Security testing, 100% legit

  1. #1
    Junior Member
    Join Date
    Jan 2005
    Posts
    1

    Security testing, 100% legit

    Hello,

    I didn't quite know which forum to place this post in; mods, you are welcome to move it to an appropriate forum.

    anyway...

    We are planning a new production server on our network, but before we go live, we would like to test its security.
    Therefore we have put it on a separate net, and we would like YOU to try rooting the box and give us feedback on your findings.

    The following attacks are not allowed:
    DoS/DDoS attacks
    Killing the server : )

    We would really appreciate your help/efforts.

    You are free to try any techniques you want, except those listed above.

    So, go ahead and test your skills ; )

    Send mail to this address, dsedse05-at-start.no, or PM me for further information about the IP etc.

    Thank you for your interest.

  2. #2
    moxnix (Macht Nicht Aus)
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    What you are asking is very risky for both your company and the individuals who would help you. You don't know me, or anything about me. I could possibly penetrate your system, install some backdoors and then tell you how I penetrated your system. Later, when you are online, I would own you, because I would have my backdoors.

    On the other hand, you could have something go totally wrong with your system, and come back at me for damaging it, by trying to penetrate it.

    Why don't you go to a company that is designed to do penetration testing, set it up completely legally, and get a professional report on your system?

    Trying to save money by having one or more of us do it for you is opening up all of us to problems no one needs.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  3. #3
    MrLinus (Just a Virtualized Geek)
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I have to agree with Moxnix on this and go a little further: Just because you say it's legit doesn't make it so, particularly online. Try looking for companies like KPMG or CGI as they both do network auditing. You might even contact a company like IBM. Additionally, posting for a listing of companies on the Pen-Test list of Securityfocus.com might get you some contacts specifically in your local area.

    This is something you need to do on a person-to-person basis.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  4. #4
    zencoder (AO Senior Cow-beller, Moderator)
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Pen-testing, done properly, is a full-blown, all-out attack against the server/environment in question, whether brute force or on the stealth-down-low. In either case, it can (should?) set off alarms and notifications (cue klaxons and the Lost In Space robot: "Danger! Danger, Will Robinson!") if you are protected properly. Most professional, legitimate pen-testers will have a legal agreement with the owner of the systems, indicating they are authorized to perform said testing, and it might go into detail on who-what-when-where-how, or it might be more open-ended, but in either case, it is a "Get out of jail, free" card.

    Anything else is simply foolish and almost certainly illegal. To come here and ask in this manner may seem like a good idea to you, but to the professionals among us, it's a low-level insult (do you have any friends who are doctors? Do you ask them about your ailments, rather than make an office appointment and pay the fee?). To the others among us (no offense... I didn't want to say "the non-professionals"), it's a HUGE risk. Regardless of your claims that it is legit and your requirement that they email you for details, this could very easily be an attempt to dupe someone else into attacking a start.no (or other) service.

    Security Newbies...take note. While I am not actively accusing dsedse05 of anything at this time, you should be seeing red flags and thinking "social engineering".
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    nihil (Senior Member)
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Ha! zencoder

    Originally posted here by zencoder
    do you have any friends who are doctors? Do you ask them about your ailments, rather than make an office appointment and pay the fee?
    Well, they certainly don't seem to have any qualms when it comes to me and their computers.

    dsedse05

    One thing that hasn't been mentioned: if you get this sort of work done by an assortment of anonymous people on the internet, you have no formal contractual agreement or liability. You would have no idea whether the job had been done professionally or not, what had been tested and so on... I would advise you to at least cover your rear end in that respect.

    just a thought

  6. #6
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Originally posted here by nihil
    One thing that hasn't been mentioned: if you get this sort of work done by an assortment of anonymous people on the internet, you have no formal contractual agreement or liability. You would have no idea whether the job had been done professionally or not, what had been tested and so on... I would advise you to at least cover your rear end in that respect.
    Yes. If you shout on the streets, only idiots will answer.

    Just to reinforce nihil's argument, no serious security consultant will do a penetration test without a contract.

    Doing it without one is a shortcut to jail.

    Every time I've joined a penetration test there was a contract covering our "rear end". And even with those, we got in trouble sometimes.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  7. #7
    zencoder (AO Senior Cow-beller, Moderator)
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by nihil
    Ha! zencoder
    Well they certainly don't seem to have any qualms when it comes to me and their computers
    As well you SHOULD bother them, then. Next time they ask, describe your carpal-tunnel-like symptoms and ask if they can give you a referral to a specialist, but you really don't want to bother with seeing the regular MD beforehand.

    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Zen:

    Originally posted here by zencoder
    but you really don't want to bother with seeing the regular MD beforehand.
    Hmmm.... He's bypassing the "virtual MD" by coming to me, isn't he? He should be talking to my help desk first....

    Dsed: You won't get anyone sensible to pen-test your network this way. Will you delineate the deliverables, lay down attack parameters against each resource available, and lay out the windows of time for the test to take place? Probably not. What happens if the person who "has a go" at it trashes your server? You're getting yourself into a large legal issue by going this route. It's expensive for a reason...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
