Penetration Testing mailing list archives

Re: [PEN-TEST] PBX Security


From: "Mark L. Jackson" <sincity_mark () INAME COM>
Date: Thu, 5 Oct 2000 00:56:38 -0700

<quote> It's unfair to use a known back-door when pen-testing.  The
back-door on Norstar is pretty hard to stumble across, but it is nice to
know the default passcodes, and test for things like that.  Good luck!
</quote>

I am sure everyone out there wanting to break into a system will play fair!

If it is open and I know about it, someone with less-than-honorable
intentions does also, and they would not hesitate to use it. I will use it.
Does not mean that the testing should stop there.


If it is known (heck, or even if you are the only one who knows it), why is
it unfair? If you were able to find it, via social engineering, why can't a
hacker? The way I look at it, if a back-door has a hard coded (or unchanged
default) method for allowing access, then it is a security hole. Isn't that
what a Pen-Test is supposed to uncover?

Some people I have run into think that Pen-testing is about finding new and
innovative ways to break in. I disagree. Pen-Testing is about finding holes,
PERIOD.

My opinion is that if you do not use what is known to you (and others) you
are not doing your job. Besides, how do you know it will work until you try
it? Is that not the idea of Pen-testing, finding ALL weaknesses you can?

Mark

