Nate, Your email was constructive and much appreciated. We'll go over the review a second time and incorporate some of your suggestions. Thank you for taking the time to provide so much good feedback.
On Mon, 21 Jan 2008 02:07:50 -0500 Nate McFeters <[EMAIL PROTECTED]> wrote: >SecReview, >My 2 cents on your review, although I will try to be nicer then >you were to >the reviewee. I'm completely skipping your section where you >talked to the >non-technical person, that's not even fair... sorta like reviewing >a >consulting group based on their website alone... oh shit, I forgot >you guys >do that too. > >Your comments on Question 1: > >We're not impressed with Michael's answer. First off we have no >idea what >the hell this means: "Depending on time and availability, we will >work on >finding any new vulnerability if we generate an anomaly of >interest." And we >totally disagree with "Currently, the focus is primarily on >discovering new >Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat >on, >compared to Oracle." In fact, whatever is being described above >doesn't >sound anything like a vulnerability assessment, we're not sure >what kind of >service it is. > >The first portion "Depending on time and availability..." I don't >understand >what your confusion is. Basically the responder is saying that >he's willing >to do what the client will pay him for. Consulting is not a >cookie-cutter >gig, so sometimes clients want you to spend 5 minutes running >scans, some >want you to fuzz a proprietary protocol for as long as it takes. >I >personally don't think either end of the extreme is of value to >the client, >but you can hardly fault the respondent for delivering what the >client asks >for. > >The second, I don't agree the overall focus is on Oracle, but if >you read >the new (ZDnet, eWeek), or if you follow the conferences (HITB >Malaysia 2007 >great Oracle presnetation), then you will know that Oracle is >catching a bit >of the limelight. Besides that, I don't think you are qualified >to say what >exactly a vulnerability assessment is... if the client is paying >you to >assess their database servers, then that is a vulnerability >assessment of >their database servers and that is what the work is. Different >clients have >different needs, and their are different specialty consulting >groups to help >meet those... can hardly fault him if his specialty is databases. > >Your Comments on Question 2: > >>>trying to be cute with your "Again, carefully!" bullshit? > >Come on guys... imagine you get called by a group of people asking >to assess >your company and you don't know who they are, wouldn't you try to >befriend >them if possible? A little professionalism would go a long way to >improving >your reviews. > >>>A penetration test is not "Anything Goes!" > >Umm... sorry guys, there is plenty of cause for performing a >Denial of >Service test. Keep in mind that availability is a large portion >of what >security is about. I don't think he's talking about using a bot >net to try >to take them down. > >>>it doesn't sound like Michael knows how to perform IDS evasion >testing. >Using a proxy is >>not going to help anyone evade detection, it >will just >help them to hide their IP address. > >Hmm... well, you're partially right. I suppose that if he had >enough proxy >servers and kept his scans very focused, he "might" be able to get >around an >IDS. In any case, not all clients want IDS evasion performed... >for >instance, they may want to test their incident response, or, they >may allow >the consulting group through the IPS/IDS in an effort to save on >time and >costs. > >Your response to question 3: > >>>From the answer above, it looks like they like the same tools as >most >people. That said, >>we've seen no proof of talent from anyone at >PlanNetGroup yet. So we're near certain that >>their deliverables >ARE the >product of automation. > >If they are the same tools that everyone use, how can you knock >them for >that? It seems to me that a group starts with a score of 0 in >your book, >and then if they impress you they get points. If you don't ask >the right >questions, I don't see how they could impress you. I concede, it >is >certainly possible that they have no skills, and that they use >automation, >but I don't think it is fair to say that at this point of the >review. > >Your response to question 4: > >>>Woha, it takes too much time to create a fake deliverable? Well >that's one >way to get out >>of it, but we don't buy it. Either way, at this >point we >don't feel that a sample report would >>help this review, we've >seen nothing >impressive yet. > >Ever tried to do so? It does take awhile, and it is risky. If >you miss >sanitization and release results of one of your clients you could >get sued. > Perhaps given the context of the investigation he didn't want to >give you >an old report and it would take to long and too much of his >billable time to >actually get this to you. That's not unreasonable. You aren't >paying him. > Again with the comments of nothing impressive yet. You are >asking generic >questions, how could anything