Re: Re: Re: Re: Password cracking algorithm

On top of this manual testing, we also run two vulnerability analysis tools, Nessus and Retina. Nessus is freeware, you're welcome to check it out, Retina has a bit of a hefty price tag.

I've used Nessus off and on for quite a few years now, thanks :).

Reliable enough that at that current point in time where the audit is taking place I'd be at least 95% sure that we caught everything.

95% is a HUGE distance away from looking for ALL exploits(it's probably the last fraction of a percent that bites you though :p). I hope you don't think I am implying that it is possible to find everything, I know better. The trouble is your client doesn't know better, and it is a dangerous thing to tell him.

This is true of any situation where you as a business are marketing yourself to someone whom you are technically superior too.

Yes, but in your position you have to be extra careful with what you say. I have no idea what your actual skill level is, I only have what I read here to go on. All I am saying is that you need to pick your words more wisely... If you will make statements like that to us, who know you are stretching the truth, I can only assume you are making similar claims to your clients(who probably believe every word without question).

Then I'd love to do an audit for you! You'd be doing part of my work.

I'll take by that statement you haven't audited any large shops? :) It is always my job to, at the very least, make sure any of my machines are as secure as possible.

Hope this clears some things up. I never thought I'd be defending my business at posting this, but such is the nature of my business.

I certainly hope you don't think I've been replying to you under the assumption that you are a cracker looking for help breaking passwords. Whether you are or not, I hope the info in these replies will be useful for someone reading it even if it isn't you :).

I have been severely disappointed my MANY so-called 'security experts', ALL of which were from one of the big consulting firms. The way I see it, I know a good deal about the security of the systems that I own... When I hear a security consultant make mistakes related to MY hardware, I assume he will make similar mistakes where I have less knowledge. (boy that didn't feel like a good sentence :p)

I hope you are taking all this information constructively. You are only making the same mistakes every security consultant I have dealt with makes... Except the one that really bugs me... When they make a HUGE deal about a very minor security risk, yet completely ignore gaping holes(specifically password expiration schedule for a domain, vs. an intranet application storing plain text passwords in a database).

In any situation, I will likely be looked upon as a hacker first, and an aspiring security professional last.

Good luck! You are chasing a very rapidly moving target in the security world :).

Comment on Re: Re: Re: Re: Password cracking algorithm

Replies are listed 'Best First'.
Re: Re: Re: Re: Re: Password cracking algorithm by SyN/AcK (Scribe) on Jul 23, 2003 at 00:00 UTC
95% is a HUGE distance away from looking for ALL exploits(it's probably the last fraction of a percent that bites you though :p). I hope you don't think I am implying that it is possible to find everything, I know better. The trouble is your client doesn't know better, and it is a dangerous thing to tell him. Well, I guess it depends on how you look at it. I make it clear to all of my clients that securing them today does not mean they will be secure tomorrow. I stress that its an ongoing process, I try to convince them to join lists like bugtraq, I inform them of tools like Nessus that can help them. When I say 95%, I'm taking into account those vulnerabilities that haven't been established as plugins yet, as well as any vulns that aren't on the network at that time. I stress to all of my clients that our initial tests are just a snapshot of the network, which could potentially be changing based on what machines are on, and what services are on. I try to stress to them that during the audit period, all of the machines should be on so that its as complete as possible. So in that sense, I don't think that the portion we are missing is that significant. It is as you say though, the fraction of a percent that you miss is the one that bites you in the ass. ;P I have a saying though, "If you want a network that's 100% secure, unplug your computers from the wall." I stress that we try to bring a measure of security above that of what they already have. Half the battle is making the client aware of all the potential problems they have now, and how those will continue in the future unless they take active steps to make themselves secure. If you will make statements like that to us, who know you are stretching the truth, I can only assume you are making similar claims to your clients(who probably believe every word without question). I'm not sure exactly which comments you are referring to. Besides, I'm not trying to sell you guys anything. In a business environment, I never claim something I can't back up. That's why my business has been successful. I have a good reputation that I would not tarnish. I'll take by that statement you haven't audited any large shops? :) It is always my job to, at the very least, make sure any of my machines are as secure as possible. Actually I've done mostly medium to large networks, although I have not actually done an audit on a company that had a security department. I do not know if you have a security department or not. Actually, I've found in the larger companies that I've audited, they're more apt to just set me off on my own. The admins are either to busy to worry about the security all the time, or not capable. I think its awesome though that your company relies on you to make sure your machine is secure. I try to instill this with the audit, I try to stress that workers as well as the admins be aware of patches and things that come out. I have been severely disappointed my MANY so-called 'security experts', ALL of which were from one of the big consulting firms. The way I see it, I know a good deal about the security of the systems that I own... When I hear a security consultant make mistakes related to MY hardware, I assume he will make similar mistakes where I have less knowledge I think this is a fair assumption. I feel comfortable with my skills, I have not yet been in a situation where I dealt with someone who knew more on the subject than I. If I was put into that situation, I would not be afraid to make someone in charge of the dealings aware of the situation and suggest that the person may do well to help in the audit. I would be comfortable with that. I'm not going out there to prove I know more than someone, I do the best job I can, and if someone has positive input, or knows more than I, I would admit it, and hope to bennefit from the knowledge I gained from that person. hope you are taking all this information constructively. You are only making the same mistakes every security consultant I have dealt with makes... Except the one that really bugs me... When they make a HUGE deal about a very minor security risk, yet completely ignore gaping holes(specifically password expiration schedule for a domain, vs. an intranet application storing plain text passwords in a database). Yes, I didn't look on these particular comments as a negative. If anything, arguing for my skills and my business is just like what happens when I go in to negotiate with a client. I've never gone into a dealing where the person there said, "Oh we've heard so much good stuff about you, you really must know what you are doing."... What I hear is, "Oh we've heard good things about you, but we have a lot of questions for you." Good luck! You are chasing a very rapidly moving target in the security world :). Thank you! I appreciate the kind words and the suggestions.	[reply]

