Message-Id: <20080121164036.D72222003A@mailserver7.hushmail.com>
Date: Mon, 21 Jan 2008 11:40:36 -0500
From: "SecReview" <secreview@...hmail.com>
To: <nate.mcfeters@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Professional IT Security Providers - Exposed] PlanNetGroup ( F )
Nate,
Your email was constructive and much appreciated. We'll go over
the review a second time and incorporate some of your suggestions.
Thank you for taking the time to provide so much good feedback.
On Mon, 21 Jan 2008 02:07:50 -0500 Nate McFeters
<nate.mcfeters@...il.com> wrote:
>SecReview,
>My 2 cents on your review, although I will try to be nicer than
>you were to
>the reviewee. I'm completely skipping your section where you
>talked to the
>non-technical person, that's not even fair... sorta like reviewing
>a
>consulting group based on their website alone... oh shit, I forgot
>you guys
>do that too.
>
>Your comments on Question 1:
>
>We're not impressed with Michael's answer. First off we have no
>idea what
>the hell this means: "Depending on time and availability, we will
>work on
>finding any new vulnerability if we generate an anomaly of
>interest." And we
>totally disagree with "Currently, the focus is primarily on
>discovering new
>Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat
>on,
>compared to Oracle." In fact, whatever is being described above
>doesn't
>sound anything like a vulnerability assessment, we're not sure
>what kind of
>service it is.
>
>The first portion "Depending on time and availability..." I don't
>understand
>what your confusion is. Basically the responder is saying that
>he's willing
>to do what the client will pay him for. Consulting is not a
>cookie-cutter
>gig, so sometimes clients want you to spend 5 minutes running
>scans, some
>want you to fuzz a proprietary protocol for as long as it takes.
>I
>personally don't think either end of the extreme is of value to
>the client,
>but you can hardly fault the respondent for delivering what the
>client asks
>for.
>
>The second, I don't agree the overall focus is on Oracle, but if
>you read
>the news (ZDnet, eWeek), or if you follow the conferences (HITB
>Malaysia 2007
>great Oracle presentation), then you will know that Oracle is
>catching a bit
>of the limelight. Besides that, I don't think you are qualified
>to say what
>exactly a vulnerability assessment is... if the client is paying
>you to
>assess their database servers, then that is a vulnerability
>assessment of
>their database servers and that is what the work is. Different
>clients have
>different needs, and there are different specialty consulting
>groups to help
>meet those... can hardly fault him if his specialty is databases.
>
>Your Comments on Question 2:
>
>>>trying to be cute with your "Again, carefully!" bullshit?
>
>Come on guys... imagine you get called by a group of people asking
>to assess
>your company and you don't know who they are, wouldn't you try to
>befriend
>them if possible? A little professionalism would go a long way to
>improving
>your reviews.
>
>>>A penetration test is not "Anything Goes!"
>
>Umm... sorry guys, there is plenty of cause for performing a
>Denial of
>Service test. Keep in mind that availability is a large portion
>of what
>security is about. I don't think he's talking about using a bot
>net to try
>to take them down.
>
>>>it doesn't sound like Michael knows how to perform IDS evasion
>testing.
>Using a proxy is >>not going to help anyone evade detection, it
>will just
>help them to hide their IP address.
>
>Hmm... well, you're partially right. I suppose that if he had
>enough proxy
>servers and kept his scans very focused, he "might" be able to get
>around an
>IDS. In any case, not all clients want IDS evasion performed...
>for
>instance, they may want to test their incident response, or, they
>may allow
>the consulting group through the IPS/IDS in an effort to save on
>time and
>costs.
>
>Your response to question 3:
>
>>>From the answer above, it looks like they like the same tools as
>most
>people. That said, >>we've seen no proof of talent from anyone at
>PlanNetGroup yet. So we're near certain that >>their deliverables
>ARE the
>product of automation.
>
>If they are the same tools that everyone uses, how can you knock
>them for
>that? It seems to me that a group starts with a score of 0 in
>your book,
>and then if they impress you they get points. If you don't ask
>the right
>questions, I don't see how they could impress you. I concede, it
>is
>certainly possible that they have no skills, and that they use
>automation,
>but I don't think it is fair to say that at this point of the
>review.
>
>Your response to question 4:
>
>>>Whoa, it takes too much time to create a fake deliverable? Well
>that's one
>way to get out >>of it, but we don't buy it. Either way, at this
>point we
>don't feel that a sample report would >>help this review, we've
>seen nothing
>impressive yet.
>
>Ever tried to do so? It does take a while, and it is risky. If
>you miss
>sanitization and release results of one of your clients you could
>get sued.
> Perhaps given the context of the investigation he didn't want to
>give you
>an old report and it would take too long and too much of his
>billable time to
>actually get this to you. That's not unreasonable. You aren't
>paying him.
> Again with the comments of nothing impressive yet. You are
>asking generic
>questions, how could anything be impressive? It's a phone call or
>email and
>you are asking questions that almost all consulting groups should
>have
>relatively the same answers to... I see nothing impressive in that
>at all.
>
>Your response to question 5:
>
>>>It sounds like Michael has a difficult time sticking to the
>scope of work.
>Any time anyone >>performs Distributed Metastasis it should be
>built into a
>scope of work first. If it is not, >>then do not perform the
>testing because
>it is invasive and will get you into trouble. This is >>a big
>negative point
>in our eyes as it's critical that providers are able to adhere to
>the scope
>>>of work for each specific engagement.
>
>I actually agree with most of this, but then again, as long as he
>doesn't go
>over the client's budgetary and time constraints and is providing
>the
>customer with value, I have no problem with going outside of scope
>as long
>as the client does not. Also, I don't know that it is a big
>negative as you
>say.
>
>Your response to question 6:
>
>>>It sounds like Michael is a corporate security guy and has no
>experience
>as a hacker.
>Bit of a blanket statement I'd say, but OK, let's assume you are
>correct
>>>Certifications hold little to no water when it comes to real IT
>security.
>Agreed, but you are totally putting words into his mouth. He
>basically says
>the same thing by calling the CISSP a definition test. Why do
>that? Most
>people in security have the certs... most realize they are worth
>nothing and
>don't really test tech knowledge, but instead test business
>knowledge.
>>>What does hold water is experience and from what we can tell,
>Michael has
>no real hacker >>experience.
>Please define "no real hacker experience". If you mean he isn't
>31337 like
>you guys, then OK. BTW, most clients aren't just paying for "real
>hacker
>experience" they're also paying for the business side, i.e. what
>is my risk,
>how can I mitigate, etc. A good team has both people.
>
>On your response to question 7:
>
>Do you resell third party technologies?
>
>>>We don't think that it is a good idea that Professional IT
>Security
>Providers sell third party >>technologies. Specifically because
>they become
>biased towards a specific technology and >>push that technology as
>a method
>of remediation when better methods might already exist.
>Agreed. But that said, what if your third-party tech. has nothing
>to do
>with the main thrust of your consulting work? The question is
>pretty vague.
>
>On your response to question 8 and 9:
>
>Ok, I'll buy that you have cookie cutter definitions from google
>of those
>flaws and that his definitions don't fit. I'll even buy that you
>make a
>good point when you say EIP overwrite is not the only method of
>exploitation
>(especially these days), but I'm wondering what you expected.
>Should he
>have rattled on and on about how to exploit b0f in an XP SP 2
>environment?
> Talk to you at length about DEP? Bit ridiculous expectations.
>Hell, while
>you're at it, why didn't you ask him about integer overflows?
>Off-by-one/few/many exploits? Heap overflows? Why not have him recite
>the Heap Feng Shui method to you? What about double free flaws, dangling
>pointers,
>etc. etc. etc. Let's be serious here, unless you are contracted
>by
>Microsoft or another major software vendor, you probably don't pay
>the bills
>by doing your own research, so... does this really matter? Sure,
>it's
>great... I'd like to know that consultants I was paying top dollar
>to knew
>about this, but if he comes on site and spends 3 weeks trying to
>find an
>integer overflow, I'm going to be pissed.
>
>Disclaimer:
>I'm not a client of PlanNetGroup. Also, I don't think what you
>are trying
>to do is a terrible thing, there's lots of snake oil being sold in
>the
>commoditized security market out there, but I disapprove of your
>professionalism and your methods. Also, I believe the list is
>still waiting
>for you to credentialize yourself/yourselves. That still doesn't
>seem to be
>grasped here. Look, if you're someone people respect, then maybe
>people
>will buy your reviews, but somehow I doubt that is the case. I'm
>basing
>that view off of the content of your website and the fact that you
>still
>have not credentialized yourself as the list called for so long
>ago. Do
>that, and I will re-review my review of your reviews.
>
>Nate
>
>On Jan 20, 2008 7:17 PM, secreview <secreview@...hmail.com> wrote:
>
>> The PlanNetGroup is a Professional IT Security Services Provider
>located
>> at http://www.plannetgroup.com.
>One of our
>> readers requested that we perform a review of the PlanNetGroup,
>so here it
>> is. It is important to state that there isn't all that much
>information
>> available on the web about the PlanNetGroup, so this review is
>based mostly
>> on the interviews that we performed.
>>
>> The PlanNetGroup was founded by Jim Mazotas of Ohio USA
>according to this Affirmative
>> Action Verification Form <http://odnapps01.odn.state.oh.us/das-eod/EODBMSDev.nsf/d881c0c739c3c9b985257344004f1929/c3e323de1df5162b8525735d00607a6d?OpenDocument>.
>> We called Mr. Succotash and spoke with him for about an hour
>about his
>> company, here's what he had to say.
>>
>> When we spoke with Jim Mazotas we asked him how he defined a
>Penetration
>> Test. His answer wasn't really an answer at all but rather was a
>bunch of
>> technical words strung into sentences that made no sense. Here
>is what he
>> said for the most part. We can't give you an exact quote because
>he
>> requested that some of the information related to clients, etc
>be kept
>> confidential.
>>
>> "We get to target object, where we go with that is based upon
>the client's
>> comfort level. We grab banner information, backend support
>information, and
>> other kinds of information. During a penetration test we most
>will not
>> penetrate. Most mid level companies will not want penetration."
>– Sanitized
>> Quote from Jim
>>
>> Not only do we not understand what Jim said, but he'd be better
>off saying
>> "I don't know" next time instead of looking like an idiot and
>making up an
>> answer. This goes for all of you people that get asked technical
>questions.
>> If you say "I don't know" at least you won't look like a fool.
>Anyway.
>>
>> When we asked Jim to define a Vulnerability Assessment, we
>became even
>> more flustered. Again his answer was like a politician trying to
>evade a
>> question with a bunch of nonsensical noise. Again, we've
>sanitized this at
>> Jim's request.
>>
>> " A Vulnerability Assessment is more a lab based environment
>type test.
>> Analyze servers and all nodes that are a true vital asset to the
>company and
>> assess the vulnerability in a very planned out manner. This is
>done in a lab
>> based environment." – Sanitized Quote from Jim
>>
>> Again, next time say "I don't know" because now you look like an
>idiot.
>> Nobody expects you to know everything, but when you make shit up
>and try to
>> fool people, it's insulting. To be fair to Jim, he did say that
>he was not
>> technical, but we didn't get technical here. As the founder of
>the business
>> he should at least know what his different service boundaries
>are and how
>> his services are defined.
>>
>> When we asked Jim if his team performed Vulnerability Research
>and
>> Development, he said that they did not have the time because
>they were
>> "fully booked". His primary customer base includes state
>government and a
>> few private sector businesses. Unfortunately, we can't disclose
>who his
>> exact customers are. He did say that he provides Network
>Management Services
>> and Wireless Management services for many of his clients. Sounds
>more IT
>> related than Professional Security related.
>>
>> When we finished with our call to Jim we asked him if he'd be
>kind enough
>> to give us contact information for someone more technical in his
>company. He
>> told us that he'd be happy to arrange a call with someone. At
>the end, we
>> didn't end up calling anyone but instead shot a few emails back
>and forth.
>> The rest of this review is based on those emails.
>>
>> We decided to ask the same questions to Jim's technical expert.
>We know
>> who his expert is, but we assume that he wants to stay anonymous
>because he
>> signed his email with "Jason Bourne". So for the sake of this
>interview
>> we'll call him Michael. Here's the email from Michael:
>>
>> -) How do you perform your vulnerability assessments?
>>
>> "* Carefully! :) Typically, we will work with the customer to
>define the
>> scope of the assessment; limitations to OS, Network Equipment,
>Web
>> Server, etc. This could be a combination of components
>(depending on
>> scope), the real goal ultimately with this is to assess the
>patching
>> effort of a customer. Depending on time and availability, we
>will work
>> on finding any new vulnerability if we generate an anomaly of
>interest.
>> Currently, the focus is primarily on discovering new Oracle
>> vulnerabilities - as MS SQL 2K5 is more difficult to beat on,
>compared
>> to Oracle. Within vulnerability assessments, we disregard any
>attempts
>> to evade IDS, IPS, etc."
>>
>> We're not impressed with Michael's answer. First off we have no
>idea what
>> the hell this means: "Depending on time and availability, we
>will work on
>> finding any new vulnerability if we generate an anomaly of
>interest." And we
>> totally disagree with "Currently, the focus is primarily on
>discovering new
>> Oracle vulnerabilities - as MS SQL 2K5 is more difficult to beat
>on,
>> compared to Oracle." In fact, whatever is being described above
>doesn't
>> sound anything like a vulnerability assessment, we're not sure
>what kind of
>> service it is.
>>
>> -) How do you perform your penetration testing?
>>
>> * Again, carefully! The definition that I use with customers is -
>
>> Anything Goes! In addition to attempting to locate missing
>patches,
>> vulnerable IOS's, applications, etc - we will perform an
>assortment of
>> timed attacks, attempt to spoof trusted connections, or even
>perform
>> social engineering - like dropping a few pre-trojan'd usb data
>sticks
>> outside of a customer service area, a data center, etc. The only
>thing
>> that we do not perform, typically, is denial of service style or
>type of
>> attacks. We have had only one customer that we felt was in the
>position
>> to handle such a test and it was performed against their
>disaster
>> recovery infrastructure, not production."
>>
>> Michael, why are you trying to be cute with your "Again,
>carefully!"
>> bullshit? A penetration test is not "Anything Goes!", if that's
>how you
>> define it then I don't want you anywhere near any of my
>networks. And why
>> the hell would you perform a Denial of Service attack against
>anyone?
>> Everybody can be knocked offline if you fill up their pipe. You
>scare us
>> man!
>>
>>
>> -) How do you perform evasive IDS testing?
>>
>> "* We use a series of proxy servers to attempt to perform basic
>hacking
>> techniques; port scans, blatant attacks, etc. We are typically
>going to
>> look for TCP resets as a means to evaluate if IDS is present and
>> possibly to find if IDS performs blocking activity. Often times,
>if a
>> system in a trusted DMZ can be compromised and used as a proxy
>> (exploiting a relationship or rule within a firewall) or an SSH,
>SSL,
>> encrypted tunnel can be established to a server behind the IDS
>sensor
>> then we can successfully pull off an attack without the
>customers
>> security staff even knowing."
>>
>> It doesn't sound like Michael knows how to perform IDS evasion
>testing.
>> Using a proxy is not going to help anyone evade detection, it
>will just help
>> them to hide their IP address. If the target network or
>application is being
>> protected by an IPS device, then the IP that they are attacking
>from will be
>> shunned just the same. So, we understand that the PlanNetGroup's
>expert
>> hasn't a clue as to how to evade IDS. (Michael, did you get your
>answer from
>> Google?)
>>
>> -) What tools do you favor?
>>
>> "* We really do not favor any tools. The focus of our effort
>(Assuming we
>> are performing a pen-test or assessment) is to analyze a
>situation and
>> choose the best tool for the end result or compromise. I will
>use commercial
>> applications, such as AppScan, WebInspect, even ISS. There are
>however
>> plenty of freeware, low-cost tools that we use; nmap, nessus,
>metasploit -
>> ultimately, I find that an internet browser and a telnet prompt
>will suffice
>> for much of the testing. It ultimately gets back to interpreting
>the results
>> and adjusting the testing accordingly. We make it a point to try
>out new
>> freeware tools on every assignment. The more tools that we know
>of and can
>> test with opens our options if in the future a situation best
>suited for a
>> tool presents itself."
>>
>> Every business that delivers security services has a set of
>tools that
>> they use. These tools change from business to business, but
>common ones are
>> nessus, webinspect, CANVAS, Core Impact, Metasploit, etc. From
>the answer
>> above, it looks like they like the same tools as most people.
>That said,
>> we've seen no proof of talent from anyone at PlanNetGroup yet.
>So we're near
>> certain that their deliverables ARE the product of automation.
>>
>> -) Can you provide us with sample deliverables? (sanitized)
>>
>> "* No, too much time. Even to sanitize creates an opportunity
>for a
>> liability in the event that a customer name is exposed ...
>accidents do
>> happen! I will say that we do not take dumps from applications
>and
>> regurgitate the information on paper. We limit our executive
>summary to 6
>> pages at most and attempt to keep the entire report limited to
>25 pages in
>> total. Our goal with a deliverable is to get the precise
>information to the
>> key stakeholders so that they can make a decision."
>>
>> Whoa, it takes too much time to create a fake deliverable? Well
>that's one
>> way to get out of it, but we don't buy it. Either way, at this
>point we
>> don't feel that a sample report would help this review, we've
>seen nothing
>> impressive yet.
>>
>> -) Do you offer the option of performing Distributed Metastasis?
>>
>> "* No, not really. This is my decision as in a previous life I
>got walked
>> out of Bell Atlantic Mobile (Verizon Wireless) using this
>technique when I
>> compromised their Unix infrastructure by compromising the rlogin
>function
>> (on all Unix servers, across all data centers). There is no
>substitute for
>> experience, especially bad ones!"
>>
>> It sounds like Michael has a difficult time sticking to the
>scope of work.
>> Any time anyone performs Distributed Metastasis it should be
>built into a
>> scope of work first. If it is not, then do not perform the
>testing because
>> it is invasive and will get you into trouble. This is a big
>negative point
>> in our eyes as it's critical that providers are able to adhere to
>the scope
>> of work for each specific engagement.
>>
>> -) What is your background with relation to information
>security?
>>
>> "* Too long, too boring. Yeah got the CISSP (nice vocabulary
>test), but
>> had to as I worked for DOD. Got a number of Certifications (I
>have a stack
>> almost an inch thick and only get into them about once a year to
>throw
>> another couple on top of the previous ones - too much alphabet
>soup for me,
>> but bosses and customers like it. Spoke at a number of
>> European conferences, but found too many people did not
>understand a word
>> I was talking about, so I got tired of that and quit that scene.
>My outlook
>> on security has changed, to the point that I will advise
>customers of their
>> risk, attempt to make it practical - but if they make a
>conscious choice not
>> to listen - I do not fret over it."
>>
>> It sounds like Michael is a corporate security guy and has no
>experience
>> as a hacker. Certifications hold little to no water when it
>comes to real IT
>> security. What does hold water is experience and from what we
>can tell,
>> Michael has no real hacker experience.
>>
>> -) Do you resell third party technologies?
>>
>> "* No, but kind of wished that we would. I think that it would
>help with
>> sales."
>>
>> We don't think that it is a good idea that Professional IT
>Security
>> Providers sell third party technologies. Specifically because
>they become
>> biased towards a specific technology and push that technology as
>a method of
>> remediation when better methods might already exist.
>>
>> -) Can you tell me why the EIP is important?
>>
>> "* The EIP controls an application's execution. If an attacker
>can modify
>> the EIP while it is being pushed on the stack then the attacker
>*could*
>> execute their own code and create a thread (aka. a buffer
>overflow condition
>> exists). I had a good refresher this past year at Blackhat with
>a course run
>> by Saumil Shah - he had an interesting buffer overflow
>> for the Linked-In client."
>>
>> The EIP is the Instruction Pointer for the x86 architecture. The
>purpose
>> of the EIP is to point to the next instruction in a particular
>code segment.
>> If the EIP can be overwritten then the flow of control of an
>application can
>> be changed. In most cases this can lead to the execution of
>arbitrary code
>> on the targeted system. Hackers use this to penetrate vulnerable
>systems.
>>
>> -) Can you define a format string exploit?
>>
>> "* A format string exploit leverages what is considered a
>programming
>> bug. If input is not sanitized, an attacker can perform calls to
>the
>> stack; read, write, etc without knowing details about the EIP."
>>
>> Unfortunately this answer isn't accurate or detailed enough as
>almost all
>> software vulnerabilities are the result of user input that is
>not properly
>> sanitized or validated. A format string condition occurs when a
>user inserts
>> a format token into a C based application and that input is not
>properly
>> sanitized. Hence why it is called a format string vulnerability.
>When that
>> input hits a function that performs formatting, such as printf()
>the input
>> is interpreted in accordance with the format tokens. Sometimes
>this can be
>> used to write arbitrary data to arbitrary memory locations. The
>EIP isn't
>> the only valuable memory location.
>>
>>
>>
>>
>> If you've managed to get this far, then you've survived reading
>Michael's
>> answers to our questions. We're not going to spend much more
>time writing
>> this review because by now we've formed our opinion. We did take
>a quick
>> look at the PlanNetGroup's website and as with their people, we
>were not the
>> least bit impressed.
>>
>> Our opinion of the PlanNetGroup is that they'd have a hard time
>hacking
>> their way out of a wet paper bag. Their security expert is not
>an expert by
>> our standards, as he did not properly answer any of our
>questions or help to
>> define any of their services. We're pretty sure that the
>PlanNetGroup could
>> run nessus and offer basic vulnerability assessment services.
>We're also
>> pretty sure that they could offer IT services at some level. But
>we'd hardly
>> call them subject matter experts and wouldn't recommend their
>services to
>> anyone.
>>
>> If you are using the PlanNetGroup services and feel that we have
>not given
>> them a fair review then please comment on this post. We will
>consider your
>> comments. We have to say that Jim and Michael were both very
>polite,
>> friendly, and respectful, but we can't let their kind nature
>impact our
>> opinion of their service delivery capabilities. We think that
>they should
>> sit down and try to define their services properly. We also
>think that they
>> should hire an ethical hacker with real world experience if they
>intend to
>> protect anyone.
>>
>> Score Card (Click to Enlarge)
>>
>>
>>
>> <http://bp2.blogger.com/_VcwqM25xL9M/R5PxN8GqVTI/AAAAAAAAACU/D7T4RSQlSXs/s1600-h/96YV5X.jpeg>
>>
>> --
>> Posted By secreview to Professional IT Security Providers - Exposed
>> <http://secreview.blogspot.com/2008/01/plannetgroup-f.html> at 1/20/2008 04:21:00 PM
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
Regards,
The Secreview Team
http://secreview.blogspot.com
--
Professional IT Security Service Providers - Exposed
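The format string condition that the quoted review describes (a user-supplied format token reaching printf() unsanitized), as an added example that is not code from any message in this thread: the vulnerable logging pattern beside its fixed form, plus a defensive check that flags conversion tokens in untrusted input. The function names are hypothetical.

```c
/* Added example, not code from any message in this thread. It shows the format
 * string bug the review describes: untrusted input used directly as the printf()
 * format, beside the fixed form, plus a defensive check for conversion tokens.
 * Function names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern, kept as a comment so this file never executes it:
 *
 *     void log_message_vulnerable(const char *msg) {
 *         printf(msg);            // msg itself becomes the format string
 *     }
 *
 * Because the user's text is the format template, a token such as %x makes
 * printf() read arguments from the stack that were never passed, and %n makes
 * it write a byte count to an address taken from the stack. That is the
 * read/write capability the review mentions, and the EIP is only one of the
 * locations such a write can be aimed at. */

/* Fixed form: the format string is a constant and the user's text is only an
 * argument, so any tokens it contains are printed literally. Returns what
 * snprintf() returns; passing out = NULL and outlen = 0 just queries the length. */
int log_message_safe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "[log] %s\n", msg);
}

/* Check that the safe form leaves the message untouched: formats msg and
 * reports whether the output still contains it verbatim, tokens included. */
bool logged_literally(const char *msg)
{
    char buf[256];
    log_message_safe(buf, sizeof buf, msg);
    return strstr(buf, msg) != NULL;
}

/* Defensive check for input validation or log review: does the string contain
 * a '%' that printf() would treat as a conversion specifier? "%%" is an escaped
 * percent sign and is ignored; a lone trailing '%' is flagged because printf()
 * behaviour on it is undefined. */
bool contains_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" prints a single '%' */
            p++;
            continue;
        }
        return true;                /* "%x", "%n", "%s", ... or a stray '%' */
    }
    return false;
}

int main(void)
{
    /* Constructed sample inputs: one benign, one carrying format tokens. */
    const char *inputs[] = { "100%% done", "AAAA%x%x%x%n" };
    char buf[128];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        log_message_safe(buf, sizeof buf, inputs[i]);
        printf("%s%s", buf,
               contains_format_directive(inputs[i])
                   ? "  -> contains a format directive; reject or escape it\n"
                   : "  -> no format directive\n");
    }
    return 0;
}
```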