[GRLUG] PCI v1.2 Compliance.

Greg Folkert greg at gregfolkert.net
Thu Dec 11 17:22:30 EST 2008


On Thu, 2008-12-11 at 14:33 -0500, Colin Vallance wrote:
> Greg - First things first... take a deep breath.  I can almost feel
> your annoyance from here.
> 
> On Dec 10, 2008, at 6:29 PM, Greg Folkert wrote:
> 
> > be warned, my reply is long and could have been orders of magnitude
> > longer.
> >
> > Of course, the penetration tester asked for a username and password on
> > these machines and the ports the consoles were running on. And I
> > didn't give them to him.
> >
> > I gave him a Debian SID machine with a minimal install (but a public
> > interface and a private interface with SSHD running on the public side
> > only), without any obvious way to get things onto the machine. No FTP,
> > no SCP (ssh client stuff), no wget, no curl... in fact the only thing
> > available was netcat and a few other "networking" tools left around. He
> > called me immediately and asked that I install this and that with a
> > smattering of these things with a compiler and other nice-to-haves. I
> > said: "No, you are the penetration tester. I gave you a machine that
> > I'd place on the Internet straight and I even gave you tools I'd
> > typically not leave on the machine."
> >
> > He reported us as non-compliant, I challenged that declaration. I won
> > as I was able to demonstrate the idiot wasn't a good penetration
> > tester. He had a public interface *WIDE* open and a Private Interface
> > *WIDE* open. With no IPTABLES loaded, no routing or forwarding ability.
> > Effectively an SSH relay machine with SSH turned off on the private
> > side. I used netcat and a combo of the tools on the machine to GET a
> > compiler, a set of rootkits, a remote command daemon and other things
> > installed. Including libraries and many other things needed for
> > compiling. I then went on and installed apache2, MySQL, nessus and
> > other pieces to scan the interior network and also nmap to sweep the
> > network. All from HIS account, without ever using root. I even found
> > the IDS and other monitoring machines and the logging server (though I
> > couldn't get to them as things are configured for access). All in all
> > it took about 4 hours longer to get everything installed and compiled
> > in his userdir... but it all worked, and like a charm.
> >
> > By the way... Don't use TrustWave as a PCI QSA (or whatever it's
> > called). Hint Hint.
> >
> 
> I find that part the most interesting of all.  It sounds like you gave
> the tester the keys to the castle and he/she went right ahead and
> shoved them up their ass for lack of knowing what to do with them.
> Not being at a company that has any publicly facing anything from this
> office I don't have any experience with pen testers.  Are they
> typically this bad?  Are they mostly just script kiddies that need a
> windows box to run an automated test from?  That situation is really
> slightly scary/sad in the end.  After you proved your point did you go
> out and find another pen testing firm worth their salt?

I gave him effectively a machine that was set up as an SSH relay machine,
except without ssh client stuffs (IOW the actual ssh executable) but with a
few direct tools not normally left on things. I didn't give him the set
of keys... more like a hammer and chisel against a stone door, but the
door also only goes to a REALLY TALL walled hallway with no end.

This Pen-tester was a third-party contractor for this QSA. I don't know
where he got his cred, but I really can tell you that I could do better
than him with my hands tied behind my back and typing with my toes.

> Where do you work?  It sounds like you've got some fun stuff going on
> (even if it is being ultra scrutinized at this point).

I'd rather not say *RIGHT* now as we are being scanned and pen tested
right now.
-- 
greg at gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
Alternate Fingerprint: 455F E104 22CA  29C4 933F 9505 2B79 2AB2