Replies are listed 'Best First'.

Re: Re: Re: Re: Re: Password cracking algorithm
by SyN/AcK (Scribe) on Jul 23, 2003 at 00:00 UTC

Well, I guess it depends on how you look at it. I make it clear to all of my clients that securing them today does not mean they will be secure tomorrow. I stress that its an ongoing process, I try to convince them to join lists like bugtraq, I inform them of tools like Nessus that can help them. When I say 95%, I'm taking into account those vulnerabilities that haven't been established as plugins yet, as well as any vulns that aren't on the network at that time. I stress to all of my clients that our initial tests are just a snapshot of the network, which could potentially be changing based on what machines are on, and what services are on. I try to stress to them that during the audit period, all of the machines should be on so that its as complete as possible. So in that sense, I don't think that the portion we are missing is that significant.

It is as you say though, the fraction of a percent that you miss is the one that bites you in the ass. ;P I have a saying though, "If you want a network that's 100% secure, unplug your computers from the wall." I stress that we try to bring a measure of security above that of what they already have. Half the battle is making the client aware of all the potential problems they have now, and how those will continue in the future unless they take active steps to make themselves secure.

If you will make statements like that to us, who know you are stretching the truth, I can only assume you are making similar claims to your clients(who probably believe every word without question).

I'm not sure exactly which comments you are referring to. Besides, I'm not trying to sell you guys anything. In a business environment, I never claim something I can't back up. That's why my business has been successful. I have a good reputation that I would not tarnish.

I'll take by that statement you haven't audited any large shops? :) It is always my job to, at the very least, make sure any of my machines are as secure as possible.

Actually I've done mostly medium to large networks, although I have not actually done an audit on a company that had a security department. I do not know if you have a security department or not. Actually, I've found in the larger companies that I've audited, they're more apt to just set me off on my own. The admins are either to busy to worry about the security all the time, or not capable. I think its awesome though that your company relies on you to make sure your machine is secure. I try to instill this with the audit, I try to stress that workers as well as the admins be aware of patches and things that come out.

I think this is a fair assumption. I feel comfortable with my skills, I have not yet been in a situation where I dealt with someone who knew more on the subject than I. If I was put into that situation, I would not be afraid to make someone in charge of the dealings aware of the situation and suggest that the person may do well to help in the audit. I would be comfortable with that. I'm not going out there to prove I know more than someone, I do the best job I can, and if someone has positive input, or knows more than I, I would admit it, and hope to bennefit from the knowledge I gained from that person.

hope you are taking all this information constructively. You are only making the same mistakes every security consultant I have dealt with makes... Except the one that really bugs me... When they make a HUGE deal about a very minor security risk, yet completely ignore gaping holes(specifically password expiration schedule for a domain, vs. an intranet application storing plain text passwords in a database).

Yes, I didn't look on these particular comments as a negative. If anything, arguing for my skills and my business is just like what happens when I go in to negotiate with a client. I've never gone into a dealing where the person there said, "Oh we've heard so much good stuff about you, you really must know what you are doing."... What I hear is, "Oh we've heard good things about you, but we have a lot of questions for you."

Good luck! You are chasing a very rapidly moving target in the security world :).

Thank you! I appreciate the kind words and the suggestions.

[reply]