be impressive? It's a phone call or >email and >you are asking questions that almost all consulting groups should >have >relatively the same answers to... I see nothing impressive in that >at all. > >Your response to question 5: > >>>It sounds like Michael has a difficult time sticking to the >scope of work. >Any time anyone >>performs Distributed Metastasis it should be >built into a >scope of work first. If it is not, >>then do not perform the >testing because >it is invasive and will get you into trouble. This is >>a big >negative point >in our eyes as its critical that providers are able to adhere to >the scope >>>of work for each specific engagement. > >I actually agree with most of this, but then again, as long as he >doesn't go >over the clients budgetary and time constraints and is providing >the >customer with value, I have no problem with going outside of scope >as long >as the client does not. Also, I don't know that it is a big >negative as you >say. > >Your response to question 6: > >>>It sounds like Michael is a corporate security guy and has no >experience >as a hacker. >Bit of a blanket statement I'd say, but OK, let's assume you are >correct >>>Certifications hold little to no water when it comes to real IT >security. >Agreed, but you are totally putting words into his mouth. He >basically says >the same thing by calling the CISSP a definition test. Why do >that? Most >people in security have the certs... most realize they are worth >nothing and >don't really test tech knowledge, but instead test business >knowledge. >>>What does hold water is experience and from what we can tell, >Michael has >no real hacker >>experience. >Please define "no real hacker experience". If you mean he isn't >31337 like >you guys, then OK. BTW, most clients aren't just paying for "real >hacker >experience" they're also paying for the business side, i.e. what >is my risk, >how can I mitigate, etc. A good team has both people. > >On your response to question 7: > >Do you resell third party technologies? > >>>We don't think that it is a good idea that Professional IT >Security >Providers sell third party >>technologies. Specifically because >they become >biased towards a specific technology and >>push that technology as >a method >of remediation when better methods might already exist. >Agreed. But that said, what if your third-party tech. has nothing >to do >with the main thrust of your consulting work? The question is >pretty vague. > >On your response to question 8 and 9: > >Ok, I'll buy that you have cookie cutter definitions from google >of those >flaws and that his definitions don't fit. I'll even buy that you >make a >good point when you say EIP overwrite is not the only method of >exploitation >(especially these days), but I'm wondering what you expected. >Should he >have rattled on and on about how to exploit b0f in an XP SP 2 >environment? > Talk to you at length about DEP? Bit ridiculous expectations. >Hell, while >your at it, why didn't you ask him about integer overflows? Off- >by >one/few/many exploits? Heap overflows? Why not have him recite >the Heap >Fung Sheui method to you? What about double free flaws, dangling >pointers, >etc. etc. etc. Let's be serious here, unless you are contracted >by >Microsoft or another major software vendor, you probably don't pay >the bills >by doing your own research, so... does this really matter? Sure, >it's >great... I'd like to know that consultants I was paying top dollar >to knew >about this, but if he comes on site and spends 3 weeks trying to >find an >integer overflow, I'm going to be pissed. > >Disclaimer: >I'm not a client of PlanNetGroup. Also, I don't think what you >are trying >to do is a terrible thing, there's lots of snake oil being sold in >the >commoditized security market out there, but I disapprove of your >professionalism and your methods. Also, I believe the list is >still waiting >for you to credentialize yourself/yourselves. That still hasn't >seem to be >grasped here. Look, if you're someone people respect, then maybe >people >will buy your reviews, but somehow I doubt that is the case. I'm >basing >that view off of the content of your website and the fact that you >still >have not credentialized yourself as the list called for so long >ago. Do >that, and I will re-review my review of your reviews. > >Nate > >On Jan 20, 2008 7:17 PM, secreview <[EMAIL PROTECTED]> wrote: > >> The PlanNetGroup is a Professional IT Security Services Provider >located >> at http://www.plannetgroup.com. <http://www.plannetgroup.com/> >One of our >> readers requested that we perform a review of the PlanNetGroup, >so here it >> is. It is important to state that there isn't all that much >information >> available on the web about the PlanNetGroup, so this review is >based mostly >> on the interviews that we performed. >> >> The PlanNetGroup was founded by Jim Mazotas of Ohio USA >according to this Affirmative >> Action Verification Form<http://odnapps01.odn.state.oh.us/das- >eod/EODBMSDev.nsf/d881c0c739c3c9b985257344004f1929/c3e323de1df5162b >8525735d00607a6d?OpenDocument>. >> We called