-
March 30th, 2005, 02:21 AM
#1
Senior Member
Blind Penetration Test
I found this article on governmentsecurity.org, found it interesting and informative, so here it is.
Life is a shipwreck but we must not forget to sing in the lifeboats. ~Voltaire
-
March 30th, 2005, 09:29 AM
#2
What a bunch of useless crap.
"Blind penetration tests" part symptom of bad information security management part euphemism for l33t h4x0rz wet dream.
Think about it, what use is a "blind penetration test"? For any company wishing to run a pen test, they should define what to test and the expected results beforehand. The testing team should have a high level of knowledge (on a need-to-know basis of course, with considerations of a separation of duties, otherwise you may be asking for trouble, especially if you are a pen test service provider) of the targeted system; this ensures the most efficient (read fastest and least expensive) audit but the most comprehensive.
cheers,
catch
-
March 30th, 2005, 01:34 PM
#3
Indeed. What penetration test? They're only doing some basic noninvasive recon stuff. The only "active" part of this document is the traceroute/nmap. Big deal. Any serious security professional should be able to do this blindfolded.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
March 30th, 2005, 01:39 PM
#4
Just as an FYI, I spoke with GSecur and he wanted me to pass on that the document was never completed. (one of those "intended to but real life interfered"). I think, however, that a blind penetration test may have some value to find those things you don't know about or wouldn't think about. If all tests are done by those who know how things work, then they know what to expect or where to look.
If, however, it's done by someone who doesn't know, they will look and poke in more places and may find things that were overlooked by those who are used to the existing system.
Just my take/opinion.
-
March 30th, 2005, 01:47 PM
#5
MsM: That's the reason why you should never test your own stuff. You know how it's built and will test along the same lines. Testing should be done by someone who has absolutely no idea on how you did it or how it works.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
March 31st, 2005, 02:35 AM
#6
Reiteration
penetration testing:
The portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users.
- Glossary of Computer Security Terms
http://www.radium.ncsc.mil/tpep/libr...CSC-TG-004.pdf
cheers,
catch
-
March 31st, 2005, 05:47 AM
#7
Gsecur hasn't impressed me with anything that I could label as 'legitimate' yet.
This document only adds to that opinion (or lack thereof). To be honest, I think it's like choosing to reinvent the wheel when there is no good reason to. catch said it, it's a skiddie circle-jerk disguised as a "white paper".
I do these for a living. This is *NOT* how you go about it, and continue to offer this service as a legitimate, trusted company.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
March 31st, 2005, 06:34 AM
#8
Member
Originally posted here by SirDice
MsM: That's the reason why you should never test your own stuff. You know how it's built and will test along the same lines. Testing should be done by someone who has absolutely no idea on how you did it or how it works.
I partly disagree, here is why. You are right about knowing your own system and knowing what security issues you may or may not have. But also knowing or not knowing would give you more time to search in other areas of your computer for vulnerabilities. If you know that you are very secure with exploits of certain programs, the next best thing is to try to find other ways into your system and patch up.
You should always take a second opinion, so to speak, about your workings, in case you miss something. But someone has to test these things on a computer before commencing to reach out over a network and trying it on someone else.
-
March 31st, 2005, 06:41 AM
#9
I agree that you should always get a second opinion on your work. Sometimes people get too close to their projects and lose that objective point of view you need. It's not on purpose, but it is much easier for you to look and see how something -should- work, but ignore how it is -actually- working.