Re: Fwd: Penetration test of 1 IP address

[Bob Radvanovsky <rsradvan () unixworks net>]

Believe it or not, many things that pen-testers and/or social engineers do are the "obvious" things.  Things that are 
oblivious to most people, sometimes, are not-so oblivious to those who exist in a frame of mind that is "outside" from 
everyone else's.

Maybe this will put things into a slightly different perspective that perhaps you could relate to, or even appreciate.  
In school (high school, college, technical school -- it doesn't matter), have you ever worked on a homework or lab 
assignment that had you *stumped*, only to ask, either the teacher of the class or a fellow classmate, for some help, 
they come in, look at your configuration or the method/approach that you're taking, only then to type/write something 
down in a matter of seconds?

Sometimes, you need someone who's not immersed or engrossed in whatever your clients or environment has you bottled up 
in.  Also, it takes a certain mindset to be able to view things from this perspective, and some would even argue that 
it's genetic (born with a "gift" versus learned within an environment).  I tend to think that it combines a little of 
both, taking into account people who have an ability -- a gift (if you will) -- that can perceive concepts from either 
a wwwwwiiiiiiidddddeeeee perspective, then suddenly, at a moments notice, shift their train of thought to something 
more tightly focused, only later go back to the wide-angle perspective again.

Many people, many companies would like you to think that a "child" is what's behind most attacks, and some would argue 
ostensibly, that it is a group of children performing such acts.  But what many fear, yet never state, is that often 
times, there's a "mastermind" at work, that controls, manipulates, an endoctrinates these children into performing 
whatever acts they do.  To some, they feel that they're doing this to (as you put it) get famous, others want to get 
rich quickly, whereas some think that they're performing an act that they don't see as wrongful ("evil") acts.  It is a 
known fact in psychology that children -- up to certain age groups -- have abilities of perception, comprehenson, 
understanding and mental mechanics -- that far surpass most adults.  And thus drawing upon a conclusion that (for sake 
of simplicity) the acts performed, either negatively or positively (it depends on who's performing what) is mere 
"childs play".

I would garner you this challenge.  Put yourself (or attempt to) into a frame of mind similar to what has been 
discussed here, then ask yourself a single, yet importantly decisive question: "How would <xxx> perform such a task?"  
If you can answer that, then perhaps, you have a naturally-born gift for such levels of creativity that places such as 
the NSA, CIA or various intel groups would *love* to hire you!!!  I've known children who have mathemtical capabilities 
that would boggle even the best of mathematicians, and yet -- to them -- everything appears "easy" to them.

Having been "on both sides of the fence", I can tell you that it isn't easy.  I started college at age 14 -- well 
before I was even finished with jumior high school -- and well on my way while I was still *in* high school!  Does that 
make me smart?  Not really.  I just had a knack -- an ability -- to see things *differently* -- than most other people 
did at that time.  This was in the late 1970's/early 1980's.  Times have changed since then, and not for the better, 
either.  If you are thinking that tasks such as these are easy, you now need to think of the consequences that are 
(now) often times associated with such tasks.  Yes, I'm talking about "bureaucracies" (possibly beyond even your worst 
nightmarish perceptions of "Red Tape Hell" or "Paperwork Purgatory"), not to mention thinking of legal (libel) 
consequences.  Many people on this discussion group (myself included) who wish to continue working -- freely -- as a 
citizen, and thus, offer *some* consul, but not to the point of where they could be held liable for their actions or 
suggestive content.

Bob Radvanovsky, CISM, CIFI, REM, CIPS
"knowledge squared is information shared"
rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
(630) 673-7740 | (412) 774-0373 (fax) 

----- Original Message -----
From: Brian Loe [mailto:knobdy () gmail com]
To: pen-test () securityfocus com
Subject: Fwd: Penetration test of 1 IP address


> Every time I see one of these e-mails the first question that pops
> into my mind is, "where do I get a customer like that?!"
>
> The second thing that pops into my mind is that it can't be a "real"
> job - that its most likely some high school kid who wants to be
> famous, but not smart enough to figure out how.
>
> I'm not a security "expert". I've never done a pen test. However,
> everything that has been suggested, I already knew how to do - and
> would have known to do it.
>
> On 2/9/06, Levenglick, Jeff <JLevenglick () fhlbatl com> wrote:
> > That's right.. Legal software. I wonder what would happen if this person
> > was not legit and
> > The company found out that all of the people on this list helped him?
> >
> > Or better yet. (as I stated before) This person does not have the
> > background or knowledge to give this company
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner: 
>
> Hackers are concentrating their efforts on attacking applications on your 
> website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
>
> futile against web application hacking. Check your website for
> vulnerabilities 
> to SQL injection, Cross site scripting and other web attacks before hackers
> do! 
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------