Sunday, October 16, 2011

How I got back a returning customer

Background
A little background information for you folks who don't understand what I do... I expose the ways in which your network, server, host, web application, website or any other system may be vulnerable to real attacks. We are not talking about some obscure bug that can't be exploited. We are talking about DNS here...

Now DNS is not exactly rocket science, right? You think so? The customer whom I spoke to doesn't really concur with me on that point. He thinks it is rocket science, since he does not have enough technical knowledge to figure it out. I give him a demonstration of how to tunnel SSH over DNS (Ozyman) and SSH over HTTP :))

Show time (DNS Tunneling)
Once I do that, his auditor freaks out and tells me how I am doing bad things. What is my job again? I expose vulnerabilities and real threats to the customer, I don't perform simple scans and tell the customer to patch some bug without taking business productivity and impact into consideration. In layman's terms, tunneling one protocol over another, as discussed above, can cause the network to think SSH is just DNS traffic. Truth is, some rogue hacker may get a reverse shell running through that port and hide in plain sight.

To the customer and his newfound "auditor" (read: CISSP / CISA holder, with no grasp of protocols), I had to show documentation, research and a tool. To top it off, I showed a live demo and used Wireshark to show the DNS traffic. I did my job and I did it so well that the customer becomes scared, confused and everything else, but convinced. The customer does not want to understand the impact, or go with a quality security tester like me.
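As an added, defender-side example (not from the original post, and not part of Ozyman or any other tunnel tool), here is a heuristic that scores a DNS query log for the kind of tunnel traffic the demo above produces: long, high-entropy, never-repeated leftmost labels under one domain, often carried in TXT or NULL records. The log format, domains and thresholds are constructed for illustration, and the "last two labels" guess at the registered domain is a simplification.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "<epoch> <client> <qname> <qtype>" (not real traffic);
# the tun-example.net lines mimic a tunnel: long, high-entropy, never-repeated labels, TXT type.
SAMPLE_LOG = """\
1318723200 10.0.0.5 www.example.com A
1318723201 10.0.0.5 mail.example.com MX
1318723202 10.0.0.7 a9f3k2lq0zx8vb1mn4ty7c6r.t.tun-example.net TXT
1318723202 10.0.0.7 b7q1wz9er4ux0ck2pd5mh8sn.t.tun-example.net TXT
1318723203 10.0.0.7 zx4ml8nq2vt6yb0rc9ke3fa1.t.tun-example.net TXT
1318723203 10.0.0.7 k2p0dn7sw5hx9cm3vq8rb6tz.t.tun-example.net TXT
1318723204 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s):
    """Bits of entropy per character; random-looking tunnel payload labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))

def registered_domain(qname):
    # Assumption: the last two labels approximate the registered domain (no public-suffix list offline).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_domains(log_text, min_queries=3):
    stats = defaultdict(lambda: {"n": 0, "names": set(), "len": 0, "ent": 0.0, "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, _client, qname, qtype = parts
        first = qname.split(".")[0]  # leftmost label is where a tunnel carries its payload
        s = stats[registered_domain(qname)]
        s["n"] += 1
        s["names"].add(qname)
        s["len"] += len(first)
        s["ent"] += shannon_entropy(first)
        s["txt"] += qtype in ("TXT", "NULL")  # record types commonly used by tunnels
    findings = {}
    for dom, s in stats.items():
        if s["n"] < min_queries:
            continue
        n = s["n"]
        f = {"avg_label_len": s["len"] / n, "avg_entropy": s["ent"] / n,
             "unique_ratio": len(s["names"]) / n, "txt_ratio": s["txt"] / n}
        # Thresholds are illustrative; tune them against your own baseline traffic.
        f["suspicious"] = f["avg_label_len"] >= 20 and f["avg_entropy"] >= 3.5 and f["unique_ratio"] >= 0.9
        findings[dom] = f
    return findings
```

Running `score_domains(SAMPLE_LOG)` flags tun-example.net and leaves example.com alone; on real resolver logs, pair the score with volume per client, since a tunnel also shows as an unusual query rate.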

My mistake
I told them I will test the environment without any bias and will not support their certification (compliance) efforts if they fail to co-operate and patch all the important vulnerabilities. This causes a real stir and the next time, the customer (who happened to be a return customer - more than 4 engagements)... fails to choose ME for the 5th time.

Business 101
Guess why they didn't want me? I argued and I failed to co-operate with them for their namesake compliance... OK, from a business point of view I totally understand their hatred towards me. There's an old saying in sales: "If You Win the Argument, You Lose the Sale" (the auditor played a good part in convincing them that I am not the right person for the job). When it comes to security and technical aspects, I put my money where my mouth was... and showed them a real demonstration.

Better Late Than Never
What did I learn? Be co-operative... or lose the sale. I'd rather have it my way or the highway... and a customer who cannot appreciate quality is always going to end up in my bad books. I am a person that believes in quality over everything else.

What did they learn? The customer's network got hacked exactly 90 days after they achieved compliance. The customer didn't hesitate to call me. The manager at their firm said something I am very proud of... He said, "We are calling you because you scared us just like that hacker..."

For a few dollars more
After the post mortem and forensic analysis, I helped them to set up an incident response plan. The customer now engages me for security testing and overall maintenance of their network. I have gained a returning customer, after losing them once. Selling is all about second chances ;))

P.S: This is NOT the first time I am getting a call from a customer that disagreed with me and got hacked!

Cheers,
Kish

Thursday, October 06, 2011

Wow, Goodbye Steve?

Is it that time of the century for an inventor to be gone? Gee, that sucks... Goodbye Steve :(

Steve is an inspiration at best and he braved being born to unmarried parents and given up for adoption by his mother... Then he drops out of college, founds Apple, founds Pixar, rejoins Apple - a revolution happens with the iPhone, iPad and iPod, and owning an Apple product doesn't make you exclusive anymore; they've turned from being a niche company to a mainstream company with nearly $350 Billion USD in stocks... The only company that makes more money than Apple is Exxon Mobil, and they do it from oil, not from ideas!

R.I.P Steve, also R.I.P A.C Nielsen... Peace !

Saturday, August 27, 2011

iQuit... Steve Jobs quits Apple, what, again?

I have stopped counting the number of times, he's quit and come back to Apple...


It really would be a relief if he let M$ stay on top and generate serious revenue compared to Apple. Personally, I'd like to see the iPhone and a lot of i Apps / i Hardware(s) stop... The world becomes restricted to bullshit software provided by Apple... and their updates, well, you've got to pay for them? WTF?

A lot of Apple fans are pissed because of the software, DRM and the whole pay-for-your-updates BS - what if they introduce bugs just to push more updates... That is not happening now, but something like that isn't impossible... ;)

It would be ironic to have such ridiculous stuff going on amidst their already high number of vulnerabilities. iHate - Apple... All that aside, Steve Jobs is a great guy (business strategy, promotion, ideas and inspiring). Good luck to him!

Saturday, July 09, 2011

Love Letters...

I just love this, love this mail, especially the part about monies... hahaha !

Thank you for the Love letters :D

Monday, June 06, 2011

Note: Top 5 Database Breaches in 2011

1. Victim: HBGary Federal
Assets Stolen/Affected: 60,000 confidential emails, executive social media accounts, and customer information.

2. Victim: RSA
Assets Stolen/Affected: Proprietary information about RSA's SecurID authentication tokens.

3. Victim: Epsilon
Assets Stolen: E-mail databases from 2 percent of the firm's 2,500 corporate clients.

4. Victim: Sony
Assets Stolen: More than 100 million customer account details and 12 million unencrypted credit card numbers.

5. Victim: Texas Comptroller's Office
Assets Stolen: The names, Social Security numbers, and mailing addresses of 3.5 million individuals, plus dates of birth and driver's license numbers of some.

Note for reference... :D

Thursday, April 28, 2011

And you thought online booking is safe

INOX Movies features - A lesson in "designing secure web pages"


Vulnerable URL: hxxp://www.inoxmovies.com/seatlayout.aspx

In case you don't understand what the bug will be: it's a SQL injection!

INOX Movies is "Safe"... Come on, it uses "http"... it's unbreakable! :D

Sunday, April 17, 2011

APNIC runs out of IPv4 addresses

http://www.apnic.net/publications/news/2011/final-8

If you haven't read this announcement, read it and act on IPv6... deployment for your enterprise environment.

Cheers,
Kish

Saturday, February 12, 2011

Ignorance is "THE" root of all evil

Example? HBGary's latest pwnage by the Anonymous group... Can't understand why they don't maintain good passwords, different passwords for each of their accounts, some user awareness, and why they can't get proactive website maintenance and testing. They have so much capital, and as the last line in the JPG says... "not expertly secured"... Epic FAIL.

BTW, I had and still have respect for Greg Hoglund from HBGary. All in all, they lost clients and will have bad PR for the next month or so... please work on your security "before" you get hacked.

For all the guys who insist on "no DoS, no stress testing, no client side testing and no social engineering" - [04:18] <&Sabu> greg, a 16 year old girl social engineered your admin jussi and got root to rootkit.com

Yes, that's straight from an IRC chat log involving Greg (HBGary), Penny (HBGary) and the Anonymous group... I read the full log for the LOLs :D

Peace !