Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-17 Thread Valdis Kletnieks
On Tue, 17 Jan 2012 14:09:13 +0100, Martijn Broos said:

> If programmers are aware of security consequences, they would fix them in the
> first place or try to avoid them.

Unfortunately, there's this problem called "already announced ship date".

Go take a look at Skyrim - they announced 11/11/11 ship date like *months*
beforehand. And yes, it shipped that day - with lots of glitches.  The fact
that lots of the glitches were fixed in patches released within days after
release indicates that the programming staff knew full well what caused the
glitch and what to do to fix it - they just didn't have time to actually *do*
it before their freeze date to get stuff onto the DVD.

And security bugs are identical to other bugs as far as making a deadline goes
- at some point somebody has to say "delay it" or "ship it anyhow".  Usually,
neither choice is a really good option...

> So I vote for the use of kiddies (only in a controlled test environment).
> This could even be a public test site where this list could try to break the
> stuff as long as you tell me how you did it:)

This sort of public test is almost never a good idea.  One of two things 
happens:

1) The kiddies who do it for a lark break it.  Yes, now you know you have
holes. But the rest of the world now knows you couldn't even find the easy
stuff. So you're gonna be dead meat for the vultures once you fix the easy
stuff.

2) The kiddies who do it for a lark don't break it.  Doesn't prove squat,
because they almost certainly didn't check the entire attack surface, or try
very hard to break it. A good professional pen test company could still break
it - as could a really good black hat.  But neither of them are going to
participate in your public test unless you offer a lot bigger prize (equivalent
to what they'd make for a several-week actual engagement).



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-17 Thread Martijn Broos
Most of the problems start already at education. There is not enough focus 
during school time on what security beholds and what the consequences are of bad 
design, bad programming, bad architecture and bad security principles.  I know 
schoolbooks that don't even mention security at all, or it is explained within 2 
chapters (let's say 20 pages) of a 1000-page book. This also includes PKI and 
encryption. Security is only taught by trial and error apparently nowadays. And 
after you have burnt your fingers a few times you hire an expensive guy who 
does less than kiddies do but gives you more of a good feeling.
If programmers are aware of security consequences, they would fix them in the 
first place or try to avoid them.
Using kiddies is merely showing the terrible state your programmers' level is in. 
When you have engineers that are security aware, fewer exploits will be found. 
You still would look for them anyway because trust is good, proof is better in 
this scientific world.  In general testers are regarded as lesser people, but 
imho you should encourage them to try to break your code. At least that is what 
I do as a software engineer. After they break down my code, my first response 
is, thanks how did you do it, so I can update my skills as well. But this is 
all before production of course.
Yes, you can use them but make sure you know where their loyalty lies.
So I vote for the use of kiddies (only in a controlled test environment). This 
could even be a public test site where this list could try to break the stuff 
as long as you tell me how you did it:) I know this takes the fun out of it for 
a few, but hey you cannot please all people in the world.

From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of E M
Sent: Monday, 16 January 2012 21:47
To: noloa...@gmail.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

I would say that we need both types: the skiddies and the others.
If you give to the skiddies enough fun at work they won't do something beyond 
the scope.
But their scope should be: I have a site/system(of course, the test one, not 
the production one!) break it!
They do it without being evil, even if they break it, the job was to break it 
in the first place.
Then the other security guy should go to the management with the pwnd dummy 
database/data and show them how bad it would be if it was the real one, and how 
easily it could be done.
Maybe this way the management provides more funding to the security of the 
business.
So, yes, hire the skiddies, but keep the other too.


From: Jeffrey Walton <noloa...@gmail.com>
To: Laurelai <laure...@oneechan.org>
Cc: full-disclosure@lists.grok.org.uk
Sent: Monday, January 16, 2012 9:58 PM
Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

On Sat, Jan 7, 2012 at 6:03 PM, Laurelai <laure...@oneechan.org> wrote:
>
> Perhaps these companies should try to hire the kids owning them instead of
> crying to the feds.
Perhaps Stratfor's competition should hire them. Nothing new, there:
the Eastern Telegraph Company hired Nevil Maskelyne after he hacked
Marconi in 1903 during a demonstration of wireless telegraphy. [1]
(Wireless hacking since 1903!).

[1] http://www.newscientist.com/article/mg21228440.700-dotdashdiss-the-gentleman-hackers-1903-lulz.html






Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-17 Thread E M
I would say that we need both types: the skiddies and the others.
If you give to the skiddies enough fun at work they won't do something beyond 
the scope.
But their scope should be: I have a site/system(of course, the test one, not 
the production one!) break it!
They do it without being evil, even if they break it, the job was to break it 
in the first place.

Then the other security guy should go to the management with the pwnd dummy 
database/data and show them how bad it would be if it was the real one, and how 
easily it could be done.
Maybe this way the management provides more funding to the security of the 
business.

So, yes, hire the skiddies, but keep the other too.




 From: Jeffrey Walton 
To: Laurelai  
Cc: full-disclosure@lists.grok.org.uk 
Sent: Monday, January 16, 2012 9:58 PM
Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
 
On Sat, Jan 7, 2012 at 6:03 PM, Laurelai  wrote:
>
> Perhaps these companies should try to hire the kids owning them instead of
> crying to the feds.
Perhaps Stratfor's competition should hire them. Nothing new, there:
the Eastern Telegraph Company hired Nevil Maskelyne after he hacked
Marconi in 1903 during a demonstration of wireless telegraphy. [1]
(Wireless hacking since 1903!).

[1] http://www.newscientist.com/article/mg21228440.700-dotdashdiss-the-gentleman-hackers-1903-lulz.html


Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-16 Thread coderman
On Wed, Jan 11, 2012 at 9:40 AM, Kyle Creyts  wrote:
> I would also like to point out that "finding the bugs" is not the  same as
> "fixing the bugs," and that for all the focus that is placed on finding
> them, and lauding the people that do, fixing them is usually pretty
> thankless.

finding the bugs before a product or service is released is also
thankless. as is verifying that bugs are never re-introduced due to
carelessness or oversight.

implementing with robustness, vs. implementing with haste, also
thwarted & thankless pursuit in these times.

not a gap in knowledge or skill, but a gap in practice that dooms
infosec so many places.


> I think shifting that dynamic would be more rewarding if
> "advancing the state of the industry" is really what is valued.

keep up the good fight, sir!
  ... and don't hold your breath.
;)



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-16 Thread coderman
On Thu, Jan 12, 2012 at 1:57 AM, Giles Coochey  wrote:
> ...
> If you have been hired by the company in a security capacity
>... I've always found that you
> are listened to, taken very seriously and usually have a direct route to
> the CEO, CIO, COO or the whole board of directors.

lol

you need to qualify this statement.

do you consider QA part of a security capacity?  what about operations?



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-16 Thread Jeffrey Walton
On Sat, Jan 7, 2012 at 6:03 PM, Laurelai  wrote:
>
> Perhaps these companies should try to hire the kids owning them instead of
> crying to the feds.
Perhaps Stratfor's competition should hire them. Nothing new, there:
the Eastern Telegraph Company hired Nevil Maskelyne after he hacked
Marconi in 1903 during a demonstration of wireless telegraphy. [1]
(Wireless hacking since 1903!).

[1] http://www.newscientist.com/article/mg21228440.700-dotdashdiss-the-gentleman-hackers-1903-lulz.html



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-13 Thread Paul Schmehl
--On January 12, 2012 9:01:28 AM -0500 valdis.kletni...@vt.edu wrote:
>
> Bottom line: In most corporations, the CSO *can't* spend more money on
> security unless he can show increased profits by doing so.

Or decreased losses.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Kyle Creyts
I would also like to point out that "finding the bugs" is not the  same as
"fixing the bugs," and that for all the focus that is placed on finding
them, and lauding the people that do, fixing them is usually pretty
thankless. I think shifting that dynamic would be more rewarding if
"advancing the state of the industry" is really what is valued.
On Jan 11, 2012 7:41 AM, "Laurelai"  wrote:

> On 1/10/12 11:39 PM, Ian Hayes wrote:
> > On Tue, Jan 10, 2012 at 9:18 PM, Laurelai  wrote:
> >> On 1/10/12 10:18 PM, Byron Sonne wrote:
> >>>> Don't piss off a talented adolescent with computer skills.
> >>> Amen! I love me some stylin' pwnage :)
> >>>
> >>> Whether they were skiddies or actual hackers, it's still amusing (and
> >>> frightening to some) that companies who really should know better, in
> >>> fact, don't.
> >>>
> >> And again, if companies hired these people, most of whom come from
> >> disadvantaged backgrounds and are self taught they wouldn't have as much
> >> a reason to be angry anymore. Most of them feel like they don't have any
> >> real opportunities for a career and they are often right.
> > [citation needed]
> >
> >> Microsoft hired some kid who hacked their network, it is a safe bet he
> isn't going
> >> to be causing any trouble anymore.
> > Are you proposing that we reward all such behavior with jobs? I've
> > always wanted to be a firefighter. Forget resumes, job applications
> > and interviews, I'm going to set people's houses on fire. By your
> > logic, an arsonist is not only the best person to combat other
> > arsonists, but due to his obviously unique insight into the nature of
> > fire, simply must know how best to fight a fire as opposed to someone
> > who went to school for years to learn the trade.
> >
> >> Talking about the trust issue, who
> >> would you trust more the person who has all the certs and experience
> >> that told you your network was safe or the 14 year old who proved him
> >> wrong?
> > This is asinine. WHY would I want to hire someone for a position of
> > trust that just committed a crime, or at the very least acted in an
> > unethical manner? More than anything, that person has proven that
> > while he *might* have the technical chops, he certainly lacks the
> > ethics and decision making skills to operate in the grown-up world.
> >
> Because the ones with the so called ethics either lack the technical
> chops or lack the enthusiasm to find simple vulnerabilities. Not very
> ethical to take a huge paycheck and not do your job if you ask me.
>

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Dan Ballance
It was my assumption also - but are we sure this attack was through a
"trivial, well-known attack vector"?


On 11 January 2012 14:40, Laurelai  wrote:
> On 1/11/12 8:39 AM, Ferenc Kovacs wrote:
>>
>>
>> Because the ones with the so called ethics either lack the technical
>> chops or lack the enthusiasm to find simple vulnerabilities. Not very
>> ethical to take a huge paycheck and not do your job if you ask me.
>>
>
> If the only thing missing to secure those systems was somebody being able to
> use sqlmap and xss-me, then that could be fixing without hiring people who
> already proved that they aren't trustworthy.
> from my experience, the lack of security comes from the management, you can
> save money on that (and qa) on the short run.
> so companies tend to hire QSA companies to buy the paper which says that
> they are good, when in fact they aren't.
> most of them don't wanna hear that they are vulnerable and take the risks
> too lightly.
> if they would take it-security seriously it simply couldn't be owned through
> trivial, well-known attack vectors.
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
>
> :D at least one person here gets it.
>


Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Elazar Broad
"Sounds like this industry could benefit from these kids even more
since they are driving home the points you all are supposed to be
warning them about."

That's because these kids don't have mouths to feed and a paycheck to
worry about. Ethics and ethos are all very nice when you have nothing
to lose, all to gain and no one depending on you...

On Thursday, January 12, 2012 at 4:43 AM, Laurelai  wrote:
> On 1/12/12 3:34 AM, doc mombasa wrote:
> > i dont know if you ever worked for a big corporate entity?
> > like kovacs wrote its not about whether you can do it or not as an
> > employee its more about if your manager allows you the time to do it
> > pentesting doesnt change anything on the profits excel sheet
> > we can agree it looks bad when shit happens but they usually dont think
> > that far ahead
> > i tried once reporting a very simple sql injection flaw to my manager
> > and including a proposed fix which would take all of 5 minutes to implement
> > 18 months went by before that flaw was fixed because there was no
> > profits in allocating resources to fix it
> > and that webapp was the #1 money generator for that company
> >
> > On 12 Jan 2012 10:29, Laurelai wrote:
> > > On 1/12/12 3:27 AM, doc mombasa wrote:
> > > > just one question
> > > > why should they hire the "skiddies" if most of them only know how to
> > > > fire up sqlmap or whatever current app is hot right now?
> > > > doesnt really seem like enough reason to hire anyone
> > > > besides im not buying the whole "they do it because they are angry at
> > > > society" plop
> > > > ive been there.. they do it for the lulz
> > > >
> > > > On 11 Jan 2012 06:18, Laurelai wrote:
> > > > > On 1/10/12 10:18 PM, Byron Sonne wrote:
> > > > > > > Don't piss off a talented adolescent with computer skills.
> > > > > > Amen! I love me some stylin' pwnage :)
> > > > > >
> > > > > > Whether they were skiddies or actual hackers, it's still amusing (and
> > > > > > frightening to some) that companies who really should know better, in
> > > > > > fact, don't.
> > > > > >
> > > > > And again, if companies hired these people, most of whom come from
> > > > > disadvantaged backgrounds and are self taught they wouldn't have as much
> > > > > a reason to be angry anymore. Most of them feel like they don't have any
> > > > > real opportunities for a career and they are often right. Microsoft
> > > > > hired some kid who hacked their network, it is a safe bet he isn't going
> > > > > to be causing any trouble anymore. Talking about the trust issue, who
> > > > > would you trust more the person who has all the certs and experience
> > > > > that told you your network was safe or the 14 year old who proved him
> > > > > wrong? We all know if that kid had approached Microsoft with his exploit
> > > > > in a responsible manner they would have outright ignored him, that's why
> > > > > this mailing list exists, because companies will ignore security issues
> > > > > until it bites them in the ass to save a buck.
> > > > >
> > > > > People are way too obsessed with having certifications that don't
> > > > > actually teach practical intrusion techniques. If a system is so fragile
> > > > > that teenagers can take it down with minimal effort then there is a
> > > > > serious problem with the IT security industry. Think about it how long
> > > > > has sql injection been around? There is absolutely no excuse for being
> > > > > vulnerable to it. None whatsoever. These kids are showing people the
> > > > > truth about the state of security online and that is what's making people
> > > > > afraid of them. They aren't writing 0 days every week, they are using
> > > > > vulnerabilities that are public

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 2:00 PM, Elazar Broad wrote:
"Sounds like this industry could benefit from these kids even more 
since they are driving home the points you all are supposed to be 
warning them about."


That's because these kids don't have mouths to feed and a paycheck to 
worry about. Ethics and ethos are all very nice when you have nothing 
to lose, all to gain and no one depending on you...


On Thursday, January 12, 2012 at 4:43 AM, Laurelai 
 wrote:


On 1/12/12 3:34 AM, doc mombasa wrote:

i dont know if you ever worked for a big corporate entity?
like kovacs wrote its not about whether you can do it or not
as an employee its more about if your manager allows you the
time to do it
pentesting doesnt change anything on the profits excel sheet
we can agree it looks bad when shit happens but they usually
dont think that far ahead
i tried once reporting a very simple sql injection flaw to my
manager and including a proposed fix which would take all of 5
minutes to implement
18 months went by before that flaw was fixed because there was
no profits in allocating resources to fix it
and that webapp was the #1 money generator for that company

Den 12. jan. 2012 10.29 skrev Laurelai :

On 1/12/12 3:27 AM, doc mombasa wrote:

just one question
why should they hire the "skiddies" if most of them
only know how to fire up sqlmap or whatever current
app is hot right now?
doesnt really seem like enough reason to hire anyone
besides im not buying the whole "they do it because
they are angry at society" plop
ive been there.. they do it for the lulz

Den 11. jan. 2012 06.18 skrev Laurelai
:

On 1/10/12 10:18 PM, Byron Sonne wrote:
>> Don't piss off a talented adolescent with
computer skills.
> Amen! I love me some stylin' pwnage :)
>
> Whether they were skiddies or actual hackers,
it's still amusing (and
> frightening to some) that companies who really
should know better, in
> fact, don't.
>
And again, if companies hired these people, most
of whom come from
disadvantaged backgrounds and are self taught they
wouldn't have as much
a reason to be angry anymore. Most of them feel
like they don't have any
real opportunities for a career and they are often
right. Microsoft
hired some kid who hacked their network, it is a
safe bet he isn't going
to be causing any trouble anymore. Talking about
the trust issue, who
would you trust more the person who has all the
certs and experience
that told you your network was safe or the 14 year
old who proved him
wrong? We all know if that kid had approached
Microsoft with his exploit
in a responsible manner they would have outright
ignored him, that's why
this mailing list exists, because companies will
ignore security issues
until it bites them in the ass to save a buck.

People are way too obsessed with having
certifications that don't
actually teach practical intrusion techniques. If
a system is so fragile
that teenagers can take it down with minimal
effort then there is a
serious problem with the IT security industry.
Think about it how long
has sql injection been around? There is absolutely
no excuse for being
vulnerable to it. None whatsoever. These kids
are showing people the
truth about the state of security online and that
is what's making people
afraid of them. They aren't writing 0 days every
week, they are using
vulnerabilities that are publicly available. Using
tools that are
publicly available, tools that were meant to be
used by the people
protecting the systems. Clearly the people in
charge of protecting these
system aren't using these tools to scan their

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Valdis Kletnieks
On Thu, 12 Jan 2012 03:41:48 CST, Laurelai said:

> Well that's what you get when you let profit margins dictate security
> policy.

You *do* realise that in the US, most corporations are legally *required* to let
profit margins dictate *all* policy, security and otherwise?  The corporate
officers are required to maximise shareholder value, and in fact can be (and
often *are*) sued if they decide "Project XYZ would make a boatload of money,
but we're killing it off because it's morally wrong" or similar.  The exception
is if they reincorporate as a "benefit corporation", which has only been
available for a year or two, in only several states, and apparently only 100
corporations (out of the hundreds of thousands in the US) have taken this path
so far...

http://www.latimes.com/business/la-fi-benefit-corporations-20120104,0,5492616,print.story

Bottom line: In most corporations, the CSO *can't* spend more money on security
unless he can show increased profits by doing so.   So if you're the CSO and want
to spend $15M more on security, you have to show how doing so will result in
a better return for the shareholders.  And as I pointed out earlier in this thread,
even the big hacks at Sony and TJX didn't affect *the shareholders*, so under current
US corporate law, those companies actually did what they were *required* to do.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread doc mombasa
in this case the whole we have an inhouse pentester was more for show than
anything else
noone wanted to really follow laid down security guidelines as it would
have an impact on development schedules and so on
needless to say its a highly frustrating position to be in.. its like
punching a pillow

On 12 Jan 2012 10:57, Giles Coochey wrote:

> On Thu, January 12, 2012 10:47, doc mombasa wrote:
> > ok obviously you never worked for a big corporate entity :)
> > sure standing up to them is fine
> > after shouting about the bug for 4 months i thought bah why bother its
> > their asses not mine
> > just going in and fixing a bug without the mandate is usually not a good
> > idea (if you want to keep your job so you can pay your bills that is..)
> >
>
> If you have been hired by the company in a security capacity (because they
> budgeted for that need, for whatever reason), and you have not lost your
> credibility with them (because you're some spotty script kiddie and can
> converse with them at a business level), then I've always found that you
> are listened to, taken very seriously and usually have a direct route to
> the CEO, CIO, COO or the whole board of directors.
> If you're not listened to on the matters of security, then security is
> probably a pastime of yours and not the main role of your employment, or
> you're just one of those annoying geeky spotty script kiddies who moans
> about whatever is getting the bad press at the moment.
>

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread doc mombasa
like i said
standing up for good policy does not mean it will be enforced


On 12 Jan 2012 10:55, Laurelai wrote:

>  On 1/12/12 3:54 AM, doc mombasa wrote:
>
> and you are obviously blindly stuck on a point and has no idea how it
> actually works out there in "the real world"
>
> in small companies you have freedom and ability to execute
> in big companies not so much..
>
>  On 12 Jan 2012 10:52, Laurelai wrote:
>
>>   On 1/12/12 3:47 AM, doc mombasa wrote:
>>
>> ok obviously you never worked for a big corporate entity :)
>> sure standing up to them is fine
>> after shouting about the bug for 4 months i thought bah why bother its
>> their asses not mine
>> just going in and fixing a bug without the mandate is usually not a good
>> idea (if you want to keep your job so you can pay your bills that is..)
>>
>>  On 12 Jan 2012 10:41, Laurelai wrote:
>>
>>>   On 1/12/12 3:34 AM, doc mombasa wrote:
>>>
>>> i dont know if you ever worked for a big corporate entity?
>>> like kovacs wrote its not about whether you can do it or not as an
>>> employee its more about if your manager allows you the time to do it
>>> pentesting doesnt change anything on the profits excel sheet
>>> we can agree it looks bad when shit happens but they usually dont think
>>> that far ahead
>>> i tried once reporting a very simple sql injection flaw to my manager
>>> and including a proposed fix which would take all of 5 minutes to implement
>>> 18 months went by before that flaw was fixed because there was no
>>> profits in allocating resources to fix it
>>> and that webapp was the #1 money generator for that company
>>>
>>>  On 12 Jan 2012 10:29, Laurelai wrote:
>>>
   On 1/12/12 3:27 AM, doc mombasa wrote:

  just one question
 why should they hire the "skiddies" if most of them only know how to
 fire up sqlmap or whatever current app is hot right now?
 doesnt really seem like enough reason to hire anyone
 besides im not buying the whole "they do it because they are angry at
 society" plop
 ive been there.. they do it for the lulz


  Den 11. jan. 2012 06.18 skrev Laurelai :

> On 1/10/12 10:18 PM, Byron Sonne wrote:
> >> Don't piss off a talented adolescent with computer skills.
> > Amen! I love me some stylin' pwnage :)
> >
> > Whether they were skiddies or actual hackers, it's still amusing (and
> > frightening to some) that companies who really should know better, in
> > fact, don't.
> >
>  And again, if companies hired these people, most of whom come from
> disadvantaged backgrounds and are self taught they wouldn't have as
> much
> a reason to be angry anymore. Most of them feel like they don't have
> any
> real opportunities for a career and they are often right. Microsoft
> hired some kid who hacked their network, it is a safe bet he isn't
> going
> to be causing any trouble anymore. Talking about the trust issue, who
> would you trust more the person who has all the certs and experience
> that told you your network was safe or the 14 year old who proved him
> wrong? We all know if that kid had approached microsoft with his
> exploit
> in a responsible manner they would have outright ignored him, that's
> why
> this mailing list exists, because companies will ignore security issues
> until it bites them in the ass to save a buck.
>
> People are way too obsessed with having certifications that don't
> actually teach practical intrusion techniques. If a system is so
> fragile
> that teenagers can take it down with minimal effort then there is a
> serious problem with the IT security industry. Think about it how long
> has sql injection been around? There is absolutely no excuse for being
> vulnerable to it. None what so ever. These kids are showing people the
> truth about the state of security online and that is whats making
> people
> afraid of them. They aren't writing 0 days every week, they are using
> vulnerabilities that are publicly available. Using tools that are
> publicly available, tools that were meant to be used by the people
> protecting the systems. Clearly the people in charge of protecting
> these
> system aren't using these tools to scan their systems or else they
> would
> have found the weaknesses first.
>
> The fact that government organizations and large name companies and
> government contractors fall prey to these types of attacks just goes to
> show the level of hypocrisy inherent to the situation. Especially when
> their solution to the problem is to just pass more and more restrictive
> laws (as if that's going to stop them). These kids are showing people
> that the emperor has no clothes and that's whats making people angry,
> they are putting someones paycheck in danger. Why don't we solve the
> problem by actually addressing the real

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Giles Coochey
On Thu, January 12, 2012 10:47, doc mombasa wrote:
> ok obviously you never worked for a big corporate entity :)
> sure standing up to them is fine
> after shouting about the bug for 4 months I thought bah why bother, it's
> their asses not mine
> just going in and fixing a bug without the mandate is usually not a good
> idea (if you want to keep your job so you can pay your bills that is..)
>

If you have been hired by the company in a security capacity (because they
budgeted for that need, for whatever reason), and you have not lost your
credibility with them (because you're some spotty script kiddie and can
converse with them at a business level), then I've always found that you
are listened to, taken very seriously and usually have a direct route to
the CEO, CIO, COO or the whole board of directors.
If you're not listened to on the matters of security, then security is
probably a pastime of yours and not the main role of your employment, or
you're just one of those annoying geeky spotty script kiddies who moans
about whatever is getting the bad press at the moment.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Ferenc Kovacs
On Thu, Jan 12, 2012 at 10:53 AM, Laurelai wrote:

>  On 1/12/12 3:49 AM, Ferenc Kovacs wrote:
>
>
>>   Well that's what you get when you let profit margins dictate security
>> policy. You guys act pretty tough when you argue with each other online but
>> you can't stand up to some corporate idiots? Sounds like this industry
>> could benefit from these kids even more since they are driving home the
>> points you all are supposed to be warning them about.
>>
>
>  Maybe you should try out at your company to hire a kiddie, and tell us
> how it turned out.
> Usually the ones shittalking here are those without a decent job imo...
>
>  --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
>
> I have a great job.
>

so you think that you are shittalking?
or how else could your job be relevant here?

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:54 AM, doc mombasa wrote:
and you are obviously blindly stuck on a point and have no idea how it
actually works out there in "the real world"

in small companies you have freedom and ability to execute
in big companies not so much..

On 12 Jan. 2012 10:52, Laurelai wrote:


On 1/12/12 3:47 AM, doc mombasa wrote:

ok obviously you never worked for a big corporate entity :)
sure standing up to them is fine
after shouting about the bug for 4 months I thought bah why
bother, it's their asses not mine
just going in and fixing a bug without the mandate is usually not
a good idea (if you want to keep your job so you can pay your
bills that is..)

On 12 Jan. 2012 10:41, Laurelai wrote:

On 1/12/12 3:34 AM, doc mombasa wrote:

I don't know if you ever worked for a big corporate entity?
like Kovacs wrote it's not about whether you can do it or not
as an employee it's more about if your manager allows you the
time to do it
pentesting doesn't change anything on the profits Excel sheet
we can agree it looks bad when shit happens but they usually
don't think that far ahead
I tried once reporting a very simple SQL injection flaw to
my manager and including a proposed fix which would take all
of 5 minutes to implement
18 months went by before that flaw was fixed because there
were no profits in allocating resources to fix it
and that webapp was the #1 money generator for that company

On 12 Jan. 2012 10:29, Laurelai wrote:

On 1/12/12 3:27 AM, doc mombasa wrote:

just one question
why should they hire the "skiddies" if most of them
only know how to fire up sqlmap or whatever current app
is hot right now?
doesn't really seem like enough reason to hire anyone
besides I'm not buying the whole "they do it because
they are angry at society" plop
I've been there.. they do it for the lulz

On 11 Jan. 2012 06:18, Laurelai wrote:

On 1/10/12 10:18 PM, Byron Sonne wrote:
>> Don't piss off a talented adolescent with computer skills.
> Amen! I love me some stylin' pwnage :)
>
> Whether they were skiddies or actual hackers, it's still amusing (and
> frightening to some) that companies who really should know better, in
> fact, don't.
>
And again, if companies hired these people, most of whom come from
disadvantaged backgrounds and are self-taught, they wouldn't have as much
a reason to be angry anymore. Most of them feel like they don't have any
real opportunities for a career and they are often right. Microsoft
hired some kid who hacked their network, it is a safe bet he isn't going
to be causing any trouble anymore. Talking about the trust issue, who
would you trust more: the person who has all the certs and experience
that told you your network was safe or the 14 year old who proved him
wrong? We all know if that kid had approached Microsoft with his exploit
in a responsible manner they would have outright ignored him, that's why
this mailing list exists, because companies will ignore security issues
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't
actually teach practical intrusion techniques. If a system is so fragile
that teenagers can take it down with minimal effort then there is a
serious problem with the IT security industry. Think about it: how long
has SQL injection been around? There is absolutely no excuse for being
vulnerable to it. None whatsoever. These kids are showing people the
truth about the state of security online and that is what's making people
afraid of them. They aren't writing 0-days every week, they are using
vulnerabilities that are publicly available. Using tools that are
publicly available, tools that were meant to be used by the people
protecting the systems

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread doc mombasa
I never said you didn't

On 12 Jan. 2012 10:53, Laurelai wrote:

>  On 1/12/12 3:49 AM, Ferenc Kovacs wrote:
>
>
>>   Well that's what you get when you let profit margins dictate security
>> policy. You guys act pretty tough when you argue with each other online but
>> you can't stand up to some corporate idiots? Sounds like this industry
>> could benefit from these kids even more since they are driving home the
>> points you all are supposed to be warning them about.
>>
>
>  Maybe you should try out at your company to hire a kiddie, and tell us
> how it turned out.
> Usually the ones shittalking here are those without a decent job imo...
>
>  --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
>
> I have a great job.
>

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread doc mombasa
and you are obviously blindly stuck on a point and have no idea how it
actually works out there in "the real world"

in small companies you have freedom and ability to execute
in big companies not so much..

On 12 Jan. 2012 10:52, Laurelai wrote:

>  On 1/12/12 3:47 AM, doc mombasa wrote:
>
> ok obviously you never worked for a big corporate entity :)
> sure standing up to them is fine
> after shouting about the bug for 4 months I thought bah why bother, it's
> their asses not mine
> just going in and fixing a bug without the mandate is usually not a good
> idea (if you want to keep your job so you can pay your bills that is..)
>
> On 12 Jan. 2012 10:41, Laurelai wrote:
>
>>   On 1/12/12 3:34 AM, doc mombasa wrote:
>>
>> I don't know if you ever worked for a big corporate entity?
>> like Kovacs wrote it's not about whether you can do it or not as an
>> employee it's more about if your manager allows you the time to do it
>> pentesting doesn't change anything on the profits Excel sheet
>> we can agree it looks bad when shit happens but they usually don't think
>> that far ahead
>> I tried once reporting a very simple SQL injection flaw to my manager and
>> including a proposed fix which would take all of 5 minutes to implement
>> 18 months went by before that flaw was fixed because there were no profits
>> in allocating resources to fix it
>> and that webapp was the #1 money generator for that company
>>
>> On 12 Jan. 2012 10:29, Laurelai wrote:
>>
>>>   On 1/12/12 3:27 AM, doc mombasa wrote:
>>>
>>> just one question
>>> why should they hire the "skiddies" if most of them only know how to
>>> fire up sqlmap or whatever current app is hot right now?
>>> doesn't really seem like enough reason to hire anyone
>>> besides I'm not buying the whole "they do it because they are angry at
>>> society" plop
>>> I've been there.. they do it for the lulz
>>>
>>>
>>> On 11 Jan. 2012 06:18, Laurelai wrote:
>>>
>>>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>>> >> Don't piss off a talented adolescent with computer skills.
>>>> > Amen! I love me some stylin' pwnage :)
>>>> >
>>>> > Whether they were skiddies or actual hackers, it's still amusing (and
>>>> > frightening to some) that companies who really should know better, in
>>>> > fact, don't.
>>>> >
>>>> And again, if companies hired these people, most of whom come from
>>>> disadvantaged backgrounds and are self-taught, they wouldn't have as much
>>>> a reason to be angry anymore. Most of them feel like they don't have any
>>>> real opportunities for a career and they are often right. Microsoft
>>>> hired some kid who hacked their network, it is a safe bet he isn't going
>>>> to be causing any trouble anymore. Talking about the trust issue, who
>>>> would you trust more: the person who has all the certs and experience
>>>> that told you your network was safe or the 14 year old who proved him
>>>> wrong? We all know if that kid had approached Microsoft with his exploit
>>>> in a responsible manner they would have outright ignored him, that's why
>>>> this mailing list exists, because companies will ignore security issues
>>>> until it bites them in the ass to save a buck.
>>>>
>>>> People are way too obsessed with having certifications that don't
>>>> actually teach practical intrusion techniques. If a system is so fragile
>>>> that teenagers can take it down with minimal effort then there is a
>>>> serious problem with the IT security industry. Think about it: how long
>>>> has SQL injection been around? There is absolutely no excuse for being
>>>> vulnerable to it. None whatsoever. These kids are showing people the
>>>> truth about the state of security online and that is what's making people
>>>> afraid of them. They aren't writing 0-days every week, they are using
>>>> vulnerabilities that are publicly available. Using tools that are
>>>> publicly available, tools that were meant to be used by the people
>>>> protecting the systems. Clearly the people in charge of protecting these
>>>> systems aren't using these tools to scan their systems or else they would
>>>> have found the weaknesses first.
>>>>
>>>> The fact that government organizations and large-name companies and
>>>> government contractors fall prey to these types of attacks just goes to
>>>> show the level of hypocrisy inherent to the situation. Especially when
>>>> their solution to the problem is to just pass more and more restrictive
>>>> laws (as if that's going to stop them). These kids are showing people
>>>> that the emperor has no clothes and that's what's making people angry,
>>>> they are putting someone's paycheck in danger. Why don't we solve the
>>>> problem by actually addressing the real problem and fixing systems that
>>>> need to be fixed? Why not hire these kids with the time and energy on
>>>> their hands to probe for these weaknesses on a large scale? The ones
>>>> currently in the job slots to do this clearly aren't doing it. I bet if
>>>> they started replacing these people with these ki

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread doc mombasa
not my company anymore :) I walked out laughing a long time ago
part of my position was to pentest the different apps
I did and reported flaws but like I said there is no money here and now in
fixing flaws
so resources are allocated for new development instead

hiring a kiddie wouldn't help
you're missing the point
in any profit driven company it's ORDER BY $$$
which means your kiddie would be coding crappy webapps because of random
manager ideas
and usually introducing those very same flaws they like to exploit so much
just going in GUNG HO and fixing flaws outside of release cycles and so on
is also a bad idea for big companies as chaos would ensue

On 12 Jan. 2012 10:49, Ferenc Kovacs wrote:

>
>>  Well that's what you get when you let profit margins dictate security
>> policy. You guys act pretty tough when you argue with each other online but
>> you can't stand up to some corporate idiots? Sounds like this industry
>> could benefit from these kids even more since they are driving home the
>> points you all are supposed to be warning them about.
>>
>
> Maybe you should try out at your company to hire a kiddie, and tell us how
> it turned out.
> Usually the ones shittalking here are those without a decent job imo...
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
>

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:49 AM, Ferenc Kovacs wrote:

Well that's what you get when you let profit margins dictate
security policy. You guys act pretty tough when you argue with
each other online but you can't stand up to some corporate idiots?
Sounds like this industry could benefit from these kids even more
since they are driving home the points you all are supposed to be
warning them about.


Maybe you should try out at your company to hire a kiddie, and tell us 
how it turned out.

Usually the ones shittalking here are those without a decent job imo...

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu

I have a great job.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:47 AM, doc mombasa wrote:

ok obviously you never worked for a big corporate entity :)
sure standing up to them is fine
after shouting about the bug for 4 months I thought bah why bother, it's
their asses not mine
just going in and fixing a bug without the mandate is usually not a 
good idea (if you want to keep your job so you can pay your bills that 
is..)


On 12 Jan. 2012 10:41, Laurelai wrote:


On 1/12/12 3:34 AM, doc mombasa wrote:

I don't know if you ever worked for a big corporate entity?
like Kovacs wrote it's not about whether you can do it or not as
an employee it's more about if your manager allows you the time to
do it
pentesting doesn't change anything on the profits Excel sheet
we can agree it looks bad when shit happens but they usually don't
think that far ahead
I tried once reporting a very simple SQL injection flaw to my
manager and including a proposed fix which would take all of 5
minutes to implement
18 months went by before that flaw was fixed because there were no
profits in allocating resources to fix it
and that webapp was the #1 money generator for that company

On 12 Jan. 2012 10:29, Laurelai wrote:

On 1/12/12 3:27 AM, doc mombasa wrote:

just one question
why should they hire the "skiddies" if most of them only
know how to fire up sqlmap or whatever current app is hot
right now?
doesn't really seem like enough reason to hire anyone
besides I'm not buying the whole "they do it because they are
angry at society" plop
I've been there.. they do it for the lulz

On 11 Jan. 2012 06:18, Laurelai wrote:

On 1/10/12 10:18 PM, Byron Sonne wrote:
>> Don't piss off a talented adolescent with computer skills.
> Amen! I love me some stylin' pwnage :)
>
> Whether they were skiddies or actual hackers, it's still amusing (and
> frightening to some) that companies who really should know better, in
> fact, don't.
>
And again, if companies hired these people, most of whom come from
disadvantaged backgrounds and are self-taught, they wouldn't have as much
a reason to be angry anymore. Most of them feel like they don't have any
real opportunities for a career and they are often right. Microsoft
hired some kid who hacked their network, it is a safe bet he isn't going
to be causing any trouble anymore. Talking about the trust issue, who
would you trust more: the person who has all the certs and experience
that told you your network was safe or the 14 year old who proved him
wrong? We all know if that kid had approached Microsoft with his exploit
in a responsible manner they would have outright ignored him, that's why
this mailing list exists, because companies will ignore security issues
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't
actually teach practical intrusion techniques. If a system is so fragile
that teenagers can take it down with minimal effort then there is a
serious problem with the IT security industry. Think about it: how long
has SQL injection been around? There is absolutely no excuse for being
vulnerable to it. None whatsoever. These kids are showing people the
truth about the state of security online and that is what's making people
afraid of them. They aren't writing 0-days every week, they are using
vulnerabilities that are publicly available. Using tools that are
publicly available, tools that were meant to be used by the people
protecting the systems. Clearly the people in charge of protecting these
systems aren't using these tools to scan their systems or else they would
have found the weaknesses first.

The fact that government organizations and large-name companies and
government contractors fall prey to these types of attacks just goes to
show the level of hypocrisy inherent to the situation. Especially when
their solution to the problem is to just pass more and more restrictive
laws (as if that's going to stop them). These kids are showing people

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Ferenc Kovacs
>
>
>  Well that's what you get when you let profit margins dictate security
> policy. You guys act pretty tough when you argue with each other online but
> you can't stand up to some corporate idiots? Sounds like this industry
> could benefit from these kids even more since they are driving home the
> points you all are supposed to be warning them about.
>

Maybe you should try out at your company to hire a kiddie, and tell us how
it turned out.
Usually the ones shittalking here are those without a decent job imo...

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread doc mombasa
ok obviously you never worked for a big corporate entity :)
sure standing up to them is fine
after shouting about the bug for 4 months I thought bah why bother, it's
their asses not mine
just going in and fixing a bug without the mandate is usually not a good
idea (if you want to keep your job so you can pay your bills that is..)

On 12 Jan. 2012 10:41, Laurelai wrote:

>  On 1/12/12 3:34 AM, doc mombasa wrote:
>
> I don't know if you ever worked for a big corporate entity?
> like Kovacs wrote it's not about whether you can do it or not as an
> employee it's more about if your manager allows you the time to do it
> pentesting doesn't change anything on the profits Excel sheet
> we can agree it looks bad when shit happens but they usually don't think
> that far ahead
> I tried once reporting a very simple SQL injection flaw to my manager and
> including a proposed fix which would take all of 5 minutes to implement
> 18 months went by before that flaw was fixed because there were no profits
> in allocating resources to fix it
> and that webapp was the #1 money generator for that company
>
> On 12 Jan. 2012 10:29, Laurelai wrote:
>
>>   On 1/12/12 3:27 AM, doc mombasa wrote:
>>
>> just one question
>> why should they hire the "skiddies" if most of them only know how to fire
>> up sqlmap or whatever current app is hot right now?
>> doesn't really seem like enough reason to hire anyone
>> besides I'm not buying the whole "they do it because they are angry at
>> society" plop
>> I've been there.. they do it for the lulz
>>
>>
>> On 11 Jan. 2012 06:18, Laurelai wrote:
>>
>>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>> >> Don't piss off a talented adolescent with computer skills.
>>> > Amen! I love me some stylin' pwnage :)
>>> >
>>> > Whether they were skiddies or actual hackers, it's still amusing (and
>>> > frightening to some) that companies who really should know better, in
>>> > fact, don't.
>>> >
>>> And again, if companies hired these people, most of whom come from
>>> disadvantaged backgrounds and are self-taught, they wouldn't have as much
>>> a reason to be angry anymore. Most of them feel like they don't have any
>>> real opportunities for a career and they are often right. Microsoft
>>> hired some kid who hacked their network, it is a safe bet he isn't going
>>> to be causing any trouble anymore. Talking about the trust issue, who
>>> would you trust more: the person who has all the certs and experience
>>> that told you your network was safe or the 14 year old who proved him
>>> wrong? We all know if that kid had approached Microsoft with his exploit
>>> in a responsible manner they would have outright ignored him, that's why
>>> this mailing list exists, because companies will ignore security issues
>>> until it bites them in the ass to save a buck.
>>>
>>> People are way too obsessed with having certifications that don't
>>> actually teach practical intrusion techniques. If a system is so fragile
>>> that teenagers can take it down with minimal effort then there is a
>>> serious problem with the IT security industry. Think about it: how long
>>> has SQL injection been around? There is absolutely no excuse for being
>>> vulnerable to it. None whatsoever. These kids are showing people the
>>> truth about the state of security online and that is what's making people
>>> afraid of them. They aren't writing 0-days every week, they are using
>>> vulnerabilities that are publicly available. Using tools that are
>>> publicly available, tools that were meant to be used by the people
>>> protecting the systems. Clearly the people in charge of protecting these
>>> systems aren't using these tools to scan their systems or else they would
>>> have found the weaknesses first.
>>>
>>> The fact that government organizations and large-name companies and
>>> government contractors fall prey to these types of attacks just goes to
>>> show the level of hypocrisy inherent to the situation. Especially when
>>> their solution to the problem is to just pass more and more restrictive
>>> laws (as if that's going to stop them). These kids are showing people
>>> that the emperor has no clothes and that's what's making people angry,
>>> they are putting someone's paycheck in danger. Why don't we solve the
>>> problem by actually addressing the real problem and fixing systems that
>>> need to be fixed? Why not hire these kids with the time and energy on
>>> their hands to probe for these weaknesses on a large scale? The ones
>>> currently in the job slots to do this clearly aren't doing it. I bet if
>>> they started replacing these people with these kids it would shake the
>>> lethargy out of the rest of them and you would see a general increase in
>>> competence and security. Knowing that if you get your network owned by a
>>> teenager will not only get you fired, but replaced with said teenager is
>>> one hell of an incentive to make sure you get it right.
>>>
>>>
>>> Yes they would have to be taught additional skills to round ou

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:34 AM, doc mombasa wrote:

I don't know if you ever worked for a big corporate entity?
like Kovacs wrote it's not about whether you can do it or not as an
employee it's more about if your manager allows you the time to do it

pentesting doesn't change anything on the profits Excel sheet
we can agree it looks bad when shit happens but they usually don't
think that far ahead
I tried once reporting a very simple SQL injection flaw to my manager
and including a proposed fix which would take all of 5 minutes to
implement
18 months went by before that flaw was fixed because there were no
profits in allocating resources to fix it

and that webapp was the #1 money generator for that company

On 12 Jan. 2012 10:29, Laurelai wrote:


On 1/12/12 3:27 AM, doc mombasa wrote:

just one question
why should they hire the "skiddies" if most of them only know how
to fire up sqlmap or whatever current app is hot right now?
doesn't really seem like enough reason to hire anyone
besides I'm not buying the whole "they do it because they are
angry at society" plop
I've been there.. they do it for the lulz

On 11 Jan. 2012 06:18, Laurelai wrote:

On 1/10/12 10:18 PM, Byron Sonne wrote:
>> Don't piss off a talented adolescent with computer skills.
> Amen! I love me some stylin' pwnage :)
>
> Whether they were skiddies or actual hackers, it's still amusing (and
> frightening to some) that companies who really should know better, in
> fact, don't.
>
And again, if companies hired these people, most of whom come from
disadvantaged backgrounds and are self-taught, they wouldn't have as much
a reason to be angry anymore. Most of them feel like they don't have any
real opportunities for a career and they are often right. Microsoft
hired some kid who hacked their network, it is a safe bet he isn't going
to be causing any trouble anymore. Talking about the trust issue, who
would you trust more: the person who has all the certs and experience
that told you your network was safe or the 14 year old who proved him
wrong? We all know if that kid had approached Microsoft with his exploit
in a responsible manner they would have outright ignored him, that's why
this mailing list exists, because companies will ignore security issues
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't
actually teach practical intrusion techniques. If a system is so fragile
that teenagers can take it down with minimal effort then there is a
serious problem with the IT security industry. Think about it: how long
has SQL injection been around? There is absolutely no excuse for being
vulnerable to it. None whatsoever. These kids are showing people the
truth about the state of security online and that is what's making people
afraid of them. They aren't writing 0-days every week, they are using
vulnerabilities that are publicly available. Using tools that are
publicly available, tools that were meant to be used by the people
protecting the systems. Clearly the people in charge of protecting these
systems aren't using these tools to scan their systems or else they would
have found the weaknesses first.

The fact that government organizations and large-name companies and
government contractors fall prey to these types of attacks just goes to
show the level of hypocrisy inherent to the situation. Especially when
their solution to the problem is to just pass more and more restrictive
laws (as if that's going to stop them). These kids are showing people
that the emperor has no clothes and that's what's making people angry,
they are putting someone's paycheck in danger. Why don't we solve the
problem by actually addressing the real problem and fixing systems that
need to be fixed? Why not hire these kids with the time and energy on
their hands to probe for these weaknesses on a large scale? The ones
currently in the job slots to do this clearly aren't doing it. I bet if
they started replacing these people with these kids it would shake the
lethargy out of the rest of them and you would see a general increase in
competence and security. Knowing that if you get your network owned by a
teenager will not only get you fired, but replaced with said

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread doc mombasa
I don't know if you ever worked for a big corporate entity?
like Kovacs wrote it's not about whether you can do it or not as an employee
it's more about if your manager allows you the time to do it
pentesting doesn't change anything on the profits Excel sheet
we can agree it looks bad when shit happens but they usually don't think
that far ahead
I tried once reporting a very simple SQL injection flaw to my manager and
including a proposed fix which would take all of 5 minutes to implement
18 months went by before that flaw was fixed because there were no profits
in allocating resources to fix it
and that webapp was the #1 money generator for that company

On 12 Jan. 2012 10:29, Laurelai wrote:

>  On 1/12/12 3:27 AM, doc mombasa wrote:
>
> just one question
> why should they hire the "skiddies" if most of them only know how to fire
> up sqlmap or whatever current app is hot right now?
> doesn't really seem like enough reason to hire anyone
> besides I'm not buying the whole "they do it because they are angry at
> society" plop
> I've been there.. they do it for the lulz
>
>
> On 11 Jan. 2012 06:18, Laurelai wrote:
>
>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>> >> Don't piss off a talented adolescent with computer skills.
>> > Amen! I love me some stylin' pwnage :)
>> >
>> > Whether they were skiddies or actual hackers, it's still amusing (and
>> > frightening to some) that companies who really should know better, in
>> > fact, don't.
>> >
>>  And again, if companies hired these people, most of whom come from
>> disadvantaged backgrounds and are self taught they wouldn't have as much
>> a reason to be angry anymore. Most of them feel like they don't have any
>> real opportunities for a career and they are often right. Microsoft
>> hired some kid who hacked their network, it is a safe bet he isn't going
>> to be causing any trouble anymore. Talking about the trust issue, who
>> would you trust more the person who has all the certs and experience
>> that told you your network was safe or the 14 year old who proved him
>> wrong? We all know if that kid had approached microsoft with his exploit
>> in a responsible manner they would have outright ignored him, that's why
>> this mailing list exists, because companies will ignore security issues
>> until it bites them in the ass to save a buck.
>>
>> People are way too obsessed with having certifications that don't
>> actually teach practical intrusion techniques. If a system is so fragile
>> that teenagers can take it down with minimal effort then there is a
>> serious problem with the IT security industry. Think about it how long
>> has sql injection been around? There is absolutely no excuse for being
>> vulnerable to it. None what so ever. These kids are showing people the
>> truth about the state of security online and that is whats making people
>> afraid of them. They aren't writing 0 days every week, they are using
>> vulnerabilities that are publicly available. Using tools that are
>> publicly available, tools that were meant to be used by the people
>> protecting the systems. Clearly the people in charge of protecting these
>> system aren't using these tools to scan their systems or else they would
>> have found the weaknesses first.
>>
>> The fact that government organizations and large name companies and
>> government contractors fall prey to these types of attacks just goes to
>> show the level of hypocrisy inherent to the situation. Especially when
>> their solution to the problem is to just pass more and more restrictive
>> laws (as if that's going to stop them). These kids are showing people
>> that the emperor has no clothes and that's what's making people angry,
>> they are putting someone's paycheck in danger. Why don't we solve the
>> problem by actually addressing the real problem and fixing systems that
>> need to be fixed? Why not hire these kids with the time and energy on
>> their hands to probe for these weaknesses on a large scale? The ones
>> currently in the job slots to do this clearly aren't doing it.  I bet if
>> they started replacing these people with these kids it would shake the
>> lethargy out of the rest of them and you would see a general increase in
>> competence and security. Knowing that if you get your network owned by a
>> teenager will not only get you fired, but replaced with said teenager is
>> one hell of an incentive to make sure you get it right.
>>
>>
>> Yes they would have to be taught additional skills to round out what
>> they know, but every job requires some level of training and there are
>> quite a few workplaces that will help their employees continue their
>> education because it benefits the company to do so. This would be no
>> different except that the employees would be younger, and younger people
>> do tend to learn faster so it would likely take less time to teach these
>> kids the needed skills to round out what they already know than it would
>> to teach someone older the same thing. It is the same pr

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Laurelai

On 1/12/12 3:27 AM, doc mombasa wrote:

just one question
why should they hire the "skiddies" if most of them only know how to
fire up sqlmap or whatever current app is hot right now?

doesn't really seem like enough reason to hire anyone
besides I'm not buying the whole "they do it because they are angry at
society" plop

I've been there.. they do it for the lulz

On 11 Jan 2012 06:18, Laurelai wrote:


On 1/10/12 10:18 PM, Byron Sonne wrote:
>> Don't piss off a talented adolescent with computer skills.
> Amen! I love me some stylin' pwnage :)
>
> Whether they were skiddies or actual hackers, it's still amusing (and
> frightening to some) that companies who really should know better, in
> fact, don't.
>
And again, if companies hired these people, most of whom come from
disadvantaged backgrounds and are self taught, they wouldn't have as much
a reason to be angry anymore. Most of them feel like they don't have any
real opportunities for a career and they are often right. Microsoft
hired some kid who hacked their network, it is a safe bet he isn't going
to be causing any trouble anymore. Talking about the trust issue, who
would you trust more, the person who has all the certs and experience
that told you your network was safe or the 14 year old who proved him
wrong? We all know if that kid had approached Microsoft with his exploit
in a responsible manner they would have outright ignored him, that's why
this mailing list exists, because companies will ignore security issues
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't
actually teach practical intrusion techniques. If a system is so fragile
that teenagers can take it down with minimal effort then there is a
serious problem with the IT security industry. Think about it: how long
has SQL injection been around? There is absolutely no excuse for being
vulnerable to it. None whatsoever. These kids are showing people the
truth about the state of security online and that is what's making people
afraid of them. They aren't writing 0-days every week, they are using
vulnerabilities that are publicly available. Using tools that are
publicly available, tools that were meant to be used by the people
protecting the systems. Clearly the people in charge of protecting these
systems aren't using these tools to scan their systems or else they would
have found the weaknesses first.

The fact that government organizations and large name companies and
government contractors fall prey to these types of attacks just goes to
show the level of hypocrisy inherent to the situation. Especially when
their solution to the problem is to just pass more and more restrictive
laws (as if that's going to stop them). These kids are showing people
that the emperor has no clothes and that's what's making people angry,
they are putting someone's paycheck in danger. Why don't we solve the
problem by actually addressing the real problem and fixing systems that
need to be fixed? Why not hire these kids with the time and energy on
their hands to probe for these weaknesses on a large scale? The ones
currently in the job slots to do this clearly aren't doing it. I bet if
they started replacing these people with these kids it would shake the
lethargy out of the rest of them and you would see a general increase in
competence and security. Knowing that if you get your network owned by a
teenager will not only get you fired, but replaced with said teenager, is
one hell of an incentive to make sure you get it right.

Yes they would have to be taught additional skills to round out what
they know, but every job requires some level of training and there are
quite a few workplaces that will help their employees continue their
education because it benefits the company to do so. This would be no
different except that the employees would be younger, and younger people
do tend to learn faster so it would likely take less time to teach these
kids the needed skills to round out what they already know than it would
to teach someone older the same thing. It is the same principle behind
teaching young children multiple languages, they learn them better than
adults.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Because the ones in charge right now can't even seem to fire up sqlmap 
now and then to see if they are vuln. And if you really believe that 
they just do it for the lulz line...

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread doc mombasa
just one question
why should they hire the "skiddies" if most of them only know how to fire
up sqlmap or whatever current app is hot right now?
doesn't really seem like enough reason to hire anyone
besides I'm not buying the whole "they do it because they are angry at
society" plop
I've been there.. they do it for the lulz


On 11 Jan 2012 06:18, Laurelai wrote:

> On 1/10/12 10:18 PM, Byron Sonne wrote:
> >> Don't piss off a talented adolescent with computer skills.
> > Amen! I love me some stylin' pwnage :)
> >
> > Whether they were skiddies or actual hackers, it's still amusing (and
> > frightening to some) that companies who really should know better, in
> > fact, don't.
> >
> And again, if companies hired these people, most of whom come from
> disadvantaged backgrounds and are self taught they wouldn't have as much
> a reason to be angry anymore. Most of them feel like they don't have any
> real opportunities for a career and they are often right. Microsoft
> hired some kid who hacked their network, it is a safe bet he isn't going
> to be causing any trouble anymore. Talking about the trust issue, who
> would you trust more the person who has all the certs and experience
> that told you your network was safe or the 14 year old who proved him
> wrong? We all know if that kid had approached Microsoft with his exploit
> in a responsible manner they would have outright ignored him, that's why
> this mailing list exists, because companies will ignore security issues
> until it bites them in the ass to save a buck.
>
> People are way too obsessed with having certifications that don't
> actually teach practical intrusion techniques. If a system is so fragile
> that teenagers can take it down with minimal effort then there is a
> serious problem with the IT security industry. Think about it: how long
> has SQL injection been around? There is absolutely no excuse for being
> vulnerable to it. None whatsoever. These kids are showing people the
> truth about the state of security online and that is what's making people
> afraid of them. They aren't writing 0 days every week, they are using
> vulnerabilities that are publicly available. Using tools that are
> publicly available, tools that were meant to be used by the people
> protecting the systems. Clearly the people in charge of protecting these
> systems aren't using these tools to scan their systems or else they would
> have found the weaknesses first.
>
> The fact that government organizations and large name companies and
> government contractors fall prey to these types of attacks just goes to
> show the level of hypocrisy inherent to the situation. Especially when
> their solution to the problem is to just pass more and more restrictive
> laws (as if that's going to stop them). These kids are showing people
> that the emperor has no clothes and that's what's making people angry,
> they are putting someone's paycheck in danger. Why don't we solve the
> problem by actually addressing the real problem and fixing systems that
> need to be fixed? Why not hire these kids with the time and energy on
> their hands to probe for these weaknesses on a large scale? The ones
> currently in the job slots to do this clearly aren't doing it.  I bet if
> they started replacing these people with these kids it would shake the
> lethargy out of the rest of them and you would see a general increase in
> competence and security. Knowing that if you get your network owned by a
> teenager will not only get you fired, but replaced with said teenager is
> one hell of an incentive to make sure you get it right.
>
>
> Yes they would have to be taught additional skills to round out what
> they know, but every job requires some level of training and there are
> quite a few workplaces that will help their employees continue their
> education because it benefits the company to do so. This would be no
> different except that the employees would be younger, and younger people
> do tend to learn faster so it would likely take less time to teach these
> kids the needed skills to round out what they already know than it would
> to teach someone older the same thing. It is the same principle behind
> teaching young children multiple languages, they learn them better than
> adults.
>

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-11 Thread Valdis . Kletnieks
On Wed, 11 Jan 2012 01:33:18 CST, Laurelai said:

> If you guys can't scan for basic SQL injection and these kids can then
> there's a real problem, that's my point here.

That may or may not be true.  Doesn't mean you have the right solution.
Also, you seem to keep forgetting that this is an asymmetric problem.

The security guy has to scan *every single* entry point of *every single* app
for an SQL injection, which could take a while for a large company.  They are
usually limited in how much time they have (two to four weeks, usually).  And
then scan for *every other* thing on the OWASP Top 10.

One script kiddie gets lucky and finds one hole, they get their name in the
news.

> As the ancient proverb says "Set a thief to catch a thief"

The fact it's a proverb doesn't make it correct or useful in today's world.

http://www.answers.com/topic/set-a-thief-to-catch-a-thief

Maybe in 1665 it was the best way to do it.  I'd certainly hope that today with
modern techniques like fingerprints and DNA and surveillance cameras, a
detective is better at catching thieves than another thief would be.

Remember - the fact the guy knows how to pick a 5-tumbler lock doesn't mean he
knows how to lift the prints off said lock after somebody else did it.




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-11 Thread Laurelai

On 1/11/12 8:39 AM, Ferenc Kovacs wrote:



Because the ones with the so called ethics either lack the technical
chops or lack the enthusiasm to find simple vulnerabilities. Not very
ethical to take a huge paycheck and not do your job if you ask me.


If the only thing missing to secure those systems was somebody being
able to use sqlmap and xss-me, then that could be fixed without
hiring people who already proved that they aren't trustworthy.
From my experience, the lack of security comes from the management;
you can save money on that (and QA) in the short run.
So companies tend to hire QSA companies to buy the paper which says
that they are good, when in fact they aren't.
Most of them don't wanna hear that they are vulnerable and take the
risks too lightly.
If they would take IT security seriously it simply couldn't be owned
through trivial, well-known attack vectors.


--
Ferenc Kovács
@Tyr43l - http://tyrael.hu

:D at least one person here gets it.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-11 Thread Ferenc Kovacs
>
>
> Because the ones with the so called ethics either lack the technical
> chops or lack the enthusiasm to find simple vulnerabilities. Not very
> ethical to take a huge paycheck and not do your job if you ask me.
>
>
If the only thing missing to secure those systems was somebody being able
to use sqlmap and xss-me, then that could be fixed without hiring people
who already proved that they aren't trustworthy.
From my experience, the lack of security comes from the management; you can
save money on that (and QA) in the short run.
So companies tend to hire QSA companies to buy the paper which says that
they are good, when in fact they aren't.
Most of them don't wanna hear that they are vulnerable and take the risks
too lightly.
If they would take IT security seriously it simply couldn't be owned
through trivial, well-known attack vectors.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-11 Thread Laurelai
On 1/10/12 11:39 PM, Ian Hayes wrote:
> On Tue, Jan 10, 2012 at 9:18 PM, Laurelai  wrote:
>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>>> Don't piss off a talented adolescent with computer skills.
>>> Amen! I love me some stylin' pwnage :)
>>>
>>> Whether they were skiddies or actual hackers, it's still amusing (and
>>> frightening to some) that companies who really should know better, in
>>> fact, don't.
>>>
>> And again, if companies hired these people, most of whom come from
>> disadvantaged backgrounds and are self taught they wouldn't have as much
>> a reason to be angry anymore. Most of them feel like they don't have any
>> real opportunities for a career and they are often right.
> [citation needed]
>
>> Microsoft hired some kid who hacked their network, it is a safe bet he isn't
>> going to be causing any trouble anymore.
> Are you proposing that we reward all such behavior with jobs? I've
> always wanted to be a firefighter. Forget resumes, job applications
> and interviews, I'm going to set people's houses on fire. By your
> logic, an arsonist is not only the best person to combat other
> arsonists, but due to his obviously unique insight into the nature of
> fire, simply must know how best to fight a fire as opposed to someone
> who went to school for years to learn the trade.
>
>> Talking about the trust issue, who
>> would you trust more the person who has all the certs and experience
>> that told you your network was safe or the 14 year old who proved him
>> wrong?
> This is asinine. WHY would I want to hire someone for a position of
> trust that just committed a crime, or at the very least acted in an
> unethical manner? More than anything, that person has proven that
> while he *might* have the technical chops, he certainly lacks the
> ethics and decision making skills to operate in the grown-up world.
>
Because the ones with the so called ethics either lack the technical 
chops or lack the enthusiasm to find simple vulnerabilities. Not very 
ethical to take a huge paycheck and not do your job if you ask me.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-11 Thread Kyle Creyts
How many of those engaged in these attacks _could_ actually fix the vulns
they exploit? What is a good "rough estimate" in your opinion?
On Jan 11, 2012 12:47 AM, "Laurelai"  wrote:

> On 1/10/12 11:32 PM, James Smith wrote:
> > Well I do agree with what you are stating. As I have seen incidents
> > like this happen to many times.
> > This mailing list is a big part of the IT Security community.
> >
> >
> >
> > -Original Message- From: Laurelai
> > Sent: Wednesday, January 11, 2012 1:18 AM
> > To: full-disclosure@lists.grok.org.uk
> > Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
> >
> > On 1/10/12 10:18 PM, Byron Sonne wrote:
> >>> Don't piss off a talented adolescent with computer skills.
> >> Amen! I love me some stylin' pwnage :)
> >>
> >> Whether they were skiddies or actual hackers, it's still amusing (and
> >> frightening to some) that companies who really should know better, in
> >> fact, don't.
> >>
> > And again, if companies hired these people, most of whom come from
> > disadvantaged backgrounds and are self taught they wouldn't have as much
> > a reason to be angry anymore. Most of them feel like they don't have any
> > real opportunities for a career and they are often right. Microsoft
> > hired some kid who hacked their network, it is a safe bet he isn't going
> > to be causing any trouble anymore. Talking about the trust issue, who
> > would you trust more the person who has all the certs and experience
> > that told you your network was safe or the 14 year old who proved him
> > wrong? We all know if that kid had approached Microsoft with his exploit
> > in a responsible manner they would have outright ignored him, that's why
> > this mailing list exists, because companies will ignore security issues
> > until it bites them in the ass to save a buck.
> >
> > People are way too obsessed with having certifications that don't
> > actually teach practical intrusion techniques. If a system is so fragile
> > that teenagers can take it down with minimal effort then there is a
> > serious problem with the IT security industry. Think about it: how long
> > has SQL injection been around? There is absolutely no excuse for being
> > vulnerable to it. None whatsoever. These kids are showing people the
> > truth about the state of security online and that is what's making people
> > afraid of them. They aren't writing 0 days every week, they are using
> > vulnerabilities that are publicly available. Using tools that are
> > publicly available, tools that were meant to be used by the people
> > protecting the systems. Clearly the people in charge of protecting these
> > systems aren't using these tools to scan their systems or else they would
> > have found the weaknesses first.
> >
> > The fact that government organizations and large name companies and
> > government contractors fall prey to these types of attacks just goes to
> > show the level of hypocrisy inherent to the situation. Especially when
> > their solution to the problem is to just pass more and more restrictive
> > laws (as if that's going to stop them). These kids are showing people
> > that the emperor has no clothes and that's what's making people angry,
> > they are putting someone's paycheck in danger. Why don't we solve the
> > problem by actually addressing the real problem and fixing systems that
> > need to be fixed? Why not hire these kids with the time and energy on
> > their hands to probe for these weaknesses on a large scale? The ones
> > currently in the job slots to do this clearly aren't doing it.  I bet if
> > they started replacing these people with these kids it would shake the
> > lethargy out of the rest of them and you would see a general increase in
> > competence and security. Knowing that if you get your network owned by a
> > teenager will not only get you fired, but replaced with said teenager is
> > one hell of an incentive to make sure you get it right.
> >
> >
> > Yes they would have to be taught additional skills to round out what
> > they know, but every job requires some level of training and there are
> > quite a few workplaces that will help their employees continue their
> > education because it benefits the company to do so. This would be no
> > different except that the employees would be younger, and younger people
> > do tend to learn faster so it would likely take less time to teach these
> > kids the needed skills to round 

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-11 Thread Ian Hayes
On Tue, Jan 10, 2012 at 9:18 PM, Laurelai  wrote:
> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>> Don't piss off a talented adolescent with computer skills.
>> Amen! I love me some stylin' pwnage :)
>>
>> Whether they were skiddies or actual hackers, it's still amusing (and
>> frightening to some) that companies who really should know better, in
>> fact, don't.
>>
> And again, if companies hired these people, most of whom come from
> disadvantaged backgrounds and are self taught they wouldn't have as much
> a reason to be angry anymore. Most of them feel like they don't have any
> real opportunities for a career and they are often right.

[citation needed]

> Microsoft hired some kid who hacked their network, it is a safe bet he isn't
> going to be causing any trouble anymore.

Are you proposing that we reward all such behavior with jobs? I've
always wanted to be a firefighter. Forget resumes, job applications
and interviews, I'm going to set people's houses on fire. By your
logic, an arsonist is not only the best person to combat other
arsonists, but due to his obviously unique insight into the nature of
fire, simply must know how best to fight a fire as opposed to someone
who went to school for years to learn the trade.

> Talking about the trust issue, who
> would you trust more the person who has all the certs and experience
> that told you your network was safe or the 14 year old who proved him
> wrong?

This is asinine. WHY would I want to hire someone for a position of
trust that just committed a crime, or at the very least acted in an
unethical manner? More than anything, that person has proven that
while he *might* have the technical chops, he certainly lacks the
ethics and decision making skills to operate in the grown-up world.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread James Smith
Well I have been in their IRC chat rooms. A few of them are very intelligent in
information security. Well if you are only defining say #AntiSec, I would say
about less than a third.
As for the other 97% they just know how to attack and exploit vulnerabilities.

From: Laurelai 
Sent: Wednesday, January 11, 2012 3:17 AM
To: Kyle Creyts 
Cc: full-disclosure@lists.grok.org.uk ; James Smith 
Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

On 1/11/12 1:15 AM, Kyle Creyts wrote:
  How many of those engaged in these attacks _could_ actually fix the vulns
  they exploit? What is a good "rough estimate" in your opinion?

  On Jan 11, 2012 12:47 AM, "Laurelai" wrote:

On 1/10/12 11:32 PM, James Smith wrote:
> Well I do agree with what you are stating. As I have seen incidents
> like this happen to many times.
> This mailing list is a big part of the IT Security community.
>
>
>
> -Original Message- From: Laurelai
> Sent: Wednesday, January 11, 2012 1:18 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
>
> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>> Don't piss off a talented adolescent with computer skills.
>> Amen! I love me some stylin' pwnage :)
>>
>> Whether they were skiddies or actual hackers, it's still amusing (and
>> frightening to some) that companies who really should know better, in
>> fact, don't.
>>
> And again, if companies hired these people, most of whom come from
> disadvantaged backgrounds and are self taught they wouldn't have as much
> a reason to be angry anymore. Most of them feel like they don't have any
> real opportunities for a career and they are often right. Microsoft
> hired some kid who hacked their network, it is a safe bet he isn't going
> to be causing any trouble anymore. Talking about the trust issue, who
> would you trust more the person who has all the certs and experience
> that told you your network was safe or the 14 year old who proved him
> wrong? We all know if that kid had approached Microsoft with his exploit
> in a responsible manner they would have outright ignored him, that's why
> this mailing list exists, because companies will ignore security issues
> until it bites them in the ass to save a buck.
>
> People are way too obsessed with having certifications that don't
> actually teach practical intrusion techniques. If a system is so fragile
> that teenagers can take it down with minimal effort then there is a
> serious problem with the IT security industry. Think about it: how long
> has SQL injection been around? There is absolutely no excuse for being
> vulnerable to it. None whatsoever. These kids are showing people the
> truth about the state of security online and that is what's making people
> afraid of them. They aren't writing 0 days every week, they are using
> vulnerabilities that are publicly available. Using tools that are
> publicly available, tools that were meant to be used by the people
> protecting the systems. Clearly the people in charge of protecting these
> systems aren't using these tools to scan their systems or else they would
> have found the weaknesses first.
>
> The fact that government organizations and large name companies and
> government contractors fall prey to these types of attacks just goes to
> show the level of hypocrisy inherent to the situation. Especially when
> their solution to the problem is to just pass more and more restrictive
> laws (as if that's going to stop them). These kids are showing people
> that the emperor has no clothes and that's what's making people angry,
> they are putting someone's paycheck in danger. Why don't we solve the
> problem by actually addressing the real problem and fixing systems that
> need to be fixed? Why not hire these kids with the time and energy on
> their hands to probe for these weaknesses on a large scale? The ones
> currently in the job slots to do this clearly aren't doing it.  I bet if
> they started replacing these people with these kids it would shake the
> lethargy out of the rest of them and you would see a general increase in
> competence and security. Knowing that if you get your network owned by a
> teenager will not only get you fired, but replaced with said teenager is
> one hell of an incentive to make sure you get it right.
>
>
> Yes they would have to be taught additional skills to round out wha

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Laurelai
On 1/11/12 1:21 AM, valdis.kletni...@vt.edu wrote:
> On Tue, 10 Jan 2012 23:18:40 CST, Laurelai said:
>
>> real opportunities for a career and they are often right. Microsoft
>> hired some kid who hacked their network, it is a safe bet he isn't going
>> to be causing any trouble anymore.
> How safe a bet, exactly?  Safe enough to bet your business on it? Microsoft
> has $40B in cash handy to survive on if something goes wrong.  What's *your*
> Plan B if the kid you hired blabs about his gig and one of his buddies rapes
> your net using the credentials you gave the kid to do the pen test?
>
>> Talking about the trust issue, who
>> would you trust more the person who has all the certs and experience
>> that told you your network was safe or the 14 year old who proved him
>> wrong?
> A really clever guy by the name of Edsger Dijkstra once said "Testing can
> prove the presence of bugs, but not their absence".  If you're getting a pen
> test done by somebody who says your network is safe, you're being ripped off.
> First, all networks have holes - if the pen tester comes up empty, it doesn't
> mean your net is secure, it means finding the holes needs somebody with
> better skills. Second, any pen tester who says "the net is safe" is a rip-off
> artist. At best, they can say "we did not find any of the following
> vulnerabilities we tested for. There may be vulnerabilities present that we
> were unable to find under the rules of engagement, which limit the scope and
> total time and money spent".
>
> Also, it's not just about who do you trust more to find the holes, it's who
> you trust to be professional while they do it.
>
> Or the "put your money where your mouth is (literally)" version - which one
> would you rather have working for your bank when they find a security hole
> that allows them access to your checking account?
>
If you guys can't scan for basic SQL injection and these kids can then
there's a real problem, that's my point here. The attacks are so simple
children can do it and the so-called experts aren't finding them or just
aren't looking so I'm not sure if it's incompetence or apathy behind these
high profile hacks, you can teach these kids the same skillsets the so
called experts have, but you can't teach incompetent people to be
competent as it's a willful mindset to not learn new things, and there's
no solution for apathy other than hiring someone who cares.  These kids
have the motivation to learn new things and the energy to apply them.
Something the people they are owning lack sorely. As the ancient proverb
says "Set a thief to catch a thief".




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Valdis . Kletnieks
On Tue, 10 Jan 2012 23:18:40 CST, Laurelai said:

> real opportunities for a career and they are often right. Microsoft
> hired some kid who hacked their network, it is a safe bet he isn't going
> to be causing any trouble anymore.

How safe a bet, exactly?  Safe enough to bet your business on it? Microsoft has
$40B in cash handy to survive on if something goes wrong.  What's *your* Plan B
if the kid you hired blabs about his gig and one of his buddies rapes your net 
using
the credentials you gave the kid to do the pen test?

> Talking about the trust issue, who
> would you trust more the person who has all the certs and experience
> that told you your network was safe or the 14 year old who proved him
> wrong?

A really clever guy by the name of Edsger Dijkstra once said "Testing can prove
the presence of bugs, but not their absence".  If you're getting a pen test
done by somebody who says your network is safe, you're being ripped off. First,
all networks have holes - if the pen tester comes up empty, it doesn't mean
your net is secure, it means finding the holes needs somebody with better
skills. Second, any pen tester who says "the net is safe" is a rip-off artist.
At best, they can say "we did not find any of the following vulnerabilities we
tested for. There may be vulnerabilities present that we were unable to find
under the rules of engagement, which limit the scope and total time and money
spent".

Also, it's not just about who you trust more to find the holes, it's who you
trust to be professional while they do it.

Or the "put your money where your mouth is (literally)" version - which one
would you rather have working for your bank when they find a security hole that
allows them access to your checking account?




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Laurelai

On 1/11/12 1:15 AM, Kyle Creyts wrote:


How many of those engaged in these attacks _could_ actually fix the 
vulns they exploit? What is a good "rough estimate" in your opinion?


On Jan 11, 2012 12:47 AM, "Laurelai" wrote:


On 1/10/12 11:32 PM, James Smith wrote:
> Well I do agree with what you are stating. As I have seen incidents
> like this happen too many times.
> This mailing list is a big part of the IT Security community.
>
>
>
> -Original Message- From: Laurelai
> Sent: Wednesday, January 11, 2012 1:18 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
>
> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>> Don't piss off a talented adolescent with computer skills.
>> Amen! I love me some stylin' pwnage :)
>>
>> Whether they were skiddies or actual hackers, it's still amusing (and
>> frightening to some) that companies who really should know better, in
>> fact, don't.
>>
> And again, if companies hired these people, most of whom come from
> disadvantaged backgrounds and are self-taught, they wouldn't have as much
> of a reason to be angry anymore. Most of them feel like they don't have any
> real opportunities for a career, and they are often right. Microsoft
> hired some kid who hacked their network; it is a safe bet he isn't going
> to be causing any trouble anymore. Talking about the trust issue, who
> would you trust more: the person who has all the certs and experience
> that told you your network was safe, or the 14-year-old who proved him
> wrong? We all know if that kid had approached Microsoft with his exploit
> in a responsible manner they would have outright ignored him; that's why
> this mailing list exists, because companies will ignore security issues
> until it bites them in the ass to save a buck.
>
> People are way too obsessed with having certifications that don't
> actually teach practical intrusion techniques. If a system is so fragile
> that teenagers can take it down with minimal effort then there is a
> serious problem with the IT security industry. Think about it: how long
> has SQL injection been around? There is absolutely no excuse for being
> vulnerable to it. None whatsoever. These kids are showing people the
> truth about the state of security online, and that is what's making people
> afraid of them. They aren't writing 0-days every week; they are using
> vulnerabilities that are publicly available, using tools that are
> publicly available, tools that were meant to be used by the people
> protecting the systems. Clearly the people in charge of protecting these
> systems aren't using these tools to scan their systems, or else they would
> have found the weaknesses first.
>
> The fact that government organizations and large-name companies and
> government contractors fall prey to these types of attacks just goes to
> show the level of hypocrisy inherent to the situation. Especially when
> their solution to the problem is to just pass more and more restrictive
> laws (as if that's going to stop them). These kids are showing people
> that the emperor has no clothes, and that's what's making people angry:
> they are putting someone's paycheck in danger. Why don't we solve the
> problem by actually addressing the real problem and fixing systems that
> need to be fixed? Why not hire these kids with the time and energy on
> their hands to probe for these weaknesses on a large scale? The ones
> currently in the job slots to do this clearly aren't doing it. I bet if
> they started replacing these people with these kids it would shake the
> lethargy out of the rest of them and you would see a general increase in
> competence and security. Knowing that if you get your network owned by a
> teenager will not only get you fired, but replaced with said teenager, is
> one hell of an incentive to make sure you get it right.
>
>
> Yes, they would have to be taught additional skills to round out what
> they know, but every job requires some level of training, and there are
> quite a few workplaces that will help their employees continue their
> education because it benefits the company to do so. This would be no
>

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Laurelai
On 1/10/12 11:32 PM, James Smith wrote:
> Well I do agree with what you are stating. As I have seen incidents 
> like this happen too many times.
> This mailing list is a big part of the IT Security community.
>
>
>
> -Original Message- From: Laurelai
> Sent: Wednesday, January 11, 2012 1:18 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
>
> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>> Don't piss off a talented adolescent with computer skills.
>> Amen! I love me some stylin' pwnage :)
>>
>> Whether they were skiddies or actual hackers, it's still amusing (and
>> frightening to some) that companies who really should know better, in
>> fact, don't.
>>
> And again, if companies hired these people, most of whom come from
> disadvantaged backgrounds and are self-taught, they wouldn't have as much
> of a reason to be angry anymore. Most of them feel like they don't have any
> real opportunities for a career, and they are often right. Microsoft
> hired some kid who hacked their network; it is a safe bet he isn't going
> to be causing any trouble anymore. Talking about the trust issue, who
> would you trust more: the person who has all the certs and experience
> that told you your network was safe, or the 14-year-old who proved him
> wrong? We all know if that kid had approached Microsoft with his exploit
> in a responsible manner they would have outright ignored him; that's why
> this mailing list exists, because companies will ignore security issues
> until it bites them in the ass to save a buck.
>
> People are way too obsessed with having certifications that don't
> actually teach practical intrusion techniques. If a system is so fragile
> that teenagers can take it down with minimal effort then there is a
> serious problem with the IT security industry. Think about it: how long
> has SQL injection been around? There is absolutely no excuse for being
> vulnerable to it. None whatsoever. These kids are showing people the
> truth about the state of security online, and that is what's making people
> afraid of them. They aren't writing 0-days every week; they are using
> vulnerabilities that are publicly available, using tools that are
> publicly available, tools that were meant to be used by the people
> protecting the systems. Clearly the people in charge of protecting these
> systems aren't using these tools to scan their systems, or else they would
> have found the weaknesses first.
>
> The fact that government organizations and large-name companies and
> government contractors fall prey to these types of attacks just goes to
> show the level of hypocrisy inherent to the situation. Especially when
> their solution to the problem is to just pass more and more restrictive
> laws (as if that's going to stop them). These kids are showing people
> that the emperor has no clothes, and that's what's making people angry:
> they are putting someone's paycheck in danger. Why don't we solve the
> problem by actually addressing the real problem and fixing systems that
> need to be fixed? Why not hire these kids with the time and energy on
> their hands to probe for these weaknesses on a large scale? The ones
> currently in the job slots to do this clearly aren't doing it. I bet if
> they started replacing these people with these kids it would shake the
> lethargy out of the rest of them and you would see a general increase in
> competence and security. Knowing that if you get your network owned by a
> teenager will not only get you fired, but replaced with said teenager, is
> one hell of an incentive to make sure you get it right.
>
>
> Yes, they would have to be taught additional skills to round out what
> they know, but every job requires some level of training, and there are
> quite a few workplaces that will help their employees continue their
> education because it benefits the company to do so. This would be no
> different except that the employees would be younger, and younger people
> do tend to learn faster, so it would likely take less time to teach these
> kids the needed skills to round out what they already know than it would
> to teach someone older the same thing. It is the same principle behind
> teaching young children multiple languages; they learn them better than
> adults.
>
Yes I am aware they are, the ones who cry out that they are just script 
kiddies and such are the ones who are most likely to be 

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Laurelai
On 1/10/12 10:18 PM, Byron Sonne wrote:
>> Don't piss off a talented adolescent with computer skills.
> Amen! I love me some stylin' pwnage :)
>
> Whether they were skiddies or actual hackers, it's still amusing (and
> frightening to some) that companies who really should know better, in
> fact, don't.
>
And again, if companies hired these people, most of whom come from 
disadvantaged backgrounds and are self-taught, they wouldn't have as much 
of a reason to be angry anymore. Most of them feel like they don't have any 
real opportunities for a career, and they are often right. Microsoft 
hired some kid who hacked their network; it is a safe bet he isn't going 
to be causing any trouble anymore. Talking about the trust issue, who 
would you trust more: the person who has all the certs and experience 
that told you your network was safe, or the 14-year-old who proved him 
wrong? We all know if that kid had approached Microsoft with his exploit 
in a responsible manner they would have outright ignored him; that's why 
this mailing list exists, because companies will ignore security issues 
until it bites them in the ass to save a buck.

People are way too obsessed with having certifications that don't 
actually teach practical intrusion techniques. If a system is so fragile 
that teenagers can take it down with minimal effort then there is a 
serious problem with the IT security industry. Think about it: how long 
has SQL injection been around? There is absolutely no excuse for being 
vulnerable to it. None whatsoever. These kids are showing people the 
truth about the state of security online, and that is what's making people 
afraid of them. They aren't writing 0-days every week; they are using 
vulnerabilities that are publicly available, using tools that are 
publicly available, tools that were meant to be used by the people 
protecting the systems. Clearly the people in charge of protecting these 
systems aren't using these tools to scan their systems, or else they would 
have found the weaknesses first.

The fact that government organizations and large-name companies and 
government contractors fall prey to these types of attacks just goes to 
show the level of hypocrisy inherent to the situation. Especially when 
their solution to the problem is to just pass more and more restrictive 
laws (as if that's going to stop them). These kids are showing people 
that the emperor has no clothes, and that's what's making people angry: 
they are putting someone's paycheck in danger. Why don't we solve the 
problem by actually addressing the real problem and fixing systems that 
need to be fixed? Why not hire these kids with the time and energy on 
their hands to probe for these weaknesses on a large scale? The ones 
currently in the job slots to do this clearly aren't doing it. I bet if 
they started replacing these people with these kids it would shake the 
lethargy out of the rest of them and you would see a general increase in 
competence and security. Knowing that if you get your network owned by a 
teenager will not only get you fired, but replaced with said teenager, is 
one hell of an incentive to make sure you get it right.


Yes, they would have to be taught additional skills to round out what 
they know, but every job requires some level of training, and there are 
quite a few workplaces that will help their employees continue their 
education because it benefits the company to do so. This would be no 
different except that the employees would be younger, and younger people 
do tend to learn faster, so it would likely take less time to teach these 
kids the needed skills to round out what they already know than it would 
to teach someone older the same thing. It is the same principle behind 
teaching young children multiple languages; they learn them better than 
adults.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Byron Sonne
> Don't piss off a talented adolescent with computer skills.

Amen! I love me some stylin' pwnage :)

Whether they were skiddies or actual hackers, it's still amusing (and
frightening to some) that companies who really should know better, in
fact, don't.

-- 
 freebyron.org



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Jeffrey Walton
On Tue, Jan 10, 2012 at 7:58 AM, Ferenc Kovacs  wrote:
> Albeit you didn't address me, I also called them kiddies, so here
> are my thoughts.
>>
>> Valdis you make me curious - how do you know that most are kids, and
>> script kiddies?
>
> Valdis didn't state that the majority of the hackers are kids, or script
> kiddies; what he did state:
>
>>> Perhaps these companies should try to hire the kids owning them instead
>>> of crying to the feds.
>
>> Most of the kids are skript kiddies,
>
> So Laurelai implied that the companies are owned by kids, and Valdis replied
> that those kids are mostly script kiddies.
>>
>> The label 'script kiddies' has been used for over 20
>> years and well, kids do grow old... aren't the script kiddies really
>> "script men" these days?
>
> Only if you think that the current kiddies are the exact same people as
> back then.
> IMO the vast majority of the kiddies will either mature and/or get busted, so
> he/she will give up on the blackhat stuff, and/or grow in skills so he/she
> will be a "real" hacker (in one way or another).
>>
>> The label "script kiddie" tends to downplay
>> their existence. It has a tone of "strong security officers, men of
>> renown, men with beards" who look down on those petty script kiddies
>> from their high places of arcane knowledge possessed by a mere few.
>
> The term is and always was pejorative/derogatory by definition:
> "A script kiddie or skiddie,[1] occasionally skid, script bunny,[2] script
> kitty,[3] script-running juvenile (SRJ) or similar, is a derogatory term
> used to describe those who use scripts or programs developed by others to
> attack computer systems and networks and deface websites.[4]"
> http://en.wikipedia.org/wiki/Script_Kiddie
>>
>> Isn't it more likely that the people who massively pwned Stratfor are
>> indeed mature and serious?
>
> IMO most script kiddies are teens/young adults, and I also think that most
> teens/young adults who are interested in IT security only have
> script kiddie skills.
>
> My reasons to believe this:
> - Learning serious skills takes some time, so it is fairly rare to have those
> at such a young age, so most of the young ones usually aren't there yet. Of
> course if you only have to master sqlmap and xss-me then it is a different
> story.
> - Kids are more likely to take serious risk for the fun or fame only: they
> aren't mature enough to be afraid of the consequences and they don't have an
> existence which they are afraid to lose. On a related note
> see http://www.medicinenet.com/script/main/art.asp?articlekey=51852
>>
>> It's easy to establish that "the lulzboat
>> people" for lack of a better term, are more mature than the
>> technicians at Stratfor will ever be. Better to call them "security
>> kiddies", I can understand that.
>
> In what meaning are you using the word "mature" here?
> They (LulzSec) are/were trolling the industry; they didn't really show
> anything new, just that the OWASP Top 10 vulns are still there, even for
> big companies.
> I would be really surprised if it were ever discovered that the main
> players behind LulzSec were over 25, or had a family to take
> care of.
> Even if you could get away with the shit that they put up, a mature person
> wouldn't risk getting busted over what they achieved (fame and fun).
>
> Of course this is only my opinion on the issue; maybe somebody else with
> more experience in the field can come up with a better explanation or
> point out the flaws in my logic.
I still remember Steve Gibson and grc.com
(www.crime-research.org/library/grcdos.pdf). He was retaliated upon
for calling folks script kiddies.

Don't piss off a talented adolescent with computer skills.

Jeff


Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread Ferenc Kovacs
Albeit you didn't address me, I also called them kiddies, so here
are my thoughts.


>
> Valdis you make me curious - how do you know that most are kids, and
> script kiddies?


Valdis didn't state that the majority of the hackers are kids, or script
kiddies; what he did state:

>> Perhaps these companies should try to hire the kids owning them instead
>> of crying to the feds.

> Most of the kids are skript kiddies,

So Laurelai implied that the companies are owned by kids, and Valdis
replied that those kids are mostly script kiddies.



> The label 'script kiddies' has been used for over 20
> years and well, kids do grow old... aren't the script kiddies really
> "script men" these days?


Only if you think that the current kiddies are the exact same people as
back then.
IMO the vast majority of the kiddies will either mature and/or get busted, so
he/she will give up on the blackhat stuff, and/or grow in skills so he/she
will be a "real" hacker (in one way or another).


> The label "script kiddie" tends to downplay
> their existence. It has a tone of "strong security officers, men of
> renown, men with beards" who look down on those petty script kiddies
> from their high places of arcane knowledge possessed by a mere few.
>

The term is and always was pejorative/derogatory by definition:
"A script kiddie or skiddie,[1] occasionally skid, script bunny,[2] script
kitty,[3] script-running juvenile (SRJ) or similar, is a derogatory term
used to describe those who use scripts or programs developed by others to
attack computer systems and networks and deface websites.[4]"
http://en.wikipedia.org/wiki/Script_Kiddie


> Isn't it more likely that the people who massively pwned Stratfor are
> indeed mature and serious?


IMO most script kiddies are teens/young adults, and I also think that most
teens/young adults who are interested in IT security only have
script kiddie skills.

My reasons to believe this:
- Learning serious skills takes some time, so it is fairly rare to have
those at such a young age, so most of the young ones usually aren't there
yet. Of course if you only have to master sqlmap and xss-me then it is a
different story.
- Kids are more likely to take serious risk for the fun or fame only: they
aren't mature enough to be afraid of the consequences and they don't have
an existence which they are afraid to lose. On a related note see
http://www.medicinenet.com/script/main/art.asp?articlekey=51852



> It's easy to establish that "the lulzboat
> people" for lack of a better term, are more mature than the
> technicians at Stratfor will ever be. Better to call them "security
> kiddies", I can understand that.
>

In what meaning are you using the word "mature" here?
They (LulzSec) are/were trolling the industry; they didn't really show
anything new, just that the OWASP Top 10 vulns are still there, even for
big companies.
I would be really surprised if it were ever discovered that the main
players behind LulzSec were over 25, or had a family to take
care of.
Even if you could get away with the shit that they put up, a mature person
wouldn't risk getting busted over what they achieved (fame and fun).

Of course this is only my opinion on the issue; maybe somebody else with
more experience in the field can come up with a better explanation or
point out the flaws in my logic.


-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-09 Thread J. von Balzac
> Most of the kids are skript kiddies, and don't really understand the *defense*
> end of the security business very well.  Sure, some may be better than skript
> kiddies, and may be *incredible* at finding a memory overlay or an SQL
> injection, but do they know how to *secure* against *everything*?
>
> Does that kid know anything about "continuity of operations"? How to negotiate
> with network providers to guarantee diverse cable paths?  How to set up proper
> audit trails so they can figure out what happened after the fact? How to deal
> with physical security issues (how do you know the guy at the door works for
> Oracle, and who empties your trash?) How to deal with a subpoena or a "hold
> evidence" order?  How to secure systems against insider threats and
> embezzlement (still a big problem, even if hackers get more news time)? How to
> ensure proper backups get done (this can be very non-trivial if you have
> multiple petabytes of storage, and need to do point-in-time recoveries)? How 
> to
> do all the other things involved in actually making a data processing facility
> *secure*?

Warning: my message is about semantics.

Valdis you make me curious - how do you know that most are kids, and
script kiddies? The label 'script kiddies' has been used for over 20
years and well, kids do grow old... aren't the script kiddies really
"script men" these days? The label "script kiddie" tends to downplay
their existence. It has a tone of "strong security officers, men of
renown, men with beards" who look down on those petty script kiddies
from their high places of arcane knowledge possessed by a mere few.

Isn't it more likely that the people who massively pwned Stratfor are
indeed mature and serious? It's easy to establish that "the lulzboat
people" for lack of a better term, are more mature than the
technicians at Stratfor will ever be. Better to call them "security
kiddies", I can understand that.

Of course it's common to refer to script kiddies in mailing lists and
to tech savvy people. As I'm not a pro I wonder if you guys (the
professional pen testers) refer to these people as script kiddies when
you talk with your clients.

Maybe 'penners' would be a better word, because even the word 'hacker'
is too broad. I can't stand it when 'laymen' refer to 'hackers' on
every occasion.

Jan


Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-09 Thread Valdis . Kletnieks
On Mon, 09 Jan 2012 20:00:11 +0100, "J. von Balzac" said:

> Valdis you make me curious - how do you know that most are kids, and
> script kiddies?

Note that it wasn't me who suggested hiring script kiddies to do pen tests. I
was pointing out why it wouldn't work.

> Isn't it more likely that the people who massively pwned Stratfor are
> indeed mature and serious?

If they're mature, serious, and pwning machines like that, they're heavy duty
black hats (pretty much by definition).  What are the chances they'll want to
take a consulting gig doing a pen test (which would require they come out of
hiding?)

Yes, there are a few people working both sides of the fence. *VERY* few, and
certainly not enough to make it feasible in general to hire one to do your
pentests.  And again, there's that whole "Do you really want to hire a known
black hat" issue to work around.




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-09 Thread Paul Schmehl
--On January 9, 2012 10:34:40 AM -0800 Bob Dobbs wrote:

> On Sat, Jan 7, 2012 at 5:42 PM,  wrote:
>
>
> It matters a lot less than you think.  Go look at Sony's stock price
> while they were having their security issues - it was already sliding
> *before* PSN got hacked, but continued sliding at the *exact same rate*
> for several months, with no visible
>
>
>
> Indeed. It is surprising to me that customers don't care more about this
> than they do. But the customer, in the end, doesn't seem particularly
> concerned about their personal data. If they did they would stop buying,
> revenue would fall, and stock price would fall.
>

Or, they don't understand the ramifications of the exposure to them 
personally.  (I've been watching my bill for months, and I haven't seen any 
unauthorized charges.  This must not have affected me personally.)  Or they 
never even hear about it to begin with.  (We in IT and Security assume that 
"everyone" knows about breaches.  Nothing could be further from the truth, 
even in the most publicized of cases.)

>
> As high priority as the IT Sec people usually think it should be, or as
> high priority as a cold hard-line analysis of business cost/benefits says
> it should be?  IT people tend to be *really* bad at estimating actual
> bottom-line costs.
>
> I can perfectly understand the cold rationalizing of ROI on issues of
> security expense. I am much less forgiving of companies who constantly
> say (and they all do) that they take great care with your data, won't
> share it with anyone else, implement great security, etc. Then they are
> owned by some stupid means such as a flawed and out of date
> Internet-facing webapp and proven to be liars.
>
>

Yeah, but you can always blame some low level person for not following 
policy, right?  IOW, they had the right policy in place, but they didn't 
have good procedures for ensuring that the policy was being rigorously 
followed.  Auditing wasn't as robust as it should have been, so it didn't 
find the edge case that brought the whole system down.

> I wish there were far more punitive punishments for customers to pursue
> to help shift the ROI towards providing more security.
>

Except it wouldn't.  It would simply raise the cost of the product to the 
consumer.  Corporations that get "taught lessons" by large fines simply 
pass that cost on to the consumer.  They seldom learn as much as you think 
they might or should have.

There's a gap between policy and procedures and between procedures and 
auditing.  There are always edge cases that fall outside the purview of the 
watchers and escape detection until something bad happens.  Technology is 
getting better at discovering those gaps, but they will always exist.

For example.  Recently a Columbia researcher discovered a way to use an HP 
printer to hack into an enterprise and compromise internal assets.  A good 
security person would have already anticipated the risk and remediated it. 
(We moved all our printers to private IPs about 10 years ago for that very 
reason.)  But many people didn't give it much thought at all.  (After all, 
who's going to hack a printer?  It doesn't really gain you much.)

The same thing was true, back in the old days, of DNS hosts with vulnerable 
versions of sendmail installed.  "No one" ever thought they might be used 
as spam relays - until someone did - and standard install procedures didn't 
disable or secure sendmail because that wasn't the purpose of the box.

That's just human nature.

The really secure places plan ahead for such things, routinely check for 
out of compliance conditions, and enforce an environment where things are 
"done right" all the time.

Very few such places exist.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell


Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-09 Thread Bob Dobbs
On Sat, Jan 7, 2012 at 5:42 PM,  wrote:

> It matters a lot less than you think.  Go look at Sony's stock price while
> they were having their security issues - it was already sliding *before* PSN
> got hacked, but continued sliding at the *exact same rate* for several
> months, with no visible
>

Indeed. It is surprising to me that customers don't care more about this
than they do. But the customer, in the end, doesn't seem particularly
concerned about their personal data. If they did they would stop buying,
revenue would fall, and stock price would fall.

> As high priority as the IT Sec people usually think it should be, or as high
> priority as a cold hard-line analysis of business cost/benefits says it
> should be?  IT people tend to be *really* bad at estimating actual
> bottom-line costs.
>

I can perfectly understand the cold rationalizing of ROI on issues of
security expense. I am much less forgiving of companies who constantly say
(and they all do) that they take great care with your data, won't share it
with anyone else, implement great security, etc. Then they are owned by
some stupid means such as a flawed and out of date Internet-facing webapp
and proven to be liars.

I wish there were far more punitive punishments for customers to pursue to
help shift the ROI towards providing more security.

Bob

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-09 Thread gold flake
Also, as someone remarked on another thread on this list, it is your
report that will be read by the client or the suits in your company.
If you cannot construct a grammatically correct sentence, all your
fancy work showing the holes in the infrastructure is worth zipity doo
dah.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-08 Thread Dave
On 07/01/2012 23:32, valdis.kletni...@vt.edu wrote:
> On Sat, 07 Jan 2012 17:03:09 CST, Laurelai said:
>> Perhaps these companies should try to hire the kids owning them instead
>> of crying to the feds.
> 
> Most of the kids are skript kiddies, and don't really understand the *defense*
> end of the security business very well.  Sure, some may be better than skript
> kiddies, and may be *incredible* at finding a memory overlay or an SQL
> injection, but do they know how to *secure* against *everything*?
> 
> Does that kid know anything about "continuity of operations"? How to negotiate
> with network providers to guarantee diverse cable paths?  How to set up proper
> audit trails so they can figure out what happened after the fact? How to deal
> with physical security issues (how do you know the guy at the door works for
> Oracle, and who empties your trash?) How to deal with a subpoena or a "hold
> evidence" order?  How to secure systems against insider threats and
> embezzlement (still a big problem, even if hackers get more news time)? How to
> ensure proper backups get done (this can be very non-trivial if you have
> multiple petabytes of storage, and need to do point-in-time recoveries)? How to
> do all the other things involved in actually making a data processing facility
> *secure*?
> 
> For all the flak the CISSP gets, it's *still* worthwhile to wander over and
> take a quick peek at *all* the subject areas it covers (18 if I remember
> right), and then ask yourself "How much does the average kiddie know about all
> this?"
> 
> And there's another little problem:  If you had a store, and somebody robbed
> you at gunpoint, would you feel good about offering them a job because they
> obviously need the money?  Or would you tend to avoid that person as an
> employee, because they've already proven they don't want to follow the rules?
> And even if you're willing to give a felon another shot, what do you say to the
> other employees when they say "You hired WHO? That guy shot Fred in the knee,
> I'm outta here".
> 
> And why should your answer be any different just because the attack involved a
> computer rather than a 9mm?

CISSP is just the beginning of security skills... Far ranging but shallow.
I considered gaining a CISSP but it only proves that I can pass an exam.
Unfortunately many courses these days only teach one to pass the exam.

Professing to be an expert whilst comparing myself to the average user may well
be true.
But in all honesty I am only as good as the scenarios I have encountered and
understood.

I have been playing around with computers since I got a ZX Spectrum; I know an
awful lot about I.T., computers and IT security.
I progressed from first line support to management during my career, yet I
still consider myself a noob when I read some of what the contributors to this
list have to say. Thanks for the continuing education guys/gals.

I expect senility to kick in before I consider myself some kind of guru.
The problem lies with those who consider themselves a guru after passing an
exam.




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-08 Thread Ian Hayes
The industry would self-correct pretty quickly if customers weren't
satisfied with their contractor firing off a quick Nessus scan, and handing
this year's report off along with the bill. A lot of companies don't WANT
to know they are vulnerable, because of the shitstorm it causes.

On Jan 7, 2012 3:38 PM, "Laurelai"  wrote:

On 1/7/12 5:31 PM, Ferenc Kovacs wrote:
>
> On Sun, Jan 8, 2012 at 12:03 AM, Laurelai

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response, Philosophy of Information Security

2012-01-07 Thread coderman
On Sat, Jan 7, 2012 at 12:55 PM, Shyaam Sundhar  wrote:
> ...
> why are people sloppy by nature when it comes to
> security?

this is like asking for the origin of existence; a mystery to the end!



> Why is security still considered as a blanket as opposed to the
> core of any system?

build security in: a radical concept!

instead quality is conferred second rate status, lucre and expedience
trump effectiveness, and short sighted competition creates cavities of
vulnerability where only broad cooperation can protect.

an endless playground for the curious and devious to deceive, thwart,
and threaten at will.



> PS: I am totally wrong and I know that ;)

infosec is totally wrong as industry, too few know that! ;P



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Valdis . Kletnieks
On Sun, 08 Jan 2012 03:28:43 +0100, Ferenc Kovacs said:

> - it should be handled the same way as QA, it's not a feature, it's a way

Actually, the problem is that it *is* handled the same way as QA.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Ferenc Kovacs
On Sun, Jan 8, 2012 at 2:42 AM,  wrote:

> On Sun, 08 Jan 2012 01:37:21 +0100, Ferenc Kovacs said:
>
> > imo public shaming(ie. owned by kiddies, usually they get bigger media
> > attention) can force companies to take security more seriously, but imo
> > hiring the kiddies isn't the solution.
>
> It matters a lot less than you think.  Go look at Sony's stock price while they
> were having their security issues - it was already sliding *before* PSN got hacked,
> but continued sliding at the *exact same rate* for several months, with no visible
> added dip due to the multiple hacks they had.  The hack at TJX didn't cripple that
> company either.  Cost them a bunch, but nothing they couldn't survive - most
> companies that size already budget a lot more for unforeseen events than the
> hacks cost them.
>
> > able to secure your infrastructure, but the industry is rotten mostly
> > because it-sec isn't as high priority as it should be.
>
> As high priority as the IT Sec people usually think it should be, or as high
> priority as a cold hard-line analysis of business cost/benefits says it should
> be?  IT people tend to be *really* bad at estimating actual bottom-line
> costs.
>
> > it is an added-value, usually bolted-on top of the screwed up legacy
> > processes/softwares, and the higher-ups expect it to be bought by money
> > alone.
>
> Remember that at the C level, *everything* is bought by money alone.
> An initiative will cost $X in capex, $Y in manpower costs, and is predicted
> to return $Z per year.  If Z is bigger than X+Y, we proceed, if not, we don't.
> (Of course, the fun is in nailing X Y and Z down to accurate numbers :)
>
> > company, but they won't change the flawed processes, and the bad priorities.
>
> Remember that computer security is almost always a cost center, not a profit
> center, and one of those "bad priorities" is usually "make more money".
>
> They aren't going to change the flawed process (which will cost money), unless
> you can demonstrate how that will impact the bottom line.  Just like I *could*
> replace my already-paid-off car that gets 27 miles to the gallon with one that
> gets 42, and save $50 month in gas- but then have a $250/month car payment to
> make. That doesn't make fiscal sense, and often neither does fixing the flawed
> process.
>
> > of course many of them will get owned, lose a good chunk of money, some of
> > them even will go out of business, but until most of them can get away with
> > those broken model, they won't try to fix the underlying problem.
>
> And you know what? *Every single decision* a business makes is like that.
>
> You run a restaurant, and make a bet that you can sell a fajita that's 20%
> bigger than your competitor, for 50 cents less, and still make money.  Maybe
> you're right, and you end up expanding into a nationwide fajita chain. Maybe
> you're not - something like 50% of restaurants fold in under 3 years.
>
> You manage an office building complex, and make a bet that if there's a fire,
> only one of the buildings will burn down and not all of them, so you don't
> insure for "everything burning down" because that's a *lot* higher premium per
> year and you don't really see them *all* burning as being likely.  If one burns
> down, you collect the insurance, rebuild, and get on with running an office
> complex.  If they all burn down, you're probably screwed.  Unless you're one
> lucky guy like Larry Silverstein, and they're ruled separate events at the WTC
> so you get paid for all the buildings anyhow:
>
> http://articles.cnn.com/2004-12-06/justice/wtc.trial_1_larry-silverstein-single-occurrence-insurers?_s=PM:LAW
>
> You run a company, and make a bet that there's only a X% chance of being
> hacked, and it will probably cost you $Y, so you spend $Z.  Maybe you guess
> wrong, like Sony did, maybe you don't, and all the money you didn't spend on
> security becomes profit, not cost.
>
> But it's the same thing - you estimate your chances, and place your bet. It's
> called the way business works.
>

it seems that you are missing my point.
I don't try to say that security should be the top priority, I'm saying
that:
- it should be handled the same way as QA, it's not a feature, it's a way
of doing things, you can't just buy it from a vendor without changing
anything on your side.
- currently the efforts for IT security in most cases are below what a
formal risk analysis/evaluation would identify for most of the companies
out there.

A kiddie with no formal education or relevant experience, but who is
handy using a PC and the internet, shouldn't be able to "own" companies and
cause losses/steal millions of dollars.

So I would be curious what your opinion is about those two points.

btw: Sony is a good counter-example, but we also see CA companies
recently going out of business after being hacked; usually losing customer
trust is more grave where the trust is more important to begin with.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Jeffrey Walton
On Sat, Jan 7, 2012 at 8:42 PM,   wrote:
> On Sun, 08 Jan 2012 01:37:21 +0100, Ferenc Kovacs said:
>
>> imo public shaming(ie. owned by kiddies, usually they get bigger media
>> attention) can force companies to take security more seriously, but imo
>> hiring the kiddies isn't the solution.
>
> It matters a lot less than you think.  Go look at Sony's stock price while they
> were having their security issues - it was already sliding *before* PSN got hacked,
> but continued sliding at the *exact same rate* for several months, with no visible
> added dip due to the multiple hacks they had.
Sony has a chronic, progressive problem with data security. Sony (or a
child corporation operating under their name) had been hacked at least
43 times in the past
(http://attrition.org/security/rant/sony_aka_sownage.html).

Adding insult to injury, Sony laid off security folks before the
spectacular breach
(http://techgeek.com.au/2011/06/25/lawsuit-sony-laid-off-security-staff-before-data-breach/).

Sony is the poster child for driving drunk on the information super
highway. Computing is a privilege, not a right. They should have their
privileges revoked.

> The hack at TJX didn't cripple that
> company either.  Cost them a bunch, but nothing they couldn't survive - most
> companies that size already budget a lot more for unforeseen events than the
> hacks cost them.
It cost TJX next to nothing, if I recall. It was less than 1% of one
quarter's earnings. The executives were awarded bonuses for a job well
done, and the loss was passed on to the share holders.

> [SNIP]
>
> Remember that computer security is almost always a cost center, not a profit
> center, and one of those "bad priorities" is usually "make more money".
>
> They aren't going to change the flawed process (which will cost money), unless
> you can demonstrate how that will impact the bottom line.  Just like I *could*
> replace my already-paid-off car that gets 27 miles to the gallon with one that
> gets 42, and save $50 month in gas- but then have a $250/month car payment to
> make. That doesn't make fiscal sense, and often neither does fixing the flawed
> process.
>
>> of course many of them will get owned, lose a good chunk of money, some of
>> them even will go out of business, but until most of them can get away with
>> those broken model, they won't try to fix the underlying problem.
>
> And you know what? *Every single decision* a business makes is like that.
>
> [SNIP]
Sadly, you are right.

In the US, we need a legislative change - broader, more encompassing
laws and definitions which benefit the users (whether it's a user with
a credit card on file, or a user with PII on file). We need harsh
penalties to act as a deterrent against corporate indifference, and
board members to be held criminally accountable. With harsh penalties
and board accountability, I would argue you could relax legislative
oversight - give them enough rope to hang themselves, and see how many
executives will opt for 'let's spend 10 years in prison' because it's
cheaper to do nothing.

It's probably a pipe dream, though (I know it is while corporate
America gets to participate in the oligarchy via bribes (err, PAC
contributions)).

Jeff


Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Valdis . Kletnieks
On Sun, 08 Jan 2012 01:37:21 +0100, Ferenc Kovacs said:

> imo public shaming(ie. owned by kiddies, usually they get bigger media
> attention) can force companies to take security more seriously, but imo
> hiring the kiddies isn't the solution.

It matters a lot less than you think.  Go look at Sony's stock price while they
were having their security issues - it was already sliding *before* PSN got hacked,
but continued sliding at the *exact same rate* for several months, with no visible
added dip due to the multiple hacks they had.  The hack at TJX didn't cripple that
company either.  Cost them a bunch, but nothing they couldn't survive - most
companies that size already budget a lot more for unforeseen events than the
hacks cost them.

> able to secure your infrastructure, but the industry is rotten mostly
> because it-sec isn't as high priority as it should be.

As high priority as the IT Sec people usually think it should be, or as high
priority as a cold hard-line analysis of business cost/benefits says it should
be?  IT people tend to be *really* bad at estimating actual bottom-line
costs.

> it is an added-value, usually bolted-on top of the screwed up legacy
> processes/softwares, and the higher-ups expect it to be bought by money
> alone.

Remember that at the C level, *everything* is bought by money alone.
An initiative will cost $X in capex, $Y in manpower costs, and is predicted
to return $Z per year.  If Z is bigger than X+Y, we proceed, if not, we don't.
(Of course, the fun is in nailing X Y and Z down to accurate numbers :)

> company, but they won't change the flawed processes, and the bad priorities.

Remember that computer security is almost always a cost center, not a profit
center, and one of those "bad priorities" is usually "make more money".

They aren't going to change the flawed process (which will cost money), unless
you can demonstrate how that will impact the bottom line.  Just like I *could*
replace my already-paid-off car that gets 27 miles to the gallon with one that
gets 42, and save $50 month in gas- but then have a $250/month car payment to
make. That doesn't make fiscal sense, and often neither does fixing the flawed
process.

> of course many of them will get owned, lose a good chunk of money, some of
> them even will go out of business, but until most of them can get away with
> those broken model, they won't try to fix the underlying problem.

And you know what? *Every single decision* a business makes is like that.

You run a restaurant, and make a bet that you can sell a fajita that's 20%
bigger than your competitor, for 50 cents less, and still make money.  Maybe
you're right, and you end up expanding into a nationwide fajita chain. Maybe
you're not - something like 50% of restaurants fold in under 3 years.

You manage an office building complex, and make a bet that if there's a fire,
only one of the buildings will burn down and not all of them, so you don't
insure for "everything burning down" because that's a *lot* higher premium per
year and you don't really see them *all* burning as being likely.  If one burns
down, you collect the insurance, rebuild, and get on with running an office
complex.  If they all burn down, you're probably screwed.  Unless you're one
lucky guy like Larry Silverstein, and they're ruled separate events at the WTC
so you get paid for all the buildings anyhow:

http://articles.cnn.com/2004-12-06/justice/wtc.trial_1_larry-silverstein-single-occurrence-insurers?_s=PM:LAW

You run a company, and make a bet that there's only a X% chance of being
hacked, and it will probably cost you $Y, so you spend $Z.  Maybe you guess
wrong, like Sony did, maybe you don't, and all the money you didn't spend on
security becomes profit, not cost.

But it's the same thing - you estimate your chances, and place your bet. It's
called the way business works.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Valdis . Kletnieks
On Sat, 07 Jan 2012 18:24:04 CST, Laurelai said:

> Well enjoy your doomed industry then. I'll continue to take great
> pleasure as the so called experts get owned by teenagers.

I'm not sure why you consider it "doomed".  It's only "doomed" if you have
some silly notion that a company needs to have 100% security.

We've not managed to totally secure the roads, there's still bad drivers out
there.  We've not managed to totally secure the credit card system, there's
still fraud.  But neither of those are "doomed" either - we just accept there's
bad drivers and buy car insurance, and the credit card companies accept
that there will be 2% to 6% fraud write-offs and chargebacks, budget
accordingly, and get on with business.

And it's the same in computer security - if you've figured out it's going to
cost you $250K/year (remember, salary, bennies, *and* overhead) to hire a
security geek, but there's only a 5% chance you'll get hacked in a given year
and you've got a business plan on how to *recover* for $100K, and swallow the
$600K in lost sales the week your website is down, you're still better off *not
hiring the expert and risking getting hacked*.

Just like any other business - banks, gas stations, and minimarts all accept
the chance of armed robbery as part of the risk of doing business.  Most will
deploy *some* countermeasures to lower the risk (usually a video camera or two,
and tell the clerks to hand over the money and try not to get shot), and at
some point say "Meh, that's enough. Time to get back to selling stuff and
making money".  Nothing different just because it's a cyber attack rather than
a physical one.




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Shyaam Sundhar
Looks like the discussion is taking a different direction.

Thank you.
Shyaam

On Jan 7, 2012, at 7:37 PM, Ferenc Kovacs  wrote:

>
>
> On Sun, Jan 8, 2012 at 1:24 AM, Laurelai  wrote:
>
>> On 1/7/12 6:20 PM, valdis.kletni...@vt.edu wrote:
>>
>>> On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
>>>
>>>> Because they pay the kids to own them in a safe manner to show that
>>>>
>>> It's not as simple as all that.  A good pen-tester needs more skills than just
>>> how to pwn a server.  You need some business smarts, and you need to be *very*
>>> careful about writing the rules of engagement (some pen tests that involve
>>> physical attacks can literally get you shot at if you screw this part up), and
>>> then *sticking with them* (you find a major social engineering problem while
>>> doing a black-box test of some front-end servers, you better re-negotiate those
>>> rules of engagement before you do anything else).  Also, once a pen test
>>> starts, you can't take your time and poke it with the 3 or 4 types of attacks
>>> that you're good at - you have 3 weeks starting at 8AM Monday to hit it with
>>> 37 different classes of attacks they're likely to see and another 61 types
>>> of attacks they're not likely to see and aren't expecting.  And be prepared to
>>> work any one of those 94 from "looks like might be an issue" to something you
>>> can put in a report and say "You Have A Problem".
>>>
>>> Almost no company is stupid enough to hire a pen testing team without that team
>>> posting a good-sized performance bond in case of a screw-up taking out a
>>> server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you
>>> *already* caught them stealing the data once :)
>>>
>>> And the kids are going to land a $1M performance bond, how?
>>>
>>> (Hint - think this through.  Really good pentesters make *really* good bucks.
>>> If those kiddies had what it took to be good pentesters, they'd already be
>>> making bucks as pentesters, not as kiddies)
>>>
>>>> their so called experts are full of shit, then they fire said experts
>>>> and hire competent people saving time money and resources, try and
>>>>
>>> Doesn't scale, because there's not enough competent people out there. There's
>>> 140 million .coms, there aren't 140 million security experts out there.
>>>
>>> It's not a new idea - I've heard it every year or two since probably before
>>> most of the people on this list were born.  The fact that almost no companies
>>> actually *do* it, and that those hackers who have successfully crossed over to
>>> consulting are rare enough that you can name most of them, should tell you
>>> something about how well it ends up working in practice.
>>>
>> Well enjoy your doomed industry then. I'll continue to take great pleasure as
>> the so called experts get owned by teenagers.
>>
> imo public shaming (i.e. owned by kiddies, usually they get bigger media
> attention) can force companies to take security more seriously, but imo
> hiring the kiddies isn't the solution.
> even if he/she happens to be the "superstar", who given the chance would be
> able to secure your infrastructure, but the industry is rotten mostly because
> it-sec isn't as high priority as it should be.
> it is an added-value, usually bolted-on top of the screwed up legacy
> processes/softwares, and the higher-ups expect it to be bought by money alone.
> they would pay for the cert, they would pay for the hacker-proof seal, they
> would pay for the insurance, and the decent looking it-security consultant
> company, but they won't change the flawed processes, and the bad priorities.
> of course many of them will get owned, lose a good chunk of money, some of
> them even will go out of business, but until most of them can get away with
> those broken model, they won't try to fix the underlying problem.
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Ferenc Kovacs
On Sun, Jan 8, 2012 at 1:24 AM, Laurelai  wrote:

> On 1/7/12 6:20 PM, valdis.kletni...@vt.edu wrote:
>
>> On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
>>
>>> Because they pay the kids to own them in a safe manner to show that
>>>
>> It's not as simple as all that.  A good pen-tester needs more skills than just
>> how to pwn a server.  You need some business smarts, and you need to be *very*
>> careful about writing the rules of engagement (some pen tests that involve
>> physical attacks can literally get you shot at if you screw this part up), and
>> then *sticking with them* (you find a major social engineering problem while
>> doing a black-box test of some front-end servers, you better re-negotiate those
>> rules of engagement before you do anything else).  Also, once a pen test
>> starts, you can't take your time and poke it with the 3 or 4 types of attacks
>> that you're good at - you have 3 weeks starting at 8AM Monday to hit it with
>> 37 different classes of attacks they're likely to see and another 61 types
>> of attacks they're not likely to see and aren't expecting.  And be prepared to
>> work any one of those 94 from "looks like might be an issue" to something you
>> can put in a report and say "You Have A Problem".
>>
>> Almost no company is stupid enough to hire a pen testing team without that team
>> posting a good-sized performance bond in case of a screw-up taking out a
>> server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you
>> *already* caught them stealing the data once :)
>>
>> And the kids are going to land a $1M performance bond, how?
>>
>> (Hint - think this through.  Really good pentesters make *really* good bucks.
>> If those kiddies had what it took to be good pentesters, they'd already be
>> making bucks as pentesters, not as kiddies)
>>
>>> their so called experts are full of shit, then they fire said experts
>>> and hire competent people saving time money and resources, try and
>>>
>> Doesn't scale, because there's not enough competent people out there. There's
>> 140 million .coms, there aren't 140 million security experts out there.
>>
>> It's not a new idea - I've heard it every year or two since probably before
>> most of the people on this list were born.  The fact that almost no companies
>> actually *do* it, and that those hackers who have successfully crossed over to
>> consulting are rare enough that you can name most of them, should tell you
>> something about how well it ends up working in practice.
>>
> Well enjoy your doomed industry then. I'll continue to take great
> pleasure as the so called experts get owned by teenagers.
>

imo public shaming (i.e. owned by kiddies, usually they get bigger media
attention) can force companies to take security more seriously, but imo
hiring the kiddies isn't the solution.
even if he/she happens to be the "superstar", who given the chance would be
able to secure your infrastructure, but the industry is rotten mostly
because it-sec isn't as high priority as it should be.
it is an added-value, usually bolted-on top of the screwed up legacy
processes/softwares, and the higher-ups expect it to be bought by money
alone.
they would pay for the cert, they would pay for the hacker-proof seal, they
would pay for the insurance, and the decent looking it-security consultant
company, but they won't change the flawed processes, and the bad priorities.
of course many of them will get owned, lose a good chunk of money, some of
them even will go out of business, but until most of them can get away with
those broken model, they won't try to fix the underlying problem.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Kurt Buff
On Sat, Jan 7, 2012 at 13:50,   wrote:
> On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:
>
>> Although, once they have gained popularity and to a stage where a garage
>> office becomes a shop floor and a @home biz becomes a rent-a-million$-building
>> office, it is time to shift priorities.
>
> If finding people who are competent enough to secure a payroll system for a
> company of 10 people is difficult, what makes you think that it's easy to find
> people who can secure the systems for a company of 1,000?

I would think it would be easier, because a company of 1,000 is much
more likely to have an actual budget for this kind of stuff than a
company of 10, or 100. But, still not as easy as for a company of
10,000, or 100,000.

Kurt



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai
On 1/7/12 6:20 PM, valdis.kletni...@vt.edu wrote:
> On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
>> Because they pay the kids to own them in a safe manner to show that
> It's not as simple as all that.  A good pen-tester needs more skills than just
> how to pwn a server.  You need some business smarts, and you need to be *very*
> careful about writing the rules of engagement (some pen tests that involve
> physical attacks can literally get you shot at if you screw this part up), and
> then *sticking with them* (you find a major social engineering problem while
> doing a black-box test of some front-end servers, you better re-negotiate those
> rules of engagement before you do anything else).  Also, once a pen test
> starts, you can't take your time and poke it with the 3 or 4 types of attacks
> that you're good at - you have 3 weeks starting at 8AM Monday to hit it with
> 37 different classes of attacks they're likely to see and another 61 types
> of attacks they're not likely to see and aren't expecting.  And be prepared to
> work any one of those 94 from "looks like might be an issue" to something you
> can put in a report and say "You Have A Problem".
>
> Almost no company is stupid enough to hire a pen testing team without that team
> posting a good-sized performance bond in case of a screw-up taking out a
> server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you
> *already* caught them stealing the data once :)
>
> And the kids are going to land a $1M performance bond, how?
>
> (Hint - think this through.  Really good pentesters make *really* good bucks.
> If those kiddies had what it took to be good pentesters, they'd already be
> making bucks as pentesters, not as kiddies)
>
>> their so called experts are full of shit, then they fire said experts
>> and hire competent people saving time money and resources, try and
> Doesn't scale, because there's not enough competent people out there. There's
> 140 million .coms, there aren't 140 million security experts out there.
>
> It's not a new idea - I've heard it every year or two since probably before
> most of the people on this list were born.  The fact that almost no companies
> actually *do* it, and that those hackers who have successfully crossed over to
> consulting are rare enough that you can name most of them, should tell you
> something about how well it ends up working in practice.
>
Well, enjoy your doomed industry then. I'll continue to take great
pleasure as the so called experts get owned by teenagers.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Valdis . Kletnieks
On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
> Because they pay the kids to own them in a safe manner to show that

It's not as simple as all that.  A good pen-tester needs more skills than just
how to pwn a server.  You need some business smarts, and you need to be *very*
careful about writing the rules of engagement (some pen tests that involve
physical attacks can literally get you shot at if you screw this part up), and
then *sticking with them* (you find a major social engineering problem while
doing a black-box test of some front-end servers, you better re-negotiate those
rules of engagement before you do anything else).  Also, once a pen test
starts, you can't take your time and poke it with the 3 or 4 types of attacks
that you're good at - you have 3 weeks starting at 8AM Monday to hit it with
37 different classes of attacks they're likely to see and another 61 types
of attacks they're not likely to see and aren't expecting.  And be prepared to
work any one of those 94 from "looks like might be an issue" to something you
can put in a report and say "You Have A Problem".

Almost no company is stupid enough to hire a pen testing team without that team
posting a good-sized performance bond in case of a screw-up taking out a
server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you
*already* caught them stealing the data once :)

And the kids are going to land a $1M performance bond, how?

(Hint - think this through.  Really good pentesters make *really* good bucks.
If those kiddies had what it took to be good pentesters, they'd already be
making bucks as pentesters, not as kiddies)

> their so called experts are full of shit, then they fire said experts
> and hire competent people saving time money and resources, try and 

Doesn't scale, because there's not enough competent people out there. There's
140 million .coms, there aren't 140 million security experts out there.

It's not a new idea - I've heard it every year or two since probably before
most of the people on this list were born.  The fact that almost no companies
actually *do* it, and that those hackers who have successfully crossed over to
consulting are rare enough that you can name most of them, should tell you
something about how well it ends up working in practice.




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Shyaam Sundhar
I would agree with every response in this chain of emails.

Reason: there is no 1 perfect solution. There is no one single mindset that can
protect against everything that people are facing these days. Blended attacks
and threats make things complicated. Defense is not as simple as said when it
is attempted to be put into practice, and there cannot be 1 perfect solution that
secures everything either.

Thank you.
Shyaam

On Jan 7, 2012, at 6:37 PM, Laurelai wrote:

> On 1/7/12 5:31 PM, Ferenc Kovacs wrote:
>> On Sun, Jan 8, 2012 at 12:03 AM, Laurelai wrote:
>> On 1/7/12 3:50 PM, valdis.kletni...@vt.edu wrote:
>>> On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:
>>>
>>>> Although, once they have gained popularity and to a stage where a garage
>>>> office becomes a shop floor and a @home biz becomes a rent-a-million$-building
>>>> office, it is time to shift priorities.
>>>
>>> If finding people who are competent enough to secure a payroll system for a
>>> company of 10 people is difficult, what makes you think that it's easy to find
>>> people who can secure the systems for a company of 1,000?
>>>
>>> As Stratfor has demonstrated, the talent pool of *really* competent security
>>> people is shallow enough that there's not even enough to secure the security
>>> companies. And it's not just Stratfor - when was the last time this list went a
>>> week without mocking a security company for its lack of clue?  It's an industry-wide
>>> problem - there's a *severe* shortage of experts.
>>>
>>> And even though schools like DeVry and ITT are churning out lots of people with
>>> entry level certifications, I'm not at all sure that helps the situation - we
>>> end up with a lot of people who are entry level, and don't realize how much
>>> they don't know. That makes them almost more dangerous than not having anybody
>>> at all. Sort of like if you walk alone through a scary part of town, you
>>> actually stand a good chance because you *know* you're alone and will act
>>> accordingly - but if you have a bodyguard with you, you're likely to act
>>> differently, and end up totally screwed when you find out said bodyguard has a
>>> belt in martial arts, but zero experience in street fighting...
>>>
>> Perhaps these companies should try to hire the kids owning them instead of 
>> crying to the feds.
>> 
>> why do you think that kiddies using tools like sqlmap would be able to 
>> defend them from other kids?
>> 
>> 
>> -- 
>> Ferenc Kovács
>> @Tyr43l - http://tyrael.hu
> Because they pay the kids to own them in a safe manner to show that their so
> called experts are full of shit, then they fire said experts and hire
> competent people saving time money and resources, try and remember the guys
> with the certs are the ones getting owned by the skiddies with sqlmap so that
> should show you how broken the infosec industry is, want to fix it? Start by
> hiring the skids because they are still more competent than the guys they are
> owning. If that one gets owned you hire the guy who owned him etc... until
> you actually have to know what the hell you're doing to be in infosec. Use a
> Darwinian approach to the industry.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai

On 1/7/12 5:31 PM, Ferenc Kovacs wrote:
> On Sun, Jan 8, 2012 at 12:03 AM, Laurelai wrote:
>> On 1/7/12 3:50 PM, valdis.kletni...@vt.edu wrote:
>>> On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:
>>>
>>>> Although, once they have gained popularity and to a stage where a garage
>>>> office becomes a shop floor and a @home biz becomes a rent-a-million$-building
>>>> office, it is time to shift priorities.
>>>
>>> If finding people who are competent enough to secure a payroll system for a
>>> company of 10 people is difficult, what makes you think that it's easy to find
>>> people who can secure the systems for a company of 1,000?
>>>
>>> As Stratfor has demonstrated, the talent pool of *really* competent security
>>> people is shallow enough that there's not even enough to secure the security
>>> companies. And it's not just Stratfor - when was the last time this list went a
>>> week without mocking a security company for its lack of clue?  It's an industry-wide
>>> problem - there's a *severe* shortage of experts.
>>>
>>> And even though schools like DeVry and ITT are churning out lots of people with
>>> entry level certifications, I'm not at all sure that helps the situation - we
>>> end up with a lot of people who are entry level, and don't realize how much
>>> they don't know. That makes them almost more dangerous than not having anybody
>>> at all. Sort of like if you walk alone through a scary part of town, you
>>> actually stand a good chance because you *know* you're alone and will act
>>> accordingly - but if you have a bodyguard with you, you're likely to act
>>> differently, and end up totally screwed when you find out said bodyguard has a
>>> belt in martial arts, but zero experience in street fighting...
>>>

>> Perhaps these companies should try to hire the kids owning them
>> instead of crying to the feds.
>
> why do you think that kiddies using tools like sqlmap would be able to
> defend them from other kids?
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
Because they pay the kids to own them in a safe manner to show that
their so called experts are full of shit, then they fire said experts
and hire competent people saving time money and resources, try and
remember the guys with the certs are the ones getting owned by the
skiddies with sqlmap so that should show you how broken the infosec
industry is, want to fix it? Start by hiring the skids because they are
still more competent than the guys they are owning. If that one gets
owned you hire the guy who owned him etc... until you actually have to
know what the hell you're doing to be in infosec. Use a Darwinian approach
to the industry.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Valdis . Kletnieks
On Sat, 07 Jan 2012 17:03:09 CST, Laurelai said:
> Perhaps these companies should try to hire the kids owning them instead
> of crying to the feds.

Most of the kids are skript kiddies, and don't really understand the *defense*
end of the security business very well.  Sure, some may be better than skript
kiddies, and may be *incredible* at finding a memory overlay or an SQL
injection, but do they know how to *secure* against *everything*?

Does that kid know anything about "continuity of operations"? How to negotiate
with network providers to guarantee diverse cable paths?  How to set up proper
audit trails so they can figure out what happened after the fact? How to deal
with physical security issues (how do you know the guy at the door works for
Oracle, and who empties your trash?) How to deal with a subpoena or a "hold
evidence" order?  How to secure systems against insider threats and
embezzlement (still a big problem, even if hackers get more news time)? How to
ensure proper backups get done (this can be very non-trivial if you have
multiple petabytes of storage, and need to do point-in-time recoveries)? How to
do all the other things involved in actually making a data processing facility
*secure*?

For all the flak the CISSP gets, it's *still* worthwhile to wander over and
take a quick peek at *all* the subject areas it covers (18 if I remember
right), and then ask yourself "How much does the average kiddie know about all
this?"

And there's another little problem:  If you had a store, and somebody robbed
you at gunpoint, would you feel good about offering them a job because they
obviously need the money?  Or would you tend to avoid that person as an
employee, because they've already proven they don't want to follow the rules?
And even if you're willing to give a felon another shot, what do you say to the
other employees when they say "You hired WHO? That guy shot Fred in the knee,
I'm outta here".

And why should your answer be any different just because the attack involved a
computer rather than a 9mm?




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Ferenc Kovacs
On Sun, Jan 8, 2012 at 12:03 AM, Laurelai wrote:

> On 1/7/12 3:50 PM, valdis.kletni...@vt.edu wrote:
>> On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:
>>
>>> Although, once they have gained popularity and to a stage where a garage
>>> office becomes a shop floor and a @home biz becomes a rent-a-million$-building
>>> office, it is time to shift priorities.
>>
>> If finding people who are competent enough to secure a payroll system for a
>> company of 10 people is difficult, what makes you think that it's easy to find
>> people who can secure the systems for a company of 1,000?
>>
>> As Stratfor has demonstrated, the talent pool of *really* competent security
>> people is shallow enough that there's not even enough to secure the security
>> companies. And it's not just Stratfor - when was the last time this list went a
>> week without mocking a security company for its lack of clue?  It's an industry-wide
>> problem - there's a *severe* shortage of experts.
>>
>> And even though schools like DeVry and ITT are churning out lots of people with
>> entry level certifications, I'm not at all sure that helps the situation - we
>> end up with a lot of people who are entry level, and don't realize how much
>> they don't know. That makes them almost more dangerous than not having anybody
>> at all. Sort of like if you walk alone through a scary part of town, you
>> actually stand a good chance because you *know* you're alone and will act
>> accordingly - but if you have a bodyguard with you, you're likely to act
>> differently, and end up totally screwed when you find out said bodyguard has a
>> belt in martial arts, but zero experience in street fighting...
>>
>
> Perhaps these companies should try to hire the kids owning them instead
> of crying to the feds.
>

why do you think that kiddies using tools like sqlmap would be able to
defend them from other kids?


-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai

On 1/7/12 3:50 PM, valdis.kletni...@vt.edu wrote:
> On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:
>
>> Although, once they have gained popularity and to a stage where a garage
>> office becomes a shop floor and a @home biz becomes a rent-a-million$-building
>> office, it is time to shift priorities.
>
> If finding people who are competent enough to secure a payroll system for a
> company of 10 people is difficult, what makes you think that it's easy to find
> people who can secure the systems for a company of 1,000?
>
> As Stratfor has demonstrated, the talent pool of *really* competent security
> people is shallow enough that there's not even enough to secure the security
> companies. And it's not just Stratfor - when was the last time this list went a
> week without mocking a security company for its lack of clue?  It's an industry-wide
> problem - there's a *severe* shortage of experts.
>
> And even though schools like DeVry and ITT are churning out lots of people with
> entry level certifications, I'm not at all sure that helps the situation - we
> end up with a lot of people who are entry level, and don't realize how much
> they don't know. That makes them almost more dangerous than not having anybody
> at all. Sort of like if you walk alone through a scary part of town, you
> actually stand a good chance because you *know* you're alone and will act
> accordingly - but if you have a bodyguard with you, you're likely to act
> differently, and end up totally screwed when you find out said bodyguard has a
> belt in martial arts, but zero experience in street fighting...



Perhaps these companies should try to hire the kids owning them instead 
of crying to the feds.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Valdis . Kletnieks
On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:

> Although, once they have gained popularity and to a stage where a garage
> office becomes a shop floor and a @home biz becomes a rent-a-million$-building
> office, it is time to shift priorities.

If finding people who are competent enough to secure a payroll system for a
company of 10 people is difficult, what makes you think that it's easy to find
people who can secure the systems for a company of 1,000?

As Stratfor has demonstrated, the talent pool of *really* competent security
people is shallow enough that there's not even enough to secure the security
companies. And it's not just Stratfor - when was the last time this list went a
week without mocking a security company for its lack of clue?  It's an 
industry-wide
problem - there's a *severe* shortage of experts.

And even though schools like DeVry and ITT are churning out lots of people with
entry level certifications, I'm not at all sure that helps the situation - we
end up with a lot of people who are entry level, and don't realize how much
they don't know. That makes them almost more dangerous than not having anybody
at all. Sort of like if you walk alone through a scary part of town, you
actually stand a good chance because you *know* you're alone and will act
accordingly - but if you have a bodyguard with you, you're likely to act
differently, and end up totally screwed when you find out said bodyguard has a
belt in martial arts, but zero experience in street fighting...




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Shyaam Sundhar
Completely agreed. Availability and business are top priority for managers.
Although, once they have gained popularity and to a stage where a garage office 
becomes a shop floor and a @home biz becomes a rent-a-million$-building office, 
it is time to shift priorities. But again, I have no say in that, and it is 
what it is.

Thank you.
Shyaam

On Jan 7, 2012, at 4:08 PM, valdis.kletni...@vt.edu wrote:

> On Sat, 07 Jan 2012 15:55:28 EST, Shyaam Sundhar said:
> 
>> My question(s) would be: why are people sloppy by nature when it comes to
>> security? Why is security still considered as a blanket as opposed to the core
>> of any system?
> 
> In most shops, the level of competence is barely sufficient to make sure that
> the payroll system prints a check for every employee with the correct number on
> it. Trying to keep the system running *and* secure is beyond their competence
> level, so you have to choose one - running or secure.  Most managers will
> choose 'running', because if they choose 'secure', *they* don't get a paycheck
> either...
> 
> (Vastly oversimplified, but that's pretty much it in a nutshell).
> 



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Jeffrey Walton
On Sat, Jan 7, 2012 at 3:48 PM, Ferenc Kovacs wrote:
>
>
> On Sat, Jan 7, 2012 at 8:10 PM, Jeffrey Walton wrote:
>>
>> http://bolt.thexfil.es/84e9h!t was an interesting link - it
>> demonstrated the pwnage.
>>
>> It looks like these folks gained access via PHP. Stratfor was using a
>> Linux based system, but PHP was version 1.8
>> from 2009 (perhaps with some back patches). Current version of PHP is
>> 5.3.8 (http://www.php.net/).
>
>
> O really? PHP 1.8? How would you compile that on a modern Linux distro?
> How would you run Drupal on top of it?
>
> // $Id: default.settings.php,v 1.8.2.4 2009/09/14 12:59:18 goba Exp $
> that is a line from the default drupal config file.
I stand corrected (thank you).

Jeff



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Valdis . Kletnieks
On Sat, 07 Jan 2012 15:55:28 EST, Shyaam Sundhar said:

> My question(s) would be: why are people sloppy by nature when it comes to
> security? Why is security still considered as a blanket as opposed to the core
> of any system?

In most shops, the level of competence is barely sufficient to make sure that
the payroll system prints a check for every employee with the correct number on
it. Trying to keep the system running *and* secure is beyond their competence
level, so you have to choose one - running or secure.  Most managers will
choose 'running', because if they choose 'secure', *they* don't get a paycheck
either...

(Vastly oversimplified, but that's pretty much it in a nutshell).




Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Shyaam Sundhar
All this is true. From time to time, these things happen to businesses that do 
not take security as bread and butter. Although, I call that statement 
incorrect as well, because security firms themselves get targeted most of the 
time.

My question(s) would be: why are people sloppy by nature when it comes to 
security? Why is security still considered as a blanket as opposed to the core 
of any system? 

PS: I am totally wrong and I know that ;)

Thank you.
Shyaam

On Jan 7, 2012, at 3:48 PM, Ferenc Kovacs wrote:

> 
> 
> On Sat, Jan 7, 2012 at 8:10 PM, Jeffrey Walton wrote:
> http://bolt.thexfil.es/84e9h!t was an interesting link - it
> demonstrated the pwnage.
> 
> It looks like these folks gained access via PHP. Stratfor was using a
> Linux based system, but PHP was version 1.8
> from 2009 (perhaps with some back patches). Current version of PHP is
> 5.3.8 (http://www.php.net/).
> 
> O really? PHP 1.8? How would you compile that on a modern Linux distro?
> How would you run Drupal on top of it?
> 
> // $Id: default.settings.php,v 1.8.2.4 2009/09/14 12:59:18 goba Exp $
> that is a line from the default drupal config file.
> 
> I agree that the PHP app was the most likely source of the intrusion, I would
> guess that they didn't keep the Drupal core and the contrib modules
> up-to-date, and they were owned through some old vulnerability.
> 
> -- 
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai

On 1/7/12 2:48 PM, Ferenc Kovacs wrote:
> On Sat, Jan 7, 2012 at 8:10 PM, Jeffrey Walton wrote:
>> http://bolt.thexfil.es/84e9h!t was an interesting link - it
>> demonstrated the pwnage.
>>
>> It looks like these folks gained access via PHP. Stratfor was using a
>> Linux based system, but PHP was version 1.8
>> from 2009 (perhaps with some back patches). Current version of PHP is
>> 5.3.8 (http://www.php.net/).
>
> O really? PHP 1.8? How would you compile that on a modern Linux distro?
> How would you run Drupal on top of it?
>
> // $Id: default.settings.php,v 1.8.2.4 2009/09/14 12:59:18 goba Exp $
> that is a line from the default Drupal config file.
>
> I agree that the PHP app was the most likely source of the intrusion,
> I would guess that they didn't keep the Drupal core and the contrib
> modules up-to-date, and they were owned through some old vulnerability.
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu


And again it makes me wonder how many other so called security companies 
are just as vulnerable.

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Ferenc Kovacs
On Sat, Jan 7, 2012 at 8:10 PM, Jeffrey Walton wrote:

> http://bolt.thexfil.es/84e9h!t was an interesting link - it
> demonstrated the pwnage.
>
> It looks like these folks gained access via PHP. Stratfor was using a
> Linux based system, but PHP was version 1.8
> from 2009 (perhaps with some back patches). Current version of PHP is
> 5.3.8 (http://www.php.net/).
>

O really? PHP 1.8? How would you compile that on a modern Linux distro?
How would you run Drupal on top of it?

// $Id: default.settings.php,v 1.8.2.4 2009/09/14 12:59:18 goba Exp $
that is a line from the default drupal config file.

I agree that the PHP app was the most likely source of the intrusion, I
would guess that they didn't keep the Drupal core and the contrib modules
up-to-date, and they were owned through some old vulnerability.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Laurelai
On 1/7/12 8:51 AM, Ed Carp wrote:
> ROFL!!!
>
> -- Forwarded message --
> From:
> Date: Sat, Jan 7, 2012 at 2:33 AM
> Subject: Rate Stratfor's Incident Response
> To: e...@pobox.com
>
>
> For the video announcement, please see
> http://www.youtube.com/watch?v=oHg5SJYRHA0
> Read full press release: http://bolt.thexfil.es/84e9h!t
> Rate Stratfor's incident response:
> http://img855.imageshack.us/img855/9055/butthurtreportform.jpg
>
> Hello loyal Stratfor clients,
>
> We are still working to get our website secure and back up and running
> again as soon as possible.
>
> To show our appreciation for your continued support, we will be making
> available all of our premium content *as a free service* from now on.
>
> We would like to hear from our loyal client base as to our handling of
> the recent intrusion by those deranged, sexually deviant criminal
> hacker terrorist masterminds. Please fill out the following form and
> return it to me
>
> My mobile: 512-658-3152
> My home phone: 512-894-0125
>
I still find this kind of thing hilarious.



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Jeffrey Walton
http://bolt.thexfil.es/84e9h!t was an interesting link - it
demonstrated the pwnage.

It looks like these folks gained access via PHP. Stratfor was using a
Linux based system, but PHP was version 1.8
from 2009 (perhaps with some back patches). Current version of PHP is
5.3.8 (http://www.php.net/).

Two lessons: (1) keep your boxes patched, and (2) don't store secrets
in the plain text, or use [unsalted] MD5 to digest secrets.

Fuck me running - that's been known for years. I think Stratfor
broke all the major tenets of data security. The company deserves
everything they get in this instance.

And I like the RickRoll - it was a nice touch which really
demonstrated a level of caring not often seen.

Jeff

On Sat, Jan 7, 2012 at 9:51 AM, Ed Carp wrote:
> ROFL!!!
>
> -- Forwarded message --
> From:  
> Date: Sat, Jan 7, 2012 at 2:33 AM
> Subject: Rate Stratfor's Incident Response
> To: e...@pobox.com
>
>
> For the video announcement, please see
> http://www.youtube.com/watch?v=oHg5SJYRHA0
> Read full press release: http://bolt.thexfil.es/84e9h!t
> Rate Stratfor's incident response:
> http://img855.imageshack.us/img855/9055/butthurtreportform.jpg
>
> Hello loyal Stratfor clients,
>
> We are still working to get our website secure and back up and running
> again as soon as possible.
>
> To show our appreciation for your continued support, we will be making
> available all of our premium content *as a free service* from now on.
>
> We would like to hear from our loyal client base as to our handling of
> the recent intrusion by those deranged, sexually deviant criminal
> hacker terrorist masterminds. Please fill out the following form and
> return it to me
>
> My mobile: 512-658-3152
> My home phone: 512-894-0125

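An added illustration of the second lesson in the message above (example code written for this page, not taken from the post or from any Stratfor system): a constructed credential table stored as unsalted MD5, where every reused password yields the same digest, beside the same table stored with per-user salts and iterated PBKDF2-HMAC-SHA256 plus a constant-time verifier. The user names, passwords, salt length and iteration count are all constructed for the demonstration.

```python
"""Added example (not from the mailing-list thread or from Stratfor):
unsalted MD5 password storage beside salted, iterated PBKDF2 storage.
Every user, password and parameter below is constructed for the demo."""
import hashlib
import hmac
import os

# Constructed credential set. alice and bob reuse the same password, which
# is exactly the case an unsalted digest fails to hide.
PLAINTEXT_PASSWORDS = {
    "alice": "Winter2011!",
    "bob": "Winter2011!",
    "carol": "letmein",
}


def md5_unsalted(password: str) -> str:
    """The weak scheme the post warns about: one deterministic MD5 digest
    over the raw password, with no salt and no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_table(users: dict) -> dict:
    """Credential store as a site using unsalted MD5 would keep it."""
    return {user: md5_unsalted(pw) for user, pw in users.items()}


def shared_digests(table: dict) -> dict:
    """Map each stored value that belongs to more than one user to those users.
    With unsalted MD5, equal passwords give equal digests, so one recovered
    digest (e.g. from a precomputed lookup table) exposes every account that
    reused the password. With per-user salts the stored values never repeat."""
    by_value = {}
    for user, stored in table.items():
        by_value.setdefault(stored, []).append(user)
    return {v: users for v, users in by_value.items() if len(users) > 1}


# Work factor for PBKDF2-HMAC-SHA256; constructed value, tune to hardware.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash. The record is self-describing
    ('pbkdf2_sha256$iterations$salt_hex$dk_hex') so the parameters travel
    with the stored value and can be raised later without a flag day."""
    if not salt:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time; malformed or foreign records are rejected, never trusted."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    try:
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def pbkdf2_table(users: dict) -> dict:
    """The same credential set stored the way the post recommends."""
    return {user: hash_password(pw) for user, pw in users.items()}


def demo() -> dict:
    """Run both schemes over the constructed users and report what differs."""
    weak = md5_table(PLAINTEXT_PASSWORDS)
    strong = pbkdf2_table(PLAINTEXT_PASSWORDS)
    return {
        "md5_reuse_groups": shared_digests(weak),       # one group: alice, bob
        "pbkdf2_reuse_groups": shared_digests(strong),  # empty
        "alice_verifies": verify_password("Winter2011!", strong["alice"]),
        "wrong_password_accepted": verify_password("wrong", strong["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```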

[Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-07 Thread Ed Carp
ROFL!!!

-- Forwarded message --
From:  
Date: Sat, Jan 7, 2012 at 2:33 AM
Subject: Rate Stratfor's Incident Response
To: e...@pobox.com


For the video announcement, please see
http://www.youtube.com/watch?v=oHg5SJYRHA0
Read full press release: http://bolt.thexfil.es/84e9h!t
Rate Stratfor's incident response:
http://img855.imageshack.us/img855/9055/butthurtreportform.jpg

Hello loyal Stratfor clients,

We are still working to get our website secure and back up and running
again as soon as possible.

To show our appreciation for your continued support, we will be making
available all of our premium content *as a free service* from now on.

We would like to hear from our loyal client base as to our handling of
the recent intrusion by those deranged, sexually deviant criminal
hacker terrorist masterminds. Please fill out the following form and
return it to me

My mobile: 512-658-3152
My home phone: 512-894-0125
