Penetration Testing mailing list archives
Re: [PEN-TEST] Online Security Vulnerability Services
From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Wed, 23 Aug 2000 09:50:20 -0700
Here is the issue behind Gibson Research: it is a nice little tool to validate open ports, but if an organization is routed through a NAT, it has some issues. Also the same with Online Security Vulnerability Services: how would they rate utilizing RFC1918 versus some legitimate addressing scheme? What is their logic behind which is better and why, or which is worse and why? They must put a lot of effort into researching what products are interoperable with what and why the particular products are the correct choice for the particular organization.

/mark

At 12:33 PM 8/23/00 -0400, Jason Sheffield wrote:
Mark,

I have actually had Gibson Research's (www.grc.com) downloadable client used against me (previous job with an international telecom) to scan hosts visible to the Internet. I was a lone PIX admin with the job of tracking down possible intrusion attempts. All that it requires is that you have a dual NIC'ed (or modem and NIC) host and you assign one of your interfaces the IP of the box you are trying to scan. The client will ask which IP of your "LOCAL" machine you would like to scan, and voila, you have an anonymous port scanner at your fingertips. All sniffer traces point right back to GRC, and stop there. Nice "feature", don't you think?

My personal experience is that I don't trust them to do a complete job, and I know that a lot of unknowing users on the Internet trust these online scanners to give them that "nice, warm, fuzzy feeling" about security. Big mistake, as complacency makes you drop your guard. Besides, who knows what sorts of data these scanners collect on the back end.

Just my $.02

Regards,
Jason

-----Original Message-----
From: Teicher, Mark [mailto:mark.teicher () NETWORKICE COM]
Sent: Monday, August 21, 2000 7:09 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Online Security Vulnerability Services

Has anyone checked them out? Who would you recommend? Are Online Security Vulnerability services any different from penetration and attack testing?

/thanks in advance for the info
/mark