On top of this manual testing, we also run two vulnerability analysis tools, Nessus and Retina. Nessus is freeware, you're welcome to check it out, Retina has a bit of a hefty price tag.
I've used Nessus off and on for quite a few years now, thanks :).
Reliable enough that at that current point in time where the audit is taking place I'd be at least 95% sure that we caught everything.
95% is a HUGE distance away from looking for ALL exploits(it's probably the last fraction of a percent that bites you though :p). I hope you don't think I am implying that it is possible to find everything, I know better. The trouble is your client doesn't know better, and it is a dangerous thing to tell him.
This is true of any situation where you as a business are marketing yourself to someone whom you are technically superior too.
Yes, but in your position you have to be extra careful with what you say. I have no idea what your actual skill level is, I only have what I read here to go on. All I am saying is that you need to pick your words more wisely... If you will make statements like that to us, who know you are stretching the truth, I can only assume you are making similar claims to your clients(who probably believe every word without question).
Then I'd love to do an audit for you! You'd be doing part of my work.
I'll take by that statement you haven't audited any large shops? :) It is always my job to, at the very least, make sure any of my machines are as secure as possible.
Hope this clears some things up. I never thought I'd be defending my business at posting this, but such is the nature of my business.
I certainly hope you don't think I've been replying to you under the assumption that you are a cracker looking for help breaking passwords. Whether you are or not, I hope the info in these replies will be useful for someone reading it even if it isn't you :).
I have been severely disappointed my MANY so-called 'security experts', ALL of which were from one of the big consulting firms. The way I see it, I know a good deal about the security of the systems that I own... When I hear a security consultant make mistakes related to MY hardware, I assume he will make similar mistakes where I have less knowledge. (boy that didn't feel like a good sentence :p)
I hope you are taking all this information constructively. You are only making the same mistakes every security consultant I have dealt with makes... Except the one that really bugs me... When they make a HUGE deal about a very minor security risk, yet completely ignore gaping holes(specifically password expiration schedule for a domain, vs. an intranet application storing plain text passwords in a database).
In any situation, I will likely be looked upon as a hacker first, and an aspiring security professional last.
Good luck! You are chasing a very rapidly moving target in the security world :).
In reply to Re: Re: Re: Re: Password cracking algorithm
by oknow
in thread Password cracking algorithm
by SyN/AcK
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |