
Thread: Info Security : Worst-case scenarios of this job

  1. #1
    Security Researcher fb1h2s (Joined Jul 2010, India, 616 posts, 32 blog entries)

    Info Security : Worst-case scenarios of this job

    Penetration testing:
    Worst case:
    In this the hardest part is explaining to the clients what we did, and explaining to them that the black command prompt we have on our PC is their server's cmd shell :P.
    Best part: our job is our passion.

    Pls put more thoughts, it's fun.
    Hacking Is a Matter of Time, Knowledge and Patience

  2. #2
    What happens is most of the clients don't understand what's really achieved. In every case we should try to tell them what the business impact of a particular threat is and how it can bring their business to a critical stage, but finally it takes much time to make them understand.


    Hire a Hacker by the Night and Hire a Chief Security Officer (CSO) by the Day.

  3. #3
    Garage Addict 41.w4r10r (Joined Jul 2010, Pune, 338 posts, 3 blog entries)
    The worst case I faced a few days back...
    It was a PT and I managed to get the Admin user ID and password from a vulnerable application....
    So I logged in to verify if those were correct, and the client asked me why I logged in with Admin privileges.
    My answer was: to verify whether the admin ID and password are correct or not. So he said, isn't it possible to verify without logging in to the server? I said yes, it is possible. He asked me how; I said by confirming it from you. So he said, but why would I tell you whether it's right or wrong, that's your job....
    Actually he wanted me to check if the credentials were correct or not without asking him and without logging in...
    I was like..... I guess infosec guys understand my feelings......

  4. #4
    Security Researcher fb1h2s (Joined Jul 2010, India, 616 posts, 32 blog entries)
    I remember NEO mentioning an incident where clients asked him to test DoS and DDoS attacks, and did not want any of their services to be down either :P
    Hacking Is a Matter of Time, Knowledge and Patience

  5. #5
    *laughing*
    How about we write a "Dummies for PT Clients"

  6. #6
    Garage Member D4rk357 (Joined Jul 2010, localhost@mumbai, 153 posts, 1 blog entry)
    Worst case for me is when clients ask me to fix what I have found... even though it's out of scope :/
    Spirit was turned to ashes, soul endured so much pain..
    now the darker time evanescence, the fallen shall rise again.

  7. #7
    InfoSec Consultant the_empty (Joined Jul 2010, the blue no-where, 155 posts, 2 blog entries)
    My client beats you all.... called me at night at around 2:00 and asked me how to unzip the archive to get the report....
    ACCESS is GOD

  8. #8
    Infosec Enthusiast AnArKI (Joined Jul 2010, London, 514 posts, 2 blog entries)
    Lol...... excellent thread to start with...... in almost 6 years in the security industry I have had numerous painful and funny moments.

    Like Neo's experience, I had a client requiring a DoS and DDoS test without any service disruption.... what makes it cruel is that it's an RBI mandate to all banks.....

    I usually have a tough time explaining to clients, to make them understand the risk of XSS and SQL injection.

    On top of it all, you slog it out and exploit 100 servers with Metasploit, and you show them a meterpreter session as a PoC screenshot..... and the client gives you a look at the presentation as if "what the %4% is this, you show me some black screens, where have you broken in or exploited anything?"

  9. #9
    I come across such idiots sometimes. Over a period I have realized they are more scared that a vuln has been found which could directly impact them and their jobs. It is the company's responsibility to make sure the guy who is supposed to secure things is not reprimanded at the first go, but given a chance to secure.

    PK

    Quote Originally Posted by 41.w4r10r View Post
    The worst case I faced a few days back...
    It was a PT and I managed to get the Admin user ID and password from a vulnerable application....
    So I logged in to verify if those were correct, and the client asked me why I logged in with Admin privileges.
    My answer was: to verify whether the admin ID and password are correct or not. So he said, isn't it possible to verify without logging in to the server? I said yes, it is possible. He asked me how; I said by confirming it from you. So he said, but why would I tell you whether it's right or wrong, that's your job....
    Actually he wanted me to check if the credentials were correct or not without asking him and without logging in...
    I was like..... I guess infosec guys understand my feelings......

  10. #10
    Security Researcher (Joined May 2011, Pune, Maharashtra, India, 237 posts, 1 blog entry)
    For me one case was when we had to convince the application owner that SQL injection is an application-specific flaw and not a server flaw.

    His argument: the same code on production doesn't give you SQL injection, but on the test machine you are saying it's SQL-injectable; it must be the machine, it can't be my code.
