Penetration Testing mailing list archives

Re: Looking for help against Chinese Hacking Team


From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Mon, 15 Dec 2008 14:55:49 -0500

Hi there,
The real problem here is that you don't know what you are doing (yet). Let me pad that by saying that you're clearly not a security expert and as such you shouldn't be expected to know how to solve this problem. The solution is simple though, especially if you're dealing with SQL Injection. Before I give you the solution for free (which is posted all over the web) I'll ramble on a bit.

First, when you went through your "waves" of security experts, what was your decision criteria? I'll admit that there are not very many real "experts" out there and that there are a lot of fraudulent ones. A real expert would have provided you with a solution to your problem immediately while some of the others (on this list too) have no clue what they are doing. Unfortunately, most of your Certified Ethical Hackers also don't have a clue (certifications are political and not always a real representation of talent).

Why am I taking the time to write this? Well honestly I am sick and tired of the bad name that these "Fake" security experts are giving to real experts. They offer "penetration tests" that start at $500.00, or Web Application Security Assessments that start at $700.00 when it is IMPOSSIBLE to do either at those prices.

The fact of the matter is that your average and real "security expert" will have a man hour rate of about 190-350 an hour. The average "good" web application penetration test will take more than 10 hours to do. That does not include time to write reports, to do research, to analyze unique issues, or to do a lot of the other manually intensive work that needs to be done to do the work properly. Can that all be done for $500.00? You do the math.... (the answer is no). Generally speaking if you are asking for an application assessment you're going to spend over $10,000.00. If you're not then you're getting ripped off.

So anyway, the solution to your problem is as follows:

1-) Your problem appears to be that you suffer from exploitable SQL Injection Vulnerabilities.
2-) Your solution is to implement Parameterized Stored Procedures in conjunction with strong input and data validation.

Check out http://www.owasp.org as a reference, or you can hire my team to do a kick-ass job and get you locked down good and tight. You most probably have many other risks that you are unaware of that can be dealt with by the right team. If you have any questions I'm a big proponent of free advice.

From: harveyfrank <joet () ticadvisors com>
Date: December 12, 2008 19:59:19 EST
To: pen-test () securityfocus com
Subject: Looking for help against Chinese Hacking Team


We've been battling the Chinese for several months now and have gone through several waves of US security experts who have failed to stop them. In their defense, we are not on an unlimited budget and they've gotten us to a point where it looks as though somewhere among the site's 400 scripts is a SQL injection vulnerability.

Automated testing by a few pen test products seems to think we're fine. We definitely are not.

Is it possible to hire a CEH to find the Chinese-discovered vulnerability for a few hundred dollars? (We aren't just being cheap, we've blown our wad on security that hasn't worked.) Would someone with intimate knowledge of the latest wave of Chinese attacks be required for this job? Besides our first rate security team that's just been beat, I've tried the $200 pen test folks and they have all failed. Microsoft security help has also failed.

Advice (Besides porting to Linux)? Help?
--
View this message in context: 
http://www.nabble.com/Looking-for-help-against-Chinese-Hacking-Team-tp20986210p20986210.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



Adriel T. Desautels
ad_lists () netragard com
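The fix Adriel describes (parameters plus input validation), as an added example that is not code from this thread. It assumes a small Python/SQLite login lookup standing in for one of the site's scripts, and uses parameterized queries rather than the stored procedures he mentions, since SQLite has none; the table and rows are constructed sample data.

```python
import re
import sqlite3


def build_db():
    # Constructed in-memory sample database (not from the original thread).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Dynamic SQL built by string concatenation: whatever the user types
    # becomes part of the statement, so quotes in the input change its logic.
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    # Parameterized query: the driver binds the values as data, so the
    # statement's structure is fixed no matter what the input contains.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Allow-list for usernames: letters, digits, underscore, bounded length.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def login_hardened(conn, username, password):
    # Validation in front of the parameterized query rejects input that can
    # never be a legitimate username and bounds the password length.
    if not USERNAME_RE.match(username) or not 1 <= len(password) <= 128:
        return []
    return login_parameterized(conn, username, password)
```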





