Message-ID: <1200878238637.6b2d781b-629e-4f8a-b4f2-a4fc53de51f5@google.com>
Date: Sun, 20 Jan 2008 17:17:18 -0800 (PST)
From: secreview <secreview@...hmail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [Professional IT Security Providers - Exposed]
PlanNetGroup (F)
The PlanNetGroup is a Professional IT Security Services Provider
located at http://www.plannetgroup.com. One of our readers requested
that we perform a review of the PlanNetGroup, so here it is. It is
important to state that there isn’t all that much information available
on the web about the PlanNetGroup, so this review is based mostly on
the interviews that we performed.

The PlanNetGroup was founded by Jim Mazotas of Ohio, USA, according to
this Affirmative Action Verification Form. We called Mr. Mazotas and
spoke with him for about an hour about his company; here’s what he had
to say.

When we spoke with Jim Mazotas we asked him how he defined a Penetration
Test. His answer wasn’t really an answer at all, but rather a bunch of
technical words strung into sentences that made no sense. Here is what
he said, for the most part. We can’t give you an exact quote because he
requested that some of the information related to clients, etc. be kept
confidential.

“We get to target object, where we go with that is based upon the
client’s comfort level. We grab banner information, backend support
information, and other kinds of information. During a penetration test
we most will not penetrate. Most mid level companies will not want
penetration.” – Sanitized Quote from Jim

Not only do we not understand what Jim said, but he’d be better off
saying “I don’t know” next time instead of looking like an idiot and
making up an answer. This goes for all of you people that get asked
technical questions. If you say “I don’t know” at least you won’t look
like a fool. Anyway.

When we asked Jim to define a Vulnerability Assessment, we became even
more flustered. Again his answer was like a politician trying to evade
a question with a bunch of nonsensical noise. Again, we’ve sanitized
this at Jim’s request.

“A Vulnerability Assessment is more a lab based environment type test.
Analyze servers and all nodes that are a true vital asset to the
company and assess the vulnerability in a very planned out manner. This
is done in a lab based environment.” – Sanitized Quote from Jim

Again, next time say “I don’t know” because now you look like an idiot.
Nobody expects you to know everything, but when you make shit up and
try to fool people, it's insulting. To be fair to Jim, he did say that
he was not technical, but we didn’t get technical here. As the founder
of the business he should at least know what his different service
boundaries are and how his services are defined.

When we asked Jim if his team performed Vulnerability Research and
Development, he said that they did not have the time because they were
“fully booked”. His primary customer base includes state government and
a few private sector businesses. Unfortunately, we can’t disclose who
his exact customers are. He did say that he provides Network Management
Services and Wireless Management services for many of his clients. That
sounds more IT related than Professional Security related.

When we finished with our call to Jim we asked him if he’d be kind
enough to give us contact information for someone more technical in his
company. He told us that he’d be happy to arrange a call with someone.
In the end we didn’t end up calling anyone, but instead shot a few
emails back and forth. The rest of this review is based on those
emails.

We decided to ask the same questions to Jim’s technical expert. We know
who his expert is, but we assume that he wants to stay anonymous
because he signed his email with “Jason Bourne”. So for the sake of
this interview we’ll call him Michael. Here’s the email from
Michael:

-) How do you perform your vulnerability assessments?

"Carefully! :) Typically, we will work with the customer to define the
scope of the assessment; limitations to OS, Network Equipment, Web
Server, etc. This could be a combination of components (depending on
scope); the real goal ultimately with this is to assess the patching
effort of a customer. Depending on time and availability, we will work
on finding any new vulnerability if we generate an anomaly of interest.
Currently, the focus is primarily on discovering new Oracle
vulnerabilities - as MS SQL 2K5 is more difficult to beat on, compared
to Oracle. Within vulnerability assessments, we disregard any attempts
to evade IDS, IPS, etc."

We’re not impressed with Michael’s answer. First off, we have no idea
what the hell this means: “Depending on time and availability, we will
work on finding any new vulnerability if we generate an anomaly of
interest.” And we totally disagree with “Currently, the focus is
primarily on discovering new Oracle vulnerabilities - as MS SQL 2K5 is
more difficult to beat on, compared to Oracle.” A vulnerability
assessment enumerates and rates the known weaknesses of the in-scope
hosts and applications; hunting for new Oracle bugs is vulnerability
research, a different service. In fact, whatever is being described
above doesn’t sound anything like a vulnerability assessment; we're not
sure what kind of service it is.

-) How do you perform your penetration testing?

"Again,
carefully! The definition that I use with customers is - Anything Goes!
In addition to attempting to locate missing patches, vulnerable IOS's,
applications, etc. - we will perform an assortment of timed attacks,
attempt to spoof trusted connections, or even perform social
engineering - like dropping a few pre-trojan'd USB data sticks outside
of a customer service area, a data center, etc. The only thing that we
do not perform, typically, is denial of service style or type of
attacks. We have had only one customer that we felt was in the position
to handle such a test and it was performed against their disaster
recovery infrastructure, not production."

Michael, why are you trying to be cute with your “Again, carefully!”
bullshit? A penetration test is not “Anything Goes!”; if that’s how you
define it then I don’t want you anywhere near any of my networks. And
why the hell would you perform a Denial of Service attack against
anyone? Everybody can be knocked offline if you fill up their pipe. You
scare us man!

-) How do you perform evasive IDS testing?

"We
use a series of proxy servers to attempt to perform basic hacking
techniques; port scans, blatant attacks, etc. We are typically going to
look for TCP resets as a means to evaluate if IDS is present and
possibly to find if IDS performs blocking activity. Often times, if a
system in a trusted DMZ can be compromised and used as a proxy
(exploiting a relationship or rule within a firewall) or an SSH, SSL,
encrypted tunnel can be established to a server behind the IDS sensor,
then we can successfully pull off an attack without the customer's
security staff even knowing."

It doesn't sound like Michael knows how to perform IDS evasion testing.
Using a proxy is not going to help anyone evade detection; it only hides
the IP address the traffic comes from. A signature- or anomaly-based
sensor inspects the traffic itself, so a known attack payload matches
no matter which address it arrives from, and if the target network or
application is protected by an IPS device, the IP they are attacking
from will be shunned just the same, proxy or not. So, we understand
that the PlanNetGroup's expert hasn't a clue as to how to evade IDS.
(Michael, did you get your answer from Google?)

-) What tools do you favor?

“We really do not favor any tools.
The focus of our effort (assuming we are performing a pen-test or
assessment) is to analyze a situation and choose the best tool for the
end result or compromise. I will use commercial applications, such as
AppScan, WebInspect, even ISS. There are however plenty of freeware,
low-cost tools that we use; nmap, nessus, metasploit - ultimately, I
find that an internet browser and a telnet prompt will suffice for much
of the testing. It ultimately gets back to interpreting the results and
adjusting the testing accordingly. We make it a point to try out new
freeware tools on every assignment. The more tools that we know of and
can test with, the more options we have if in the future a situation
best suited for a tool presents itself.”

Every business that delivers security services has a set of tools that
they use. These tools change from business to business, but common ones
are Nessus, WebInspect, CANVAS, Core Impact, Metasploit, etc. From the
answer above, it looks like they like the same tools as most people.
That said, we've seen no proof of talent from anyone at PlanNetGroup
yet, so we're near certain that their deliverables ARE the product of
automation.

-) Can you
provide us with sample deliverables? (sanitized)

“No, too much time. Even to sanitize creates an opportunity for a
liability in the event that a customer name is exposed ... accidents do
happen! I will say that we do not take dumps from applications and
regurgitate the information on paper. We limit our executive summary to
6 pages at most and attempt to keep the entire report limited to 25
pages in total. Our goal with a deliverable is to get the precise
information to the key stakeholders so that they can make a decision.”

Whoa, it takes too much time to create a sample deliverable? Well,
that's one way to get out of it, but we don't buy it. Either way, at
this point we don't feel that a sample report would help this review;
we've seen nothing impressive yet.

-) Do you offer the option of performing Distributed Metastasis?

“No, not really. This is my decision as in a previous life I got walked
out of Bell Atlantic Mobile (Verizon Wireless) using this technique
when I compromised their Unix infrastructure by compromising the rlogin
function (on all Unix servers, across all data centers). There is no
substitute for experience, especially bad ones!”

It sounds like Michael
has a difficult time sticking to the scope of work. Any time anyone
performs Distributed Metastasis (pivoting from a compromised host to
attack the systems that trust it) it should be built into the scope of
work first. If it is not, then do not perform the testing, because it
is invasive and will get you into trouble. This is a big negative point
in our eyes, as it's critical that providers are able to adhere to the
scope of work for each specific engagement.

-) What is your background with relation to information security?

“Too long, too boring. Yeah, got the CISSP (nice vocabulary test), but
had to as I worked for DOD. Got a number of Certifications (I have a
stack almost an inch thick and only get into them about once a year to
throw another couple on top of the previous ones - too much alphabet
soup for me, but bosses and customers like it). Spoke at a number of
European conferences, but found too many people did not understand a
word I was talking about, so I got tired of that and quit that scene.
My outlook on security has changed, to the point that I will advise
customers of their risk, attempt to make it practical - but if they
make a conscious choice not to listen - I do not fret over it.”

It sounds like Michael is a corporate security guy and has no
experience as a hacker. Certifications hold little to no water when it
comes to real IT security. What does hold water is experience, and
from what we can tell, Michael has no real hacker experience.

-) Do you resell third party technologies?

“No, but kind of
wished that we would. I think that it would help with sales.”

We don't think that it is a good idea for Professional IT Security
Providers to sell third party technologies, specifically because they
become biased towards a specific technology and push that technology as
a method of remediation when better methods might already exist.

-) Can you tell me why the EIP is important?

“The EIP controls an application's execution. If an attacker can modify
the EIP while it is being pushed on the stack then the attacker *could*
execute their own code and create a thread (aka. a buffer overflow
condition exists). I had a good refresher this past year at Blackhat
with a course run by Saumil Shah - he had an interesting buffer overflow
for the Linked-In client.”

The EIP is the Instruction Pointer register of the 32-bit x86
architecture (RIP on x86-64); it holds the address of the next
instruction the CPU will execute. User input never writes EIP directly.
What an attacker overwrites is a value that the CPU will later load into
it, most commonly the saved return address that a stack buffer overflow
reaches when it runs past the end of a local buffer, so that the
function's ret instruction jumps wherever the attacker chose. Once the
flow of control can be redirected this way, in most cases it can be
turned into execution of arbitrary code on the targeted system. Hackers
use this to penetrate vulnerable systems.

-) Can you define a format string exploit?

"A format string
exploit leverages what is considered a programming bug. If input is not
sanitized, an attacker can perform calls to the stack; read, write, etc.
without knowing details about the EIP."

Unfortunately this answer isn't accurate or detailed enough, as almost
all software vulnerabilities are the result of user input that is not
properly sanitized or validated. A format string vulnerability occurs
when attacker-controlled input reaches a C formatting function such as
printf() as the format argument itself, rather than as data, and that
input contains format tokens (%x, %s, %n and so on). Hence the name.
The function interprets the tokens: each conversion consumes an
argument the caller never passed, so %x reads words off the stack, %s
reads memory through whatever pointer happens to sit there, and %n
writes the number of characters output so far to an address the
attacker can plant on the stack inside the same string. Sometimes this
can be used to write arbitrary data to arbitrary memory locations. The
EIP isn't the only valuable memory location: a saved return address is
one target, and GOT entries and function pointers are others.

If you’ve managed to get this far, then you’ve survived reading
Michael’s answers to our questions. We’re not going to spend much more
time writing this review, because by now we’ve formed our opinion. We
did take a quick look at the PlanNetGroup’s website and, as with their
people, we were not the least bit impressed.

Our opinion of the PlanNetGroup is that they’d have a hard time hacking
their way out of a wet paper bag. Their security expert is not an
expert by our standards, as he did not properly answer any of our
questions or help to define any of their services. We’re pretty sure
that the PlanNetGroup could run Nessus and offer basic vulnerability
assessment services. We’re also pretty sure that they could offer IT
services at some level. But we’d hardly call them subject matter
experts and wouldn’t recommend their services to anyone.

If you are using the PlanNetGroup's services and feel that we have not
given them a fair review then please comment on this post. We will
consider your comments. We have to say that Jim and Michael were both
very polite, friendly, and respectful, but we can’t let their kind
nature impact our opinion of their service delivery capabilities. We
think that they should sit down and try to define their services
properly. We also think that they should hire an ethical hacker with
real world experience if they intend to protect anyone.

[Score Card image]
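The two technical questions at the end of the interview, the EIP question and the format string question, worked through in one added C example. This is not code from the original post, from PlanNetGroup or from anyone interviewed. The 32-bit stack frame layout, the addresses (0x08048400 as the legitimate return address, 0xdeadbeef as the attacker's choice) and the sample format strings are all constructed for the demonstration; the frame is modelled in a struct rather than by corrupting the real stack so that the program runs deterministically, and the format string part only ever executes the defined "%%" case, describing the "%x" and "%n" cases in comments instead of running them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- 1. Why the EIP matters: a stack overflow reaching the return address ----
 * Model of a 32-bit x86 frame (constructed for this example): the local buffer
 * sits lowest, the saved EBP and the saved return address just above it. On
 * `ret` the CPU pops saved_ret into EIP, so whoever writes saved_ret decides
 * where execution continues. */
struct frame {
    unsigned char buf[16];      /* the function's char buf[16] */
    unsigned char saved_ebp[4]; /* caller's frame pointer */
    unsigned char saved_ret[4]; /* return address, little-endian like x86 */
};

#define LEGIT_RET 0x08048400u   /* constructed: where the caller resumes */

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* The bug: `len` input bytes are copied into the 16-byte buffer with no bounds
 * check. Returns the address `ret` would then jump to. The copy goes through a
 * byte pointer over the whole frame so the compiler cannot assume the write
 * stayed inside buf; the clamp only keeps this *model* memory-safe, a real
 * function has no clamp and the overflow keeps going up the stack. */
uint32_t return_address_after_copy(const unsigned char *input, size_t len) {
    struct frame f;
    unsigned char *raw = (unsigned char *)&f;
    memset(&f, 0, sizeof f);
    put_le32(f.saved_ebp, 0xbffff000u);
    put_le32(f.saved_ret, LEGIT_RET);
    if (len > sizeof f) len = sizeof f;
    memcpy(raw + offsetof(struct frame, buf), input, len);   /* no bounds check */
    return le32(f.saved_ret);
}

/* Classic payload: 16 bytes fill buf, 4 bytes cover saved EBP, then the 4-byte
 * address the attacker wants in EIP. Returns the address `ret` ends up using. */
uint32_t hijacked_return_address(uint32_t target) {
    unsigned char payload[sizeof(struct frame)];
    memset(payload, 'A', 20);
    put_le32(payload + 20, target);
    return return_address_after_copy(payload, sizeof payload);
}

/* ---- 2. Format string: attacker data used as the format itself ----
 * Walks a string the way printf would, counting conversion specifiers and
 * flagging %n, the one directive that writes to memory. */
int count_conversions(const char *s, int *has_write) {
    int n = 0;
    *has_write = 0;
    while (*s) {
        if (*s++ != '%') continue;                 /* ordinary character */
        if (*s == '%') { s++; continue; }          /* "%%" is a literal '%' */
        while (*s && strchr("-+ #0123456789.*hlLqjzt", *s)) s++; /* flags/width/length */
        if (!*s) break;                            /* dangling '%' at end */
        if (*s == 'n') *has_write = 1;
        n++;
        s++;
    }
    return n;
}

int conversions_in(const char *s)      { int w; return count_conversions(s, &w); }
int has_write_directive(const char *s) { int w; count_conversions(s, &w); return w; }

/* Vulnerable: user input IS the format. Every conversion consumes an argument
 * the caller never passed, so "%x" leaks stack words and "%n" writes through
 * a pointer found there. Only called below with "%%", whose effect is defined. */
int render_vulnerable(char *out, size_t n, const char *user) {
    return snprintf(out, n, user);          /* gcc -Wformat-security flags this line */
}

/* Hardened: the format is a literal, user input is only ever data. */
int render_safe(char *out, size_t n, const char *user) {
    return snprintf(out, n, "%s", user);
}

/* 1 if the vulnerable path changed the text, i.e. treated it as a format. */
int interpreted_as_format(const char *user) {
    char a[64], b[64];
    render_vulnerable(a, sizeof a, user);
    render_safe(b, sizeof b, user);
    return strcmp(a, b) != 0;
}

int main(void) {
    printf("ret after 5-byte input:  0x%08x\n",
           return_address_after_copy((const unsigned char *)"hello", 5));
    printf("ret after 24-byte payload: 0x%08x\n", hijacked_return_address(0xdeadbeefu));
    printf("\"%%08x.%%08x.%%n\": %d conversions, writes=%d\n",
           conversions_in("%08x.%08x.%n"), has_write_directive("%08x.%08x.%n"));
    printf("\"50%%%% done\" interpreted as format: %d\n", interpreted_as_format("50%% done"));
    return 0;
}
```

Build with gcc -Wall -Wformat-security and run it. The warning on render_vulnerable is the compile-time check worth wiring into a build, and the fix is always the same shape as render_safe: the format is a literal and user data travels through %s.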
--
Posted By secreview to Professional IT Security Providers - Exposed at
1/20/2008 04:21:00 PM
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/