
Re: whitehat



--- Alvin Oga <aoga@mail.Linux-Consulting.com> wrote:
> questions for you
> - what else is in the goals for the security test, where I'm not
>   using audit, pen-test, assessments and other "security words"

Just to see if you can get in, that's all.

> - what is the consequence if some whitehat/grayhat/blackhat/malicioushat
>   does get into the box, what is the process/procedure/consequences
>   and follow up costs to cleanup vs shutdown/change the product line

Not much, frankly. The idea here is to have someone that is not malicious, but is skilled, to attempt to crack the box. If they can, I'd like to know how. The box is not running a full production application at the moment, there is zero valuable data on it. Also, see below...

1. How do we know Mr Black is who he says he is?

You are free to contact both me (by phone or email), and my provider, Aktiom Networks: info@aktiom.net and ask them about me. I have provided a complete sig with an address, phone number, business name, etc. Do a search for my name and 'binarycloud', I appear a lot. Uhm, come to my office and meet me if you're in the bay area, CA :)

2. How can we confirm the machine details he supplies are actually details of a machine that he owns?

See response to #1

3. How can I prove that he is not actually a skid trying to learn how to crack a debian box (which he has set up) so that he can then go on to crack some he has ssh passwords to after successfully brute forcing some on a network somewhere.

Security by obscurity has never proven very useful, and if I was a wannabe-skriptkiddie, one would think I wouldn't post here claiming to be who I am, provide a phone number, and... there are a lot better places for me to look if I was interested in that.

1. How will you know that whoever replies to your email isn't a lurking cracker. I am sure there are plenty on this list considering the topic.

I will ask them to sign a contractor agreement with my company, which requires a fax. I will ask for references, which are hard to construct from nothing. I will offer payment, which requires details of an address, phone number, and social security number. It's really not that hard.

2. In the event that they are, is the machine sufficiently isolated that it being compromised will not affect the rest of your or anyone else's network.

Yes. Also the idea is not to offer the machine as a honeypot. I want an individual, or preferably an individual associated with an organization, to attempt to crack a box with my permission under the terms of a contract. So the idea is not to crack a box and then see if they can launch a DDoS with it - just to see if they can get in.

3. Do you have a procedure to wipe the machine after the tests are done in a timely fashion. You asked for a summary of what took place on the machine, perhaps you should be monitoring the activity on the machine yourself.

No, DUH really? I thought I would just have someone do the test and not bother to login to the machine and watch what's happening. I'm a total n00b idiot and I'm looking for a l33t haxx0r to teach me evv43t1ng I nned to kn0.

The whole point of the test will be for me to monitor what's happening in cooperation with the whitehat, but not offer any resistance to the attack. My threshold for success is that the config is not crackable by itself, without any defense or assistance from me as root during an attack, even though in a "real" attack I would act as such.

I think I've sealed the config so tight that it is not vulnerable to any known/public exploits, and besides all the happy scanning tools and all that, I'd like to have the opinion of someone with excellent knowledge of debian security.


*** Please cc me on any responses.  ***

thanks,

_alex


--
alex black, founder
the turing studio, inc.

510.666.0074
root@turingstudio.com
http://www.turingstudio.com

2600 10th street, suite 635
berkeley, ca 94710
