Posts tagged “Information Security”.

Big career changes ahead — Goodbye InfoSec.

As some of you know, Brady has recently celebrated his 1st birthday. It’s been a long year and as it’s worn on, my commute (two hours each way end to end) has often left me frustrated due to the lack of time with my son. More and more often, I have wondered, despite loving my current job and the people that I work with, if it was worth the time it was taking away from my family. Yesterday, as I had to telecommute due to the epic flooding that shut down Route 140 I was able to play with my son before getting him ready for bed. It was during this I had a moment of clarity: It wasn’t worth it.

After putting him to bed and discussing it with my wife, I started weighing my options to figure out a way to allow me to work near my family, make my own hours, and hopefully live comfortably. After thinking about it more and more, I came to the realization that the InfoSec lifestyle wasn’t cutting it anymore and that I was essentially fighting a losing battle. I’ve always been a bit of a chaotic neutral person and thusly I came to the conclusion that the best way to get what I want is to switch sides and move over to the darker realms of the Internet. As in my old job I monitored them daily, it was easy to reach out to my former adversaries and start inquiring about positions within their organization. They were very receptive and were happy to get someone with my portfolio, so I was able to negotiate a tidy signing bonus as well as relocation costs.

Yes, you read that right, relocation. We are all moving to Estonia. This may seem like a big move, but I have always wanted to set out and blaze a new trail beyond my comfort zone, so this was right up my alley. With Brady just picking up Portuguese and English, adding Estonian on top of that will do wonders for his development. Finding a new house would be a worry, but thankfully Peeter, my new boss, has an associate, Mikhail, who was able to get me a killer deal on some waterfront property in Hiiumaa. He was even able to get the seller to go way below their asking price! Plus, they have a very decentralized structure and are fans of working from home, so I should be able to get away with only showing up to meetings a couple of times a month off-island. This is an ideal situation and everyone in the Jackson household is excited.

I know this might come as a shock to some of my InfoSec friends and it may seem like I’m abandoning them for “the other team” — and I’m sorry if you feel this way. This was the best option available to me to continue working in the field I love while allowing me to be close to my family. I sincerely hope that despite me now being an adversary, we can still remain cordial and reasonable to each other and can remain friends. Of course, trusted friends should feel free to contact me if you are interested in joining me on this great adventure, as we are currently looking for people who have experience in the field and like to work in the trenches.

I’ll be chronicling the move and the adventure of emigrating in the upcoming weeks; this should be interesting on so many levels. I need to start researching how one gets an Amateur Radio license in Estonia.

A Tale of Two Skiddies…

… or, how selective prosecution of computer crimes is causing more problems than it’s solving.

Allow me to introduce you to two script kiddies: David Kernell and Michael Mooney. One of them is currently on trial for accessing computers in an unauthorized manner; the other is currently scot-free for doing the same. Why is one being prosecuted for his crimes while the other is not? I think it’s a symptom of a larger problem in the legal system in the United States.

First off, a little background: In 2008, David Kernell aka “rubico” correctly guessed then Alaskan Governor Sarah Palin’s password reset question on her Yahoo mail account using public information sources such as Wikipedia. Kernell then proceeded to post screenshots and other bits of information found in the account to a public forum on the Internet. A few months later, Michael Mooney aka “Mikeyy” found a security hole in the Twitter service which allowed a user to post JavaScript in their “Bio” section. Mooney then decided that instead of doing the responsible thing and reporting this to Twitter, he should instead use the hole to hijack people’s Twitter accounts, at first to promote a site he ran, then to sing his own praises. You may remember me writing an article about what unfolded next, but that’s another discussion entirely.

Now, today, Kernell is currently awaiting trial for his crimes in a Federal court in Knoxville. Mooney would have long faded into obscurity in my mind, but he decided to do some Google vanity searches on himself, came across my article, and decided to convince himself that I was somehow jealous of his… hmm… nope, not sure on that one, but anyway… After telling him in no uncertain terms about what I thought of him, we got in a classic Internet argument.

After dealing with his inane ramblings and him trying to convince me that, despite admitting that what he did broke the law, what he did wasn’t illegal (obviously, Mooney retained Erwin Schrödinger as counsel), I got to wondering why Mooney is free to drink Martinis, watch the sun rise, and fancy himself as some kind of security consultant, while Kernell is currently staring down a sentence in FPMITA prison. I understand that the Feds don’t have the time or inclination to investigate every little event, but given that Mooney admitted to doing it, that his information is publicly available (Heck! Check his Twitter stream or his website and find his mobile number!), and that he’s admitted to breaking the law, the Feds are effectively saying that while it’s not OK to break into a Vice Presidential candidate’s e-mail, you can hijack thousands of users’ computers to promote your website and get away with it, provided you