Mr. Succotash and spoke with him for about an hour >about his >> company, here's what he had to say. >> >> When we spoke with Jim Mazotas we asked him how he defined a >Penetration >> Test. His answer wasn't really an answer at all but rather was a >bunch of >> technical words strung into sentences that made no sense. Here >is what he >> said for the most part. We can't give you an exact quote because >he >> requested that some of the information related to clients, etc >be kept >> confidential. >> >> "We get to target object, where we go with that is based upon >the client's >> comfort level. We grab banner information, backend support >information, and >> other kinds of information. During a penetration test we most >will not >> penetrate. Most mid level companies will not want penetration." >– Sanitized >> Quote from Jim >> >> Not only do we not understand what Jim said, but he'd be better >off saying >> "I don't know" next time instead of looking like an idiot and >making up an >> answer. This goes for all of you people that get asked technical >questions. >> If you say "I don't know" at least you won't look like a fool. >Anyway. >> >> When we asked Jim to define a Vulnerability Assessment, we >became even >> more flustered. Again his answer was like a politician trying to >evade a >> question with a bunch of nonsensical noise. Again, we've >sanitized this at >> Jim's request. >> >> " A Vulnerability Assessment is more a lab based environment >type test. >> Analyze servers and all nodes that are a true vital asset to the >company and >> assess the vulnerability In a very planned out manner. This is >done in a lab >> based environment." – Sanitized Quote from Jim >> >> Again, next time say "I don't know" because now you look like an >idiot. >> Nobody expects you to know everything, but when you make shit up >and try to >> fool people, its insulting. To be fair to Jim, he did say that >he was not >> technical, but we didn't get technical here. As the founder of >the business >> he should at least know what his different service boundaries >are and how >> his services are defined. >> >> When we asked Jim if his team performed Vulnerability Research >and >> Development, he said that they did not have the time because >they were >> "fully booked". His primary customer base includes state >government and a >> few private sector businesses. Unfortunately, we can't disclose >who his >> exact customers are. He did say that he provides Network >Management Services >> and Wireless Management services for many of his clients. Sounds >more IT >> related than Professional Security related. >> >> When we finished with our call to Jim we asked him if he'd be >kind enough >> to give us contact information for someone more technical in his >company. He >> told us that he'd be happy to arrange a call with someone. At >the end, we >> didn't end up calling anyone but instead shot a few emails back >and fourth. >> The rest of this review is based on those emails. >> >> We decided to ask the same questions to Jim's technical expert. >We know >> who his expert is, but we assume that he wants to stay anonymous >because he >> signed his email with "Jason Bourne". So for the sake of this >interview >> we'll call him Michael. Here's the email from Michael: >> >> -) How do you perform your vulnerability assessments? >> >> "* Carefully! :) Typically, we will work with the customer to >define the >> scope of the assessment; limitations to OS, Network Equipment, >Web >> Server, etc. This could be a combination of components >(depending on >> scope), the real goal ultimately with this is to assess the >patching >> effort of a customer. Depending on time and availability, we >will work >> on finding any new vulnerability if we generate an anomaly of >interest. >> Currently, the focus is primarily on discovering new Oracle >> vulnerabilities - as MS SQL 2K5 is more difficult to beat on, >compared >> to Oracle. Within vulnerability assessments, we disregard any >attempts >> to evade IDS, IPS, etc." >> >> We're not impressed with Michael's answer. First off we have no >idea what >> the hell this means: "Depending on time and availability, we >will work on >> finding any new vulnerability if we generate an anomaly of >interest." And we >> totally disagree with "Currently, the focus is primarily on >discovering new >> Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat >on, >> compared to Oracle." In fact, whatever is being described above >doesn't >> sound anything like a vulnerability assessment, we're not sure >what kind of >> service it is. >> >> -) How do you perform your penetration testing? >> >> * Again, carefully! The definition that I use with customers is - > >> Anything Goes! In addition to attempting to locate missing >patches, >> vulnerable IOS's, applications, etc - we will perform an >assortment of >> timed attacks, attempt to spoof trusted connections, or even >perform >> social engineering - like dropping a few pre-trojan'd usb data >sticks >> outside of a customer service area, a data center, etc. The only >thing >> that we do not perform, typically, is