January 24th, 2005, 02:42 PM
#1
Junior Member
Security testing, 100% legit
Hello,
I didn't quite know in which forum to place this post; mods, you are welcome to move it to an appropriate forum..
anyway...
We are planning a new production server on our network, but before we go live, we would like to test its security.
Therefore we have put it on a separate net, we would like YOU to try rooting the box and give us feedback on your findings.
The following attacks are not allowed:
DoS/DDoS attacks
To kill the server :)
We would really appreciate your help/efforts.
You are free to try any techniques you want, except those listed above.
So, go ahead and test your skills ;)
Send mail to this address: dsedse05-at-start.no, or PM, for further information about the IP etc.
Thank you for your interest.
-
January 24th, 2005, 02:59 PM
#2
What you are asking is very risky for both your company and the individuals who would help you. You don't know me, or anything about me. I could possibly penetrate your system, install some backdoors and then tell you how I penetrated your system. Later, when you are online, I would own you, because I would have my backdoors.
On the other hand, you could have something go totally wrong with your system, and come back at me for damaging it, by trying to penetrate it.
Why don't you go to a company that is designed to do penetration testing, set it up completely legally, and get a professional report on your system?
Trying to save money by having one or more of us do it for you is opening up all of us to problems no one needs.
"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
Author Unknown
-
January 24th, 2005, 04:12 PM
#3
I have to agree with Moxnix on this and go a little further: Just because you say it's legit doesn't make it so, particularly online. Try looking for companies like KPMG or CGI as they both do network auditing. You might even contact a company like IBM. Additionally, posting for a listing of companies on the Pen-Test list of Securityfocus.com might get you some contacts specifically in your local area.
This is something you need to do on a person-to-person basis.
-
January 24th, 2005, 05:02 PM
#4
Pen-testing, done properly, is a full-blown, all-out attack against the server/environment in question...whether brute force or on the stealth-down-low. In either case, it can (should?) set off alarms and notifications (cue klaxons and the Lost in Space robot "Danger! Danger, Will Robinson!") if you are protected properly. Most professional, legitimate pen-testers will have a legal agreement with the owner of the systems, indicating they are authorized to perform said testing, and it might go into detail of who-what-when-where-how, or it might be more open-ended...but in either case, it is a "Get out of jail free" card.
Anything else is simply foolish and almost certainly illegal. To come here and ask in this manner may seem like a good idea to you, but to the professionals among us, it's a low-level insult (do you have any friends who are doctors? Do you ask them about your ailments, rather than make an office appointment and pay the fee?). To the others among us (no offense...I didn't want to say "the non-professionals"), it's a HUGE risk. Regardless of your claims that it is legit and requirements that they email you for details, this could very easily be an attempt to dupe someone else into attacking a start.no (or other) service.
Security Newbies...take note. While I am not actively accusing dsedse05 of anything at this time, you should be seeing red flags and thinking "social engineering".
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
January 24th, 2005, 06:40 PM
#5
Ha! zencoder
do you have any friends who are doctors? Do you ask them about your ailments, rather than make an office appointment and pay the fee?
Well they certainly don't seem to have any qualms when it comes to me and their computers
dsedse05
One thing that hasn't been mentioned: if you get this sort of work done by an assortment of anonymous people on the internet, you have no formal contractual agreement or liability. You would have no idea if the job had been done professionally or not, what had been tested and so on. I would advise you to at least cover your rear end in that respect.
just a thought
-
January 24th, 2005, 07:24 PM
#6
One thing that hasn't been mentioned: if you get this sort of work done by an assortment of anonymous people on the internet, you have no formal contractual agreement or liability. You would have no idea if the job had been done professionally or not, what had been tested and so on. I would advise you to at least cover your rear end in that respect.
Yes. If you shout on the streets only idiots will answer 
Just to reinforce nihil's argument: no serious security consultant will do a penetration test without a contract.
Doing it without one is a shortcut to jail.
Every time I've joined a penetration test there was a contract covering our "rear end". And even with those we got in trouble sometimes.
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to break.
-
January 24th, 2005, 08:13 PM
#7
Originally posted here by nihil
Ha! zencoder
Well they certainly don't seem to have any qualms when it comes to me and their computers
As well you SHOULD bother them, then. Next time they ask, describe your carpal-tunnel-like symptoms and ask if they can give you a referral to a specialist, but you really don't want to bother with seeing the regular MD beforehand.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
January 25th, 2005, 02:21 PM
#8
Zen:
but you really don't want to bother with seeing the regular MD beforehand.
Hmmm.... He's bypassing the "virtual MD" by coming to me, isn't he? He should be talking to my help desk first....
Dsed: You won't get anyone sensible to pen-test your network this way. Will you delineate the deliverables, lay down attack parameters against each available resource, lay out the windows of time for the test to take place? Probably not. What happens if the person who "has a go" at it trashes your server? You're getting yourself into a large legal issue by going this route. It's expensive for a reason...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides