RE: NASA Security Audit

From: Simons, Rick (RSIMONS_at_alldata.net)
Date: 10/09/03

    To: "'Gregory M. Brown'" <gbrown@alvalearning.com>, SECURITY-BASICS@SECURITYFOCUS.COM
    Date: Thu, 9 Oct 2003 07:12:08 -0500 
    
    

    I am fairly green to the security field, but I will offer what I can. I
    will watch this thread with interest. 8) If my reply is in no way related
    to your actual question, please feel free to delete, heh. I tend to answer
    questions I know, even if the question I answered wasn't quite the question
    posed.

    If you have been in the field for 2 years, I doubt any of this will be
    beneficial; but I will offer it anyway. If I were trying to get in, I would
    start by footprinting your organization. IP range, phone number range,
    browse the 'official' website for valuable info about your setup and a
    personnel listing. Then I would look at the doors in (ftp, term), x phone
    numbers with modems on them (from the phone number scan), y contacts at the
    location to social engineer with (from the website), and google the personnel I
    could find on the website to see, like in this case, if I could find a very
    descriptive list of what hardware the target was running or perhaps some
    personal pages created by employees that might help my attacks. If one of
    the posts was, like this one, very descriptive about the firewalling
    solutions, I would start banging on the known vulnerabilities for those
    devices. You would be surprised how many attacks start out by reading news
    groups or mailing lists: someone posts saying the security guru just left
    and they were handed the job, have little experience in the field, etc., so
    hackers who monitor said newsgroups and mailing lists open up the
    floodgates.

    With FTP obviously you have a clear text password issue, so I would start
    moving out from your server and try to take control of a peripheral router or
    gateway so I could sniff user/pass for the service. Chances are (perhaps
    this isn't the case, but chances are) that the ftp user/pass combos work for
    the term service as well.

    That is all I can think of. With possible ftp server vulnerabilities, term
    service vulns, misc services that may be running, a known hardware device
    list and associated old (possibly not patched) vulns, social engineering and
    wardialing, I'd say those will be hit first. If those can garner no entry,
    more head-first tactics would be used: try to DoS the hardware devices with
    malformed packets, or DoS the services to prevent valid users from
    connecting. There is more than one way to skin a cat, and if I can't get in
    I would make sure nobody else could either. Those types of attacks will
    most likely NOT be employed by your penetration tester, as they are more
    last-resort tactics, but something to always keep in mind and adjust
    rules/timeout values/etc. appropriately. Unfortunately, at this point this
    is where my knowledge/experience fails me, so I will leave this to the more
    experienced people on this list to reply.

    Rick.

    -----Original Message-----
    From: Gregory M. Brown [mailto:gbrown@alvalearning.com]
    Sent: Wednesday, October 08, 2003 12:49 PM
    To: SECURITY-BASICS@SECURITYFOCUS.COM
    Subject: NASA Security Audit

    Well it looks as though I am finally going to be tested by the Feds.
    According to my CTO, a guy named Jay Diceman will be the point man.
    Anyone ever hear of him? I hear he is a well known security expert
    (ex-hacker?) for the federal government. I have downloaded the Evaluated
    Security Configuration document created for Microsoft by Science
    Applications International Corporation. There are actually 2 of these.
    I think those .pdf's cover the Microsoft component. I don't even want
    him to get as far as any MS box. I am fairly new to security (2 years)
    and my final exam is going to be a "Black Box" test and a "Crystal" test
    from some heinously gifted hacker from NASA...

    1. What exactly will these 2 forms of intrusion concentrate on?

    2. Is my hardware up to the task? I currently have a Fortigate
    Fortinet 50 configured for intrusion detection and prevention. I am
    currently blocking 1300+ known attacks. My FW is a CheckPoint Celestix
    with a physical DMZ path. The only questionable services allowed
    through are FTP (requirement) and Terminal Services (requirement).

    3. What can I expect? Any input is GREATLY appreciated.

    Thanks. Man I hope I still have a job in 2 weeks!
    gb

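The clear-text FTP credential problem raised in the reply above, as an added example that is not part of the original thread: a small Python parser that walks a sniffed FTP control-channel conversation and pulls out each USER/PASS pair together with whether the server accepted it. The session transcript embedded in the block is constructed, not a real capture, and the user names and the hostname ftp.example.test are assumptions; on a live network the same function would be fed lines reassembled from TCP port 21 by any sniffer.

```python
"""Extract clear-text FTP credentials from a captured control-channel session.

Added example (not from the original thread).  Plain FTP sends USER and PASS
as unencrypted text, so anyone able to sniff the path to the server sees every
login attempt.  The transcript below is constructed for illustration.
"""

import re
from typing import Dict, List, Optional, Tuple

# Constructed sample session, as a sniffer would reassemble it from TCP/21.
# "C" = client -> server, "S" = server -> client.  Assumed names/hostname.
SAMPLE_SESSION: List[Tuple[str, str]] = [
    ("S", "220 ftp.example.test FTP server ready."),
    ("C", "USER ftpuser"),
    ("S", "331 Password required for ftpuser."),
    ("C", "PASS Winter2003!"),
    ("S", "230-Welcome, ftpuser."),          # multi-line reply: continuation
    ("S", "230 User ftpuser logged in."),    # final line of the 230 reply
    ("C", "PWD"),
    ("S", '257 "/" is the current directory'),
    ("C", "QUIT"),
    ("S", "221 Goodbye."),
    ("S", "220 ftp.example.test FTP server ready."),
    ("C", "USER anonymous"),
    ("S", "331 Anonymous login ok, send e-mail as password."),
    ("C", "PASS guest@"),
    ("S", "530 Login incorrect."),
]

USER_RE = re.compile(r"^USER\s+(\S+)\s*$", re.IGNORECASE)
PASS_RE = re.compile(r"^PASS\s+(.*?)\s*$", re.IGNORECASE)


def extract_ftp_logins(session: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Pair each USER/PASS exchange with the server's verdict.

    Returns one dict per login attempt: {"user", "password", "accepted"}.
    "accepted" is True when the server answered PASS with a 2xx reply
    (230 = logged in), False on any other final reply code, and None if the
    capture ended before the server replied.
    """
    results: List[Dict[str, object]] = []
    pending_user: Optional[str] = None          # USER seen, PASS not yet
    awaiting_verdict: Optional[Dict[str, object]] = None  # PASS seen, reply not yet

    for direction, line in session:
        if direction == "C":
            m = USER_RE.match(line)
            if m:
                pending_user = m.group(1)
                continue
            m = PASS_RE.match(line)
            if m and pending_user is not None:
                awaiting_verdict = {
                    "user": pending_user,
                    "password": m.group(1),
                    "accepted": None,
                }
                results.append(awaiting_verdict)
                pending_user = None
        elif direction == "S" and awaiting_verdict is not None:
            # RFC 959 multi-line replies use "NNN-" on all but the last line;
            # only the final "NNN " line carries the verdict.
            if len(line) >= 4 and line[3] == "-":
                continue
            code = line[:3]
            if code.isdigit():
                awaiting_verdict["accepted"] = code[0] == "2"
                awaiting_verdict = None
    return results


if __name__ == "__main__":
    for attempt in extract_ftp_logins(SAMPLE_SESSION):
        status = {True: "ACCEPTED", False: "rejected", None: "no reply"}[attempt["accepted"]]
        print(f"{attempt['user']!r} / {attempt['password']!r}: {status}")
```

Everything the parser needs is visible on the wire; the only defence is to stop using plain FTP for anything that matters (FTPS, SFTP, or a VPN in front of it) and to make sure the FTP password is not reused for the terminal service, as the reply warns.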
