nice to see some have mlk off and nothing better to do

----- Original Message -----
From: "SecReview" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <full-disclosure@lists.grok.org.uk>
Sent: Monday, January 21, 2008 10:40 AM
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] PlanNetGroup ( F )
> Nate,
> Your email was constructive and much appreciated. We'll go over the review a second time and incorporate some of your suggestions. Thank you for taking the time to provide so much good feedback.
>
> On Mon, 21 Jan 2008 02:07:50 -0500 Nate McFeters <[EMAIL PROTECTED]> wrote:
>> SecReview,
>> My 2 cents on your review, although I will try to be nicer than you were to the reviewee. I'm completely skipping your section where you talked to the non-technical person, that's not even fair... sorta like reviewing a consulting group based on their website alone... oh shit, I forgot you guys do that too.
>>
>> Your comments on Question 1:
>>
>> We're not impressed with Michael's answer. First off we have no idea what the hell this means: "Depending on time and availability, we will work on finding any new vulnerability if we generate an anomaly of interest." And we totally disagree with "Currently, the focus is primarily on discovering new Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat on, compared to Oracle." In fact, whatever is being described above doesn't sound anything like a vulnerability assessment, we're not sure what kind of service it is.
>>
>> The first portion "Depending on time and availability..." I don't understand what your confusion is. Basically the responder is saying that he's willing to do what the client will pay him for. Consulting is not a cookie-cutter gig, so sometimes clients want you to spend 5 minutes running scans, some want you to fuzz a proprietary protocol for as long as it takes. I personally don't think either end of the extreme is of value to the client, but you can hardly fault the respondent for delivering what the client asks for.
>>
>> The second, I don't agree the overall focus is on Oracle, but if you read the news (ZDnet, eWeek), or if you follow the conferences (HITB Malaysia 2007 great Oracle presentation), then you will know that Oracle is catching a bit of the limelight. Besides that, I don't think you are qualified to say what exactly a vulnerability assessment is... if the client is paying you to assess their database servers, then that is a vulnerability assessment of their database servers and that is what the work is. Different clients have different needs, and there are different specialty consulting groups to help meet those... can hardly fault him if his specialty is databases.
>>
>> Your Comments on Question 2:
>>
>>>> trying to be cute with your "Again, carefully!" bullshit?
>>
>> Come on guys... imagine you get called by a group of people asking to assess your company and you don't know who they are, wouldn't you try to befriend them if possible? A little professionalism would go a long way to improving your reviews.
>>
>>>> A penetration test is not "Anything Goes!"
>>
>> Umm... sorry guys, there is plenty of cause for performing a Denial of Service test. Keep in mind that availability is a large portion of what security is about. I don't think he's talking about using a bot net to try to take them down.
>>
>>>> it doesn't sound like Michael knows how to perform IDS evasion testing. Using a proxy is not going to help anyone evade detection, it will just help them to hide their IP address.
>>
>> Hmm... well, you're partially right. I suppose that if he had enough proxy servers and kept his scans very focused, he "might" be able to get around an IDS. In any case, not all clients want IDS evasion performed... for instance, they may want to test their incident response, or, they may allow the consulting group through the IPS/IDS in an effort to save on time and costs.
>>
>> Your response to question 3:
>>
>>>> From the answer above, it looks like they like the same tools as most people. That said, we've seen no proof of talent from anyone at PlanNetGroup yet. So we're near certain that their deliverables ARE the product of automation.
>>
>> If they are the same tools that everyone uses, how can you knock them for that? It seems to me that a group starts with a score of 0 in your book, and then if they impress you they get points. If you don't ask the right questions, I don't see how they could impress you. I concede, it is certainly possible that they have no skills, and that they use automation, but I don't think it is fair to say that at this point of the review.
>>
>> Your response to question 4:
>>
>>>> Whoa, it takes too much time to create a fake deliverable? Well that's one way to get out of it, but we don't buy it. Either way, at this point we don't feel that a sample report would help this review, we've seen nothing impressive yet.
>>
>> Ever tried to do so? It does take a while, and it is risky. If you miss sanitization and release results of one of your clients you could get sued. Perhaps given the context of the investigation he didn't want to give you an old report and it would take too long and too much of his billable time to actually get this to you. That's not unreasonable. You aren't paying him. Again with the comments of nothing impressive yet. You are asking generic questions, how could anything be impressive? It's a phone call or email and you are asking questions that almost all consulting groups should have relatively the same answers to... I see nothing impressive in that at all.
>>
>> Your response to question 5:
>>
>>>> It sounds like Michael has a difficult time sticking to the scope of work. Any time anyone performs Distributed Metastasis it should be built into a scope of work first.
>>>> If it is not, then do not perform the testing because it is invasive and will get you into trouble. This is a big negative point in our eyes as it's critical that providers are able to adhere to the scope of work for each specific engagement.
>>
>> I actually agree with most of this, but then again, as long as he doesn't go over the client's budgetary and time constraints and is providing the customer with value, I have no problem with going outside of scope as long as the client does not. Also, I don't know that it is a big negative as you say.
>>
>> Your response to question 6:
>>
>>>> It sounds like Michael is a corporate security guy and has no experience as a hacker.
>>
>> Bit of a blanket statement I'd say, but OK, let's assume you are correct.
>>
>>>> Certifications hold little to no water when it comes to real IT security.
>>
>> Agreed, but you are totally putting words into his mouth. He basically says the same thing by calling the CISSP a definition test. Why do that? Most people in security have the certs... most realize they are worth nothing and don't really test tech knowledge, but instead test business knowledge.
>>
>>>> What does hold water is experience and from what we can tell, Michael has no real hacker experience.
>>
>> Please define "no real hacker experience". If you mean he isn't 31337 like you guys, then OK. BTW, most clients aren't just paying for "real hacker experience" they're also paying for the business side, i.e. what is my risk, how can I mitigate, etc. A good team has both people.
>>
>> On your response to question 7:
>>
>> Do you resell third party technologies?
>>
>>>> We don't think that it is a good idea that Professional IT Security Providers sell third party technologies. Specifically because they become biased towards a specific technology and push that technology as a method of remediation when better methods might already exist.
>>
>> Agreed.
>> But that said, what if your third-party tech. has nothing to do with the main thrust of your consulting work? The question is pretty vague.
>>
>> On your response to question 8 and 9:
>>
>> Ok, I'll buy that you have cookie cutter definitions from google of those flaws and that his definitions don't fit. I'll even buy that you make a good point when you say EIP overwrite is not the only method of exploitation (especially these days), but I'm wondering what you expected. Should he have rattled on and on about how to exploit b0f in an XP SP 2 environment? Talk to you at length about DEP? Bit ridiculous expectations. Hell, while you're at it, why didn't you ask him about integer overflows? Off-by-one/few/many exploits? Heap overflows? Why not have him recite the Heap Feng Shui method to you? What about double free flaws, dangling pointers, etc. etc. etc. Let's be serious here, unless you are contracted by Microsoft or another major software vendor, you probably don't pay the bills by doing your own research, so... does this really matter? Sure, it's great... I'd like to know that consultants I was paying top dollar to knew about this, but if he comes on site and spends 3 weeks trying to find an integer overflow, I'm going to be pissed.
>>
>> Disclaimer:
>> I'm not a client of PlanNetGroup. Also, I don't think what you are trying to do is a terrible thing, there's lots of snake oil being sold in the commoditized security market out there, but I disapprove of your professionalism and your methods. Also, I believe the list is still waiting for you to credentialize yourself/yourselves. That still hasn't seemed to be grasped here. Look, if you're someone people respect, then maybe people will buy your reviews, but somehow I doubt that is the case.
>> I'm basing that view off of the content of your website and the fact that you still have not credentialized yourself as the list called for so long ago. Do that, and I will re-review my review of your reviews.
>>
>> Nate
>>
>> On Jan 20, 2008 7:17 PM, secreview <[EMAIL PROTECTED]> wrote:
>>
>>> The PlanNetGroup is a Professional IT Security Services Provider located at http://www.plannetgroup.com. One of our readers requested that we perform a review of the PlanNetGroup, so here it is. It is important to state that there isn't all that much information available on the web about the PlanNetGroup, so this review is based mostly on the interviews that we performed.
>>>
>>> The PlanNetGroup was founded by Jim Mazotas of Ohio USA according to this Affirmative Action Verification Form <http://odnapps01.odn.state.oh.us/das-eod/EODBMSDev.nsf/d881c0c739c3c9b985257344004f1929/c3e323de1df5162b8525735d00607a6d?OpenDocument>. We called Mr. Succotash and spoke with him for about an hour about his company, here's what he had to say.
>>>
>>> When we spoke with Jim Mazotas we asked him how he defined a Penetration Test. His answer wasn't really an answer at all but rather was a bunch of technical words strung into sentences that made no sense. Here is what he said for the most part. We can't give you an exact quote because he requested that some of the information related to clients, etc be kept confidential.
>>>
>>> "We get to target object, where we go with that is based upon the client's comfort level. We grab banner information, backend support information, and other kinds of information. During a penetration test we most will not penetrate. Most mid level companies will not want penetration."
>>> – Sanitized Quote from Jim
>>>
>>> Not only do we not understand what Jim said, but he'd be better off saying "I don't know" next time instead of looking like an idiot and making up an answer. This goes for all of you people that get asked technical questions. If you say "I don't know" at least you won't look like a fool. Anyway.
>>>
>>> When we asked Jim to define a Vulnerability Assessment, we became even more flustered. Again his answer was like a politician trying to evade a question with a bunch of nonsensical noise. Again, we've sanitized this at Jim's request.
>>>
>>> "A Vulnerability Assessment is more a lab based environment type test. Analyze servers and all nodes that are a true vital asset to the company and assess the vulnerability in a very planned out manner. This is done in a lab based environment." – Sanitized Quote from Jim
>>>
>>> Again, next time say "I don't know" because now you look like an idiot. Nobody expects you to know everything, but when you make shit up and try to fool people, it's insulting. To be fair to Jim, he did say that he was not technical, but we didn't get technical here. As the founder of the business he should at least know what his different service boundaries are and how his services are defined.
>>>
>>> When we asked Jim if his team performed Vulnerability Research and Development, he said that they did not have the time because they were "fully booked". His primary customer base includes state government and a few private sector businesses. Unfortunately, we can't disclose who his exact customers are. He did say that he provides Network Management Services and Wireless Management services for many of his clients. Sounds more IT related than Professional Security related.
>>>
>>> When we finished with our call to Jim we asked him if he'd be kind enough to give us contact information for someone more technical in his company. He told us that he'd be happy to arrange a call with someone. At the end, we didn't end up calling anyone but instead shot a few emails back and forth. The rest of this review is based on those emails.
>>>
>>> We decided to ask the same questions to Jim's technical expert. We know who his expert is, but we assume that he wants to stay anonymous because he signed his email with "Jason Bourne". So for the sake of this interview we'll call him Michael. Here's the email from Michael:
>>>
>>> -) How do you perform your vulnerability assessments?
>>>
>>> "* Carefully! :) Typically, we will work with the customer to define the scope of the assessment; limitations to OS, Network Equipment, Web Server, etc. This could be a combination of components (depending on scope), the real goal ultimately with this is to assess the patching effort of a customer. Depending on time and availability, we will work on finding any new vulnerability if we generate an anomaly of interest. Currently, the focus is primarily on discovering new Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat on, compared to Oracle. Within vulnerability assessments, we disregard any attempts to evade IDS, IPS, etc."
>>>
>>> We're not impressed with Michael's answer. First off we have no idea what the hell this means: "Depending on time and availability, we will work on finding any new vulnerability if we generate an anomaly of interest." And we totally disagree with "Currently, the focus is primarily on discovering new Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat on, compared to Oracle."
>>> In fact, whatever is being described above doesn't sound anything like a vulnerability assessment, we're not sure what kind of service it is.
>>>
>>> -) How do you perform your penetration testing?
>>>
>>> "* Again, carefully! The definition that I use with customers is - Anything Goes! In addition to attempting to locate missing patches, vulnerable IOS's, applications, etc - we will perform an assortment of timed attacks, attempt to spoof trusted connections, or even perform social engineering - like dropping a few pre-trojan'd usb data sticks outside of a customer service area, a data center, etc. The only thing that we do not perform, typically, is denial of service style or type of attacks. We have had only one customer that we felt was in the position to handle such a test and it was performed against their disaster recovery infrastructure, not production."
>>>
>>> Michael, why are you trying to be cute with your "Again, carefully!" bullshit? A penetration test is not "Anything Goes!", if that's how you define it then I don't want you anywhere near any of my networks. And why the hell would you perform a Denial of Service attack against anyone? Everybody can be knocked off line if you fill up their pipe. You scare us man!
>>>
>>> -) How do you perform evasive IDS testing?
>>>
>>> "* We use a series of proxy servers to attempt to perform basic hacking techniques; port scans, blatant attacks, etc. We are typically going to look for TCP resets as a means to evaluate if IDS is present and possibly to find if IDS performs blocking activity.
>>> Often times, if a system in a trusted DMZ can be compromised and used as a proxy (exploiting a relationship or rule within a firewall) or an SSH, SSL, encrypted tunnel can be established to a server behind the IDS sensor then we can successfully pull off an attack without the customer's security staff even knowing."
>>>
>>> It doesn't sound like Michael knows how to perform IDS evasion testing. Using a proxy is not going to help anyone evade detection, it will just help them to hide their IP address. If the target network or application is being protected by an IPS device, then the IP that they are attacking from will be shunned just the same. So, we understand that the PlanNetGroup's expert hasn't a clue as to how to evade IDS. (Michael, did you get your answer from Google?)
>>>
>>> -) What tools do you favor?
>>>
>>> "* We really do not favor any tools. The focus of our effort (Assuming we are performing a pen-test or assessment) is to analyze a situation and choose the best tool for the end result or compromise. I will use commercial applications, such as AppScan, WebInspect, even ISS. There are however plenty of freeware, low-cost tools that we use; nmap, nessus, metasploit - ultimately, I find that an internet browser and a telnet prompt will suffice for much of the testing. It ultimately gets back to interpreting the results and adjusting the testing accordingly. We make it a point to try out new freeware tools on every assignment. The more tools that we know of and can test with opens our options if in the future a situation best suited for a tool presents itself."
>>>
>>> Every business that delivers security services has a set of tools that they use. These tools change from business to business, but common ones are nessus, webinspect, CANVAS, Core Impact, Metasploit, etc.
>>> From the answer above, it looks like they like the same tools as most people. That said, we've seen no proof of talent from anyone at PlanNetGroup yet. So we're near certain that their deliverables ARE the product of automation.
>>>
>>> -) Can you provide us with sample deliverables? (sanitized)
>>>
>>> "* No, too much time. Even to sanitize creates an opportunity for a liability in the event that a customer name is exposed ... accidents do happen! I will say that we do not take dumps from applications and regurgitate the information on paper. We limit our executive summary to 6 pages at most and attempt to keep the entire report limited to 25 pages in total. Our goal with a deliverable is to get the precise information to the key stake holders so that they can make a decision."
>>>
>>> Whoa, it takes too much time to create a fake deliverable? Well that's one way to get out of it, but we don't buy it. Either way, at this point we don't feel that a sample report would help this review, we've seen nothing impressive yet.
>>>
>>> -) Do you offer the option of performing Distributed Metastasis?
>>>
>>> "* No, not really. This is my decision as in a previous life I got walked out of Bell Atlantic Mobile (Verizon Wireless) using this technique when I compromised their Unix infrastructure by compromising the rlogin function (on all Unix servers, across all data centers). There is no substitute for experience, especially bad ones!"
>>>
>>> It sounds like Michael has a difficult time sticking to the scope of work. Any time anyone performs Distributed Metastasis it should be built into a scope of work first. If it is not, then do not perform the testing because it is invasive and will get you into trouble. This is a big negative point in our eyes as it's critical that providers are able to adhere to the scope of work for each specific engagement.
>>>
>>> -) What is your background with relation to information security?
>>>
>>> "* Too long, too boring. Yeah got the CISSP (nice vocabulary test), but had to as I worked for DOD. Got a number of Certifications (I have a stack almost an inch thick and only get into them about once a year to throw another couple on top of the previous ones - too much alphabet soup for me, but bosses and customers like it. Spoke at a number of European conferences, but found too many people did not understand a word I was talking about, so I got tired of that and quit that scene. My outlook on security has changed, to the point that I will advise customers of their risk, attempt to make it practical - but if they make a conscious choice not to listen - I do not fret over it."
>>>
>>> It sounds like Michael is a corporate security guy and has no experience as a hacker. Certifications hold little to no water when it comes to real IT security. What does hold water is experience and from what we can tell, Michael has no real hacker experience.
>>>
>>> -) Do you resell third party technologies?
>>>
>>> "* No, but kind of wished that we would. I think that it would help with sales."
>>>
>>> We don't think that it is a good idea that Professional IT Security Providers sell third party technologies. Specifically because they become biased towards a specific technology and push that technology as a method of remediation when better methods might already exist.
>>>
>>> -) Can you tell me why the EIP is important?
>>>
>>> "* The EIP controls an application's execution. If an attacker can modify the EIP while it is being pushed on the stack then the attacker *could* execute their own code and create a thread (aka. a buffer overflow condition exists).
>>> I had a good refresher this past year at Blackhat with a course run by Saumil Shah - he had an interesting buffer overflow for the Linked-In client."
>>>
>>> The EIP is the Instruction Pointer for the x86 architecture. The purpose of the EIP is to point to the next instruction in a particular code segment. If the EIP can be overwritten then the flow of control of an application can be changed. In most cases this can lead to the execution of arbitrary code on the targeted system. Hackers use this to penetrate vulnerable systems.
>>>
>>> -) Can you define a format string exploit?
>>>
>>> "* A format string exploit leverages what is considered a programming bug. If input is not sanitized, an attacker can perform calls to the stack; read, write, etc without knowing details about the EIP."
>>>
>>> Unfortunately this answer isn't accurate or detailed enough as almost all software vulnerabilities are the result of user input that is not properly sanitized or validated. A format string condition occurs when a user inserts a format token into a C based application and that input is not properly sanitized. Hence why it is called a format string vulnerability. When that input hits a function that performs formatting, such as printf() the input is interpreted in accordance with the format tokens. Sometimes this can be used to write arbitrary data to arbitrary memory locations. The EIP isn't the only valuable memory location.
>>>
>>> If you've managed to get this far, then you've survived reading Michael's answers to our questions. We're not going to spend much more time writing this review because by now we've formed our opinion. We did take a quick look at the PlanNetGroup's website and as with their people, we were not the least bit impressed.
>>>
>>> Our opinion of the PlanNetGroup is that they'd have a hard time hacking their way out of a wet paper bag. Their security expert is not an expert by our standards, as he did not properly answer any of our questions or help to define any of their services. We're pretty sure that the PlanNetGroup could run nessus and offer basic vulnerability assessment services. We're also pretty sure that they could offer IT services at some level. But we'd hardly call them subject matter experts and wouldn't recommend their services to anyone.
>>>
>>> If you are using the PlanNetGroup services and feel that we have not given them a fair review then please comment on this post. We will consider your comments. We have to say that Jim and Michael were both very polite, friendly, and respectful, but we can't let their kind nature impact our opinion of their service delivery capabilities. We think that they should sit down and try to define their services properly. We also think that they should hire an ethical hacker with real world experience if they intend to protect anyone.
>>>
>>> Score Card: <http://bp2.blogger.com/_VcwqM25xL9M/R5PxN8GqVTI/AAAAAAAAACU/D7T4RSQlSXs/s1600-h/96YV5X.jpeg>
>>>
>>> --
>>> Posted By secreview to Professional IT Security Providers - Exposed <http://secreview.blogspot.com/2008/01/plannetgroup-f.html> at 1/20/2008 04:21:00 PM
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
> Regards,
> The Secreview Team
> http://secreview.blogspot.com
>
> Professional IT Security Service Providers - Exposed
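The format string question in the quoted review (Michael's answer and secreview's correction that the bug is untrusted input reaching a formatting function such as printf(), where "%n"-style tokens can write memory) is the one technical point in the thread that a short program makes concrete. The following C is an added example written for this page; it is not code from the thread, from PlanNetGroup or from secreview. The sample input string is constructed, and the function names are my own. The vulnerable call is shown only as a comment so the file compiles cleanly under -Werror=format-security, which is also the compiler check a defender would turn on to catch this pattern.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of attacker-controlled data reaching a log call.
 * "%x" reads a stack word; "%n" writes the byte count so far to an
 * address taken from the stack. Neither should ever be interpreted. */
static const char *SAMPLE_INPUT = "%x.%x.%x.%n";

/* Count printf-style conversion directives in a string. "%%" is a
 * literal percent sign and is not counted. A non-zero result for data
 * that is about to be used *as* a format string is the defect the
 * review describes: the formatting function will interpret the data. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%": escaped percent, skip the pair */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* VULNERABLE pattern, kept as a comment so this file builds with
 * -Werror=format-security: the untrusted string *is* the format string.
 *
 *     void log_line(const char *user) { printf(user); }
 *
 * Fed SAMPLE_INPUT, the "%x" tokens leak stack contents and "%n" performs
 * an arbitrary write; the EIP is just one of many targets for that write. */

/* HARDENED: a literal format string; the untrusted string is only data.
 * Returns the number of characters placed in out (excluding the NUL). */
int log_line_hardened(char *out, size_t outlen, const char *user)
{
    int n = snprintf(out, outlen, "client said: %s", user);
    if (n < 0)
        return 0;
    return n < (int)outlen ? n : (int)outlen - 1;   /* clamp on truncation */
}

int main(void)
{
    char buf[128];
    printf("directives in sample input: %d\n",
           count_format_directives(SAMPLE_INPUT));
    log_line_hardened(buf, sizeof buf, SAMPLE_INPUT);
    printf("%s\n", buf);   /* tokens appear verbatim, uninterpreted */
    return 0;
}
```

Compile with `cc -Wall -Wformat -Werror=format-security`; re-enabling the commented-out `printf(user)` line then fails the build, which is the cheapest detection available for this bug class. The directive counter is a defence-in-depth screen for data that is about to be handed to a legacy formatting path you cannot change; the real fix is the literal format string in `log_line_hardened`.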