[GRLUG] PCI v1.2 Compliance.

Thu Dec 11 14:33:15 EST 2008

Greg - First things first... take a deep breath.  I can almost feel  
your annoyance from here.

On Dec 10, 2008, at 6:29 PM, Greg Folkert wrote:

> be wrned, my reply is long and could have been orders of magnitude
> longer.
>>>
>
> Of course, the penetration tester asked for a username and password on
> these machines and the ports the consoles were running on. And I  
> didn't
> give them to him.
>
> I gave him a Debian SID machine with a minimal install (but a public
> interface and a private interface with SSHD running on the public side
> only), with out any obvious way to get things onto the machine. No  
> FTP,
> no SCP (ssh client stuff), no wget, no curl... in fact the only thing
> available was netcat and a few other "networking" tools left around.  
> He
> called me immediately and asked that I install this and that with a
> smattering these things with a compiler and other nice to haves. I  
> said:
> "No, you are the penetration tester. I gave you a machine that I'd  
> place
> on the Internet straight and I even gave you tools I'd typically not
> leave on the machine."
>
> He reported us as non-compliant, I challenged that declaration. I  
> won as
> I was able to demonstrate the idiot wasn't a good penetration  
> tester. He
> had a public interface *WIDE* open and a Private Interface *WIDE*  
> open.
> With no IPTABLES loaded, no routing or forwarding ability. Effectively
> an SSH relay machine with SSH turned off on the private side. I used
> netcat and a combo of the tools on the machine to GET a compiler, a  
> set
> of rootkits, a remote command daemon and other things installed.
> Including libraries and many other things needed for compiling. I then
> went on and installed apache2, MySQL, nessus and other pieces to scan
> the interior network and also nmap to sweep the network. All from HIS
> account, without ever using root. I even found the IDS and other
> monitoring machines and the logging server (though I couldn't get to
> them as things are configured for access). All in all it took about 4
> hours longer to get everything installed and compiled in his  
> userdir...
> but it all worked and like a charm.
>
> By the way... Don't use TrustWave as a PCI QSA (or whatever its  
> called).
> Hint Hint.
>

I find that part the most interesting of all.  It sounds like you gave  
the tester the keys to the castle and he/she went right ahead and  
shoved them up their ass for lack of knowing what to do with them.   
Not being at a company that has any publicly facing anything from this  
office I don't have any experience with pen testers.  Are they  
typically this bad?  Are they mostly just script kiddies that need a  
windows box to run an automated test from?  That situation is  really  
slightly scary/sad in the end.  After you proved your point did you go  
out and find another pen testing firm worth their salt?

Where do you work?  It sounds like you've got some fun stuff going on  
(even if it is being ultra scrutinized at this point).