denial of service style or >type of >> attacks. We have had only one customer that we felt was in the >position >> to handle such a test and it was performed against their >disaster >> recovery infrastructure, not production." >> >> Michael, why are you trying to be cute with your "Again, >carefully!" >> bullshit? A penetration test is not "Anything Goes!", if that's >how you >> define it then I don't want you anywhere near any of my >networks. And why >> the hell would you perform a Denial of Service attack against >anyone? >> Everybody can be knocked off line if you fill up their pipe. You >scare us >> man! >> >> >> -) How do you perform evasive IDS testing? >> >> "* We use a series of proxy servers to attempt to perform basic >hacking >> techniques; port scans, blatant attacks, etc. We are typically >going to >> look for TCP resets as a means to evaluate if IDS is present and >> possibly to find if IDS performs blocking activity. Often times, >if a >> system in a trusted DMZ can be compromised and used as a proxy >> (exploiting a relationship or rule within a firewall) or an SSH, >SSL, >> encrypted tunnel can be established to a server behind the IDS >sensor >> than we can successfully pull off an attack without the >customers >> security staff even knowing." >> >> It doesn't sound like Michael knows how to perform IDS evasion >testing. >> Using a proxy is not going to help anyone evade detection, it >will just help >> them to hide their IP address. If the target network or >application is being >> protected by an IPS device, then the IP that they are attacking >from will be >> shunned just the same. So, we understand that the PlanNetGroup's >expert >> hasn't a clue as to how to evade IDS. (Michael, did you get your >answer from >> Google?) >> >> -) What tools do you favor? >> >> "* We really do not favor any tools. The focus of our effort >(Assuming we >> are performing a pen-test or assessment) is to analyze a >situation and >> choose the best tool for the end result or compromise. I will >use commercial >> applications, such as AppScan, WebInspect, even ISS. There are >however >> plenty of freeware, low-cost tools that we use; nmap, nessus, >metasploit - >> ultimately, I find that an internet browser and a telnet prompt >will suffice >> for much of the testing. It ultimately gets back to interpreting >the results >> and adjusting the testing accordingly. We make it a point to try >out new >> freeware tools on every assignment. The more tools that we know >of and can >> test with opens our options if in the future a situation best >suited for a >> tool presents itself." >> >> Every business that delivers security services has a set of >tools that >> they use. These tools change from business to business, but >common ones are >> nessus, webinspect, CANVAS, Core Impact, Metaspoloit, etc. From >the answer >> above, it looks like they like the same tools as most people. >That said, >> we've seen no proof of talent from anyone at PlanNetGroup yet. >So we're near >> certain that their deliverables ARE the product of automation. >> >> -) Can you provide us with sample deliverables? (sanitized) >> >> "* No, too much time. Even to sanitize creates an opportunity >for a >> liability in the event that a customer name is exposed ... >accidents do >> happen! I will say that we do not take dumps from applications >and >> regurgitations the information on paper. We limit our executive >summary to 6 >> pages at most and attempt to keep the entire report limited to >25 pages in >> total. Our goal with a deliverable is to get the precise >information to the >> key stake holders so that they can make a decision." >> >> Woha, it takes too much time to create a fake deliverable? Well >that's one >> way to get out of it, but we don't buy it. Either way, at this >point we >> don't feel that a sample report would help this review, we've >seen nothing >> impressive yet. >> >> -) Do you offer the option of performing Distributed Metastasis? >> >> "* No, not really. This is my decision as in a previous life I >got walked >> out of Bell Atlantic Mobile (Verizon Wireless) using this >technique when I >> compromised their Unix infrastructure by compromising the rlogin >function >> (on all Unix servers, across all data centers). There is no >substitute for >> experience, especially bad ones!" >> >> It sounds like Michael has a difficult time sticking to the >scope of work. >> Any time anyone performs Distributed Metastasis it should be >built into a >> scope of work first. If it is not, then do not perform the >testing because >> it is invasive and will get you into trouble. This is a big >negative point >> in our eyes as its critical that providers are able to adhere to >the scope >> of work for each specific engagement. >> >> -) What is your background with relation to information >security? >> >> "* Too long, too boring. Yeah got the CISSP (nice vocabulary >test), but >> had to as I worked for DOD. Got a number of Certifications (I >have a stack >> almost an inch thick and only get into them about once a year to >throw >> another couple on top of the previous ones - too much alphabet >soup for me, >> but bosses and customers like it. Spoke at a number of >> European conferences, but found too many people did not >understand a word >> I was talking about, so I got tired of that and quit that scene. >My outlook >> on security has changed, to the point that I will advise >customers of their >> risk, attempt to make it practical - but if they make a >conscious choice not >> to listen - I do not fret over it.?" >> >> It sounds like Michael is a corporate security guy and has no >experience >> as a hacker. Certifications hold little to no water when it >comes to real IT >> security. What does hold water is experience and from what we >can tell, >> Michael has no real hacker experience. >> >> -) Do you resell third party technologies? >> >> "* No, but kind of wished that we would. I think that it would >help with >> sales." >> >> We don't think that it is a good idea that Professional IT >Security >> Providers sell third party technologies. Specifically because >they become >> biased towards a specific technology and push that technology as >a method of >> remediation when better methods might already exist. >> >> -) Can you tell me why the EIP is important? >> >> "* The EIP controls an applications execution. If an attacker >can modify >> the EIP while it is being pushed on the stack then the attacker >*could* >> execute their own code and create a thread (aka. a buffer >overflow condition >> exists). I had a good refresher this past year at Blackhat with >a course run >> by Saumil Shah - he had an interesting buffer overflow >> for the Linked-In client." >> >> The EIP is the Instruction Pointer for the x86 architecture. The >purpose >> of the EIP is to point to the next instruction in a particular >code segment. >> If the EIP can be overwritten then the flow of control of an >application can >> be changed. In most cases this can lead to the execution of >arbitrary code >> on the targeted system. Hackers use this to penetrate vulnerable >systems. >> >> -) Can you define a format string exploit? >> >> "* A format string exploit leverages what is considered a >programming >> bug. If input is not sanitized, an attacker can perform calls to >the >> stack; read, write, etc without knowing details about the EIP." >> >> Unfortunately this answer isn't accurate or detailed enough as >almost all >> software vulnerabilities are the result of user input that is >not properly >> sanitized or validated. A format string condition occurs when a >user inserts >> a format token into a C based application and that input is not >properly >> sanitized. Hence why it is called a format string vulnerability. >When that >> input hits a function that performs formatting, such as printf() >the input >> is interpreted in accordance with the format tokens. Sometimes >this can be >> used to write arbitrary data to arbitrary memory locations. The >EIP isn't >> the only valuable memory location. >> >> >> >> >> If you've managed to get this far, then you've survived reading >Michael's >> answers to our questions. We're not going to spend much more >time writing >> this review because by now we've formed our opinion. We did take >a quick >> look at the PlanNetGroup's website and as with their people, we >were not the >> least bit impressed. >> >> Our opinion of the PlanNetGroup is that they'd have a hard time >hacking >> their way out of a wet paper bag. Their security expert is not >an expert by >> our standards, as he did not properly answer any of our >questions or help to >> define any of their services. We're pretty sure that the >PlanNetGroup could >> run nessus and offer basic vulnerability assessment services. >We're also >> pretty sure that they could offer IT services at some level. But >we'd hardly >> call them subject matter experts and wouldn't recommend their >services to >> anyone. >> >> If you are using the PlanNetGroup services and feel that we have >not given >> them a fair review then please comment on this post. We will >consider your >> comments. We have to say that Jim and Michael were both very >polite, >> friendly, and respectful, but we can't let their kind nature >impact our >> opinion of their service delivery capabilities. We think that >they should >> sit down and try to define their services properly. We also >think that they >> should hire an ethical hacker with real world experience if they >intend to >> protect anyone. >> >> Score Card (Click to Enlarge) >> >> >> ><http://bp2.blogger.com/_VcwqM25xL9M/R5PxN8GqVTI/AAAAAAAAACU/D7T4RS >QlSXs/s1600-h/96YV5X.jpeg> >> >> -- >> Posted By secreview to Professional IT Security Providers - >Exposed<http://secreview.blogspot.com/2008/01/plannetgroup- >f.html>at 1/20/2008 04:21:00 PM >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> Regards, The Secreview Team http://secreview.blogspot.com -- Love Graphic Design? Find a school near you. Click Now. http://tagline.hushmail.com/fc/Ioyw6h4fQlBYaiWpFnhi7pQK25eSsGhZHGXMnUnkrTsYbFDu13WWSE/ Professional IT Security Service Providers - Exposed _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/