A security Leakage??

[jockey0109]

I agree with you nihil....But let me remind you again...the server ( which seems to have removed,) was a site of the largest Mobile service Provider in INDIA. And anyone who will even think of getting root on that system will not attack with robots...yes, he might design one asfter he come to know all about how to get there. But the attacks on those type of system,s have to be MANUALLY. ANd I think there are still manual aqttacks existing ..... or am I worng?? So it is always bad to show your server details in any manner. And that too when it will be opened by a lot of people some of which might be CRACKERs???

Peace.

[HTRegz]

Originally posted here by nihil
Hmmmm,

It is really a question of degrees, is it not?.................... after all, you can safely assume that 80% or more of computers on the net are running some flavour of Windows, and that this will be 98SE or later.



Windows 2000 Pro SP4, fully patched as of August 2006

Does that help you?................not really

What would potentially be of use would be what services and applications I am running?

However, I still maintain that the majority of attacks these days are of a robotic nature, at least at their inception. Consequently, information on my OS is irrelevant, as it is never gathered. The bot only wants to know if the exploit works......................it really does not care why

The operating system and applications/services go hand in hand in my books... If everyone was as robotic as you state then Pen Testers would be out of a job... Why have someone pen test by hand when no one else is doing that... Highly unlikely... the skiddies out there are running automated scripts and yes they account for a decent number of attacks but there's more serious stuff out there... and those are the things that people should be worried about protecting themselves from.... and I'm not necessarily talking about people at home.. I'm talking about businesses... Is it good that I know that 8 months ago CIBC was using Windows NT on all of their ATMs? I wouldn't think so...

Peace,
HT

[nihil]

Hey, jockey~ please think about this:

The bigger they are, the more open they are?................ After all, your guys aren't going to be running Windows 95 are they?

If you checked out the "job opportunities" part of their website, you would find what they are using? or they would be boasting about it in their general information section?

The operating system and applications/services go hand in hand in my books... If everyone was as robotic as you state then Pen Testers would be out of a job

Yes, this is about to happen....................... if you don't believe me, have a word with TH-13 who has commented to that effect already?

It is bot vs bot my friend

[HTRegz]

Originally posted here by nihil
Hey, jockey~ please think about this:

The bigger they are, the more open they are?................ After all, your guys aren't going to be running Windows 95 are they?

If you checked out the "job opportunities" part of their website, you would find what they are using? or they would be boasting about it in their general information section?



Yes, this is about to happen....................... if you don't believe me, have a word with TH-13 who has commented to that effect already?

It is bot vs bot my friend

Pen testers will never be out of work... it's not bot vs bot... I can never solely be bot vs bot... Let's take the PCI certification

There are two requirements

1) Automated Scanning
2) Pen Test...

Why would you need to be scanned with a product by Tenable, Qualys, nCircle, Rapid7, etc and also get a Pen Test if pen testing was becoming obsolete?

If it was a world of bot vs bot we wouldn't have AV Vendors with security researches and signature writers, we wouldn't have reverse engineers, we wouldn't haev pen testers, we wouldn't have a number of people we currently have.. but if you feel it's entirely robotic with no need for people.. Feel free to tell that to H.D. Moore, Dave Aitel, Pedram Amini, eEye, iDefense and everyone else...

Yes there will be more automation in the future on the "white hat" side of the fence... but it will never be to the extent that you describe.. If it was entirely bot based that companies would also get rid of Quality Analysts and all Quality Control positions.. because they wouldn't need them... and that will also never happen..

There's a reason why bots and skiddies aren't nearly as dangerous in the security community as "black hats"... because their automated attacks are easily detectable... that's why it will never progress to pure bot vs bot.

[nihil]

Why would you need to be scanned with a product by Tenable, Qualys, nCircle, Rapid7, etc and also get a Pen Test if pen testing was becoming obsolete?

Hah! define need

Obviously somebody has to design and write the "bots" just as people have to determine vulnerabilities and exploits.............. and people have to write the applications and operating systems that permit them.

Most organisations are in the happy position that they do not merit individual and specific attack. For them the botniks are the real and present danger. Let's face it, criminals are percentage players who are doing it for the money rather than the glory or reputation?

We are in an interesting position in IT history, in that we are using operating systems and applications that are based on designs from a previous era. If I were a young person today, and planning a career in IT, I would not expect that situation to remain for the next 40 years.

Hey, back in the old days we used to have chimney sweeps................. where would you find one of those today?

[HTRegz]

Originally posted here by nihil
Hah! define need

Obviously somebody has to design and write the "bots" just as people have to determine vulnerabilities and exploits.............. and people have to write the applications and operating systems that permit them.

Most organisations are in the happy position that they do not merit individual and specific attack. For them the botniks are the real and present danger. Let's face it, criminals are percentage players who are doing it for the money rather than the glory or reputation?

We are in an interesting position in IT history, in that we are using operating systems and applications that are based on designs from a previous era. If I were a young person today, and planning a career in IT, I would not expect that situation to remain for the next 40 years.

Hey, back in the old days we used to have chimney sweeps................. where would you find one of those today?

You can't use a time frame of 40 years in IT but at the same time you can... IT isn't like other fields,,, the speed of progression is much faster but there are also fallback points..

As far as define need... it is REQUIRED in order to process credit card payments... that's what need is...

I'm actually talking to TH13 while I write this... we've decided that you need to sit down and rethink things a little... Determine the difference between Vulnerability Assessment and Penetration Testing.. figure out what they both are.. how they work and then come back and have this chat.

Peace,
HT

[RoadClosed]

Pen testers won't be out of work.l.. unfortunately. Although most are hacks. (meaning they don't know jack).

But thanks to regulatory and more regulatory action in government, they are still safe. IDS? That could be another story.... I have been highly debating it's significance in the modern (meaning current) network. With intelligent firewalls, high speed packet shaping/recording, access filtering, Spam gateways, and a host of the modern crop of Internet Servers, it just seems well silly to have a dedicated IDS system.

Pen testing though - gotta have it for any number of certification processes in business. At least in North America.

//EDIT oh and when the hammer falls... you better have a nice shiny (current) pen test of your configuration or the ass is on a platter. Who wants their ass on a platter served with chips?