[GRLUG] PCI v1.2 Compliance.
Colin Vallance
grlug at tankrip.com
Thu Dec 11 14:33:15 EST 2008
Greg - First things first... take a deep breath. I can almost feel
your annoyance from here.
On Dec 10, 2008, at 6:29 PM, Greg Folkert wrote:
> Be warned, my reply is long and could have been orders of magnitude
> longer.
>
> Of course, the penetration tester asked for a username and password on
> these machines and the ports the consoles were running on. And I didn't
> give them to him.
>
> I gave him a Debian SID machine with a minimal install (but a public
> interface and a private interface with SSHD running on the public side
> only), without any obvious way to get things onto the machine. No FTP,
> no SCP (ssh client stuff), no wget, no curl... in fact the only thing
> available was netcat and a few other "networking" tools left around. He
> called me immediately and asked that I install this and that with a
> smattering of these things with a compiler and other nice-to-haves. I
> said: "No, you are the penetration tester. I gave you a machine that I'd
> place on the Internet straight and I even gave you tools I'd typically
> not leave on the machine."
>
> He reported us as non-compliant, I challenged that declaration. I won as
> I was able to demonstrate the idiot wasn't a good penetration tester. He
> had a public interface *WIDE* open and a private interface *WIDE* open.
> With no IPTABLES loaded, no routing or forwarding ability. Effectively
> an SSH relay machine with SSH turned off on the private side. I used
> netcat and a combo of the tools on the machine to GET a compiler, a set
> of rootkits, a remote command daemon and other things installed.
> Including libraries and many other things needed for compiling. I then
> went on and installed apache2, MySQL, nessus and other pieces to scan
> the interior network and also nmap to sweep the network. All from HIS
> account, without ever using root. I even found the IDS and other
> monitoring machines and the logging server (though I couldn't get to
> them as things are configured for access). All in all it took about 4
> hours longer to get everything installed and compiled in his userdir...
> but it all worked like a charm.
>
> By the way... Don't use TrustWave as a PCI QSA (or whatever it's
> called). Hint hint.
>
I find that part the most interesting of all. It sounds like you gave
the tester the keys to the castle and he/she went right ahead and
shoved them up their ass for lack of knowing what to do with them.
Not being at a company that has any publicly facing anything from this
office, I don't have any experience with pen testers. Are they
typically this bad? Are they mostly just script kiddies that need a
Windows box to run an automated test from? That situation is really
slightly scary/sad in the end. After you proved your point, did you go
out and find another pen testing firm worth their salt?
Where do you work? It sounds like you've got some fun stuff going on
(even if it is being ultra scrutinized at this point).