE the product of
automation.<BR>>>><BR>>>> -) Can you provide us with
sample deliverables? (sanitized) <BR>>>><BR>>>> "* No, too
much time. Even to sanitize creates an opportunity<BR>>>for
a<BR>>>> liability in the event that a customer name is exposed
...<BR>>>accidents do<BR>>>> happen! I will say that we do
not take dumps from applications <BR>>>and<BR>>>>
regurgitate the information on paper. We limit our
executive<BR>>>summary to 6<BR>>>> pages at most and attempt
to keep the entire report limited to<BR>>>25 pages in <BR>>>>
total. Our goal with a deliverable is to get the
precise<BR>>>information to the<BR>>>> key stake holders so
that they can make a decision."<BR>>>><BR>>>> Whoa, it
takes too much time to create a fake deliverable? Well <BR>>>that's
one<BR>>>> way to get out of it, but we don't buy it. Either way,
at this<BR>>>point we<BR>>>> don't feel that a sample report
would help this review, we've<BR>>>seen nothing <BR>>>>
impressive yet.<BR>>>><BR>>>> -) Do you offer the option
of performing Distributed Metastasis?<BR>>>><BR>>>> "* No,
not really. This is my decision as in a previous life I <BR>>>got
walked<BR>>>> out of Bell Atlantic Mobile (Verizon Wireless) using
this<BR>>>technique when I<BR>>>> compromised their Unix
infrastructure by compromising the rlogin<BR>>>function
<BR>>>> (on all Unix servers, across all data centers). There is
no<BR>>>substitute for<BR>>>> experience, especially bad
ones!"<BR>>>><BR>>>> It sounds like Michael has a
difficult time sticking to the <BR>>>scope of work.<BR>>>>
Any time anyone performs Distributed Metastasis it should
be<BR>>>built into a<BR>>>> scope of work first. If it is
not, then do not perform the<BR>>>testing because <BR>>>> it
is invasive and will get you into trouble. This is a big<BR>>>negative
point<BR>>>> in our eyes as it's critical that providers are able to
adhere to<BR>>>the scope<BR>>>> of work for each specific
engagement. <BR>>>><BR>>>> -) What is your background with
relation to information<BR>>>security?<BR>>>><BR>>>>
"* Too long, too boring. Yeah got the CISSP (nice
vocabulary<BR>>>test), but <BR>>>> had to as I worked for
DOD. Got a number of Certifications (I<BR>>>have a
stack<BR>>>> almost an inch thick and only get into them about once
a year to<BR>>>throw<BR>>>> another couple on top of the
previous ones - too much alphabet <BR>>>soup for me,<BR>>>>
but bosses and customers like it. Spoke at a number of<BR>>>>
European conferences, but found too many people did
not<BR>>>understand a word<BR>>>> I was talking about, so I
got tired of that and quit that scene. <BR>>>My
outlook<BR>>>> on security has changed, to the point that I will
advise<BR>>>customers of their<BR>>>> risk, attempt to make
it practical - but if they make a<BR>>>conscious choice not
<BR>>>> to listen - I do not fret over
it."<BR>>>><BR>>>> It sounds like Michael is a corporate
security guy and has no<BR>>>experience<BR>>>> as a hacker.
Certifications hold little to no water when it <BR>>>comes to real
IT<BR>>>> security. What does hold water is experience and from
what we<BR>>>can tell,<BR>>>> Michael has no real hacker
experience.<BR>>>><BR>>>> -) Do you resell third party
technologies? <BR>>>><BR>>>> "* No, but kind of wished
that we would. I think that it would<BR>>>help with<BR>>>>
sales."<BR>>>><BR>>>> We don't think that it is a good
idea that Professional IT <BR>>>Security<BR>>>> Providers
sell third party technologies. Specifically because<BR>>>they
become<BR>>>> biased towards a specific technology and push that
technology as<BR>>>a method of <BR>>>> remediation when
better methods might already exist.<BR>>>><BR>>>> -) Can
you tell me why the EIP is important?<BR>>>><BR>>>> "* The
EIP controls an application's execution. If an attacker <BR>>>can
modify<BR>>>> the EIP while it is being pushed on the stack then
the attacker<BR>>>*could*<BR>>>> execute their own code and
create a thread (aka. a buffer<BR>>>overflow condition
<BR>>>> exists). I had a good refresher this past year at Blackhat
with<BR>>>a course run<BR>>>> by Saumil Shah - he had an
interesting buffer overflow<BR>>>> for the Linked-In client."
<BR>>>><BR>>>> The EIP is the Instruction Pointer for the
x86 architecture. The<BR>>>purpose<BR>>>> of the EIP is to
point to the next instruction in a particular<BR>>>code
segment.<BR>>>> If the EIP can be overwritten then the flow of
control of an<BR>>>application can<BR>>>> be changed. In most
cases this can lead to the execution of<BR>>>arbitrary
code<BR>>>> on the targeted system. Hackers use this to penetrate
vulnerable <BR>>>systems.<BR>>>><BR>>>> -) Can you
define a format string exploit?<BR>>>><BR>>>> "* A format
string exploit leverages what is considered
a<BR>>>programming<BR>>>> bug. If input is not sanitized, an
attacker can perform calls to <BR>>>the<BR>>>> stack; read,
write, etc without knowing details about the
EIP."<BR>>>><BR>>>> Unfortunately this answer isn't
accurate or detailed enough as<BR>>>almost all <BR>>>>
software vulnerabilities are the result of user input that is<BR>>>not
properly<BR>>>> sanitized or validated. A format string condition
occurs when a<BR>>>user inserts<BR>>>> a format token into a
C based application and that input is not
<BR>>>properly<BR>>>> sanitized. Hence why it is called a
format string vulnerability.<BR>>>When that<BR>>>> input hits
a function that performs formatting, such as printf()<BR>>>the input
<BR>>>> is interpreted in accordance with the format tokens.
Sometimes<BR>>>this can be<BR>>>> used to write arbitrary
data to arbitrary memory locations. The<BR>>>EIP isn't<BR>>>>
the only valuable memory location.
<BR>>>><BR>>>><BR>>>><BR>>>><BR>>>>
If you've managed to get this far, then you've survived
reading<BR>>>Michael's<BR>>>> answers to our questions. We're
not going to spend much more <BR>>>time writing<BR>>>> this
review because by now we've formed our opinion. We did take<BR>>>a
quick<BR>>>> look at the PlanNetGroup's website and as with their
people, we<BR>>>were not the <BR>>>> least bit
impressed.<BR>>>><BR>>>> Our opinion of the PlanNetGroup
is that they'd have a hard time<BR>>>hacking<BR>>>> their way
out of a wet paper bag. Their security expert is not <BR>>>an expert
by<BR>>>> our standards, as he did not properly answer any of
our<BR>>>questions or help to<BR>>>> define any of their
services. We're pretty sure that the<BR>>>PlanNetGroup could
<BR>>>> run nessus and offer basic vulnerability assessment
services.<BR>>>We're also<BR>>>> pretty sure that they could
offer IT services at some level. But<BR>>>we'd hardly<BR>>>>
call them subject matter experts and wouldn't recommend their
<BR>>>services to<BR>>>>
anyone.<BR>>>><BR>>>> If you are using the PlanNetGroup
services and feel that we have<BR>>>not given<BR>>>> them a
fair review then please comment on this post. We will <BR>>>consider
your<BR>>>> comments. We have to say that Jim and Michael were both
very<BR>>>polite,<BR>>>> friendly, and respectful, but we
can't let their kind nature<BR>>>impact our <BR>>>> opinion
of their service delivery capabilities. We think that<BR>>>they
should<BR>>>> sit down and try to define their services properly.
We also<BR>>>think that they<BR>>>> should hire an ethical
hacker with real world experience if they <BR>>>intend
to<BR>>>> protect anyone.<BR>>>><BR>>>> Score
Card (Click to
Enlarge)<BR>>>><BR>>>><BR>>>><BR>>><<A
href="http://bp2.blogger.com/_VcwqM25xL9M/R5PxN8GqVTI/AAAAAAAAACU/D7T4RS">
http://bp2.blogger.com/_VcwqM25xL9M/R5PxN8GqVTI/AAAAAAAAACU/D7T4RS</A><BR>>>QlSXs/s1600-h/96YV5X.jpeg><BR>>>><BR>>>>
--<BR>>>> Posted By secreview to Professional IT Security Providers
- <BR>>>Exposed<<A
href="http://secreview.blogspot.com/2008/01/plannetgroup-">http://secreview.blogspot.com/2008/01/plannetgroup-</A><BR>>>f.html>at
1/20/2008 04:21:00 PM<BR>>>>
_______________________________________________ <BR>>>>
Full-Disclosure - We believe in it.<BR>>>> Charter: <A
href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</A><BR>>>>
Hosted and sponsored by Secunia - <A
href="http://secunia.com/">http://secunia.com/</A><BR>>>><BR>>
Regards,<BR>> The Secreview
Team<BR>> <A
href="http://secreview.blogspot.com">http://secreview.blogspot.com</A><BR>><BR>>
-- <BR>> Love Graphic Design? Find a school near you. Click Now.<BR>>
<A
href="http://tagline.hushmail.com/fc/Ioyw6h4fQlBYaiWpFnhi7pQK25eSsGhZHGXMnUnkrTsYbFDu13WWSE/">http://tagline.hushmail.com/fc/Ioyw6h4fQlBYaiWpFnhi7pQK25eSsGhZHGXMnUnkrTsYbFDu13WWSE/
</A><BR>> Professional IT Security
Service Providers - Exposed<BR>><BR>>
<BR><BR></BLOCKQUOTE></DIV><BR></BLOCKQUOTE></BODY></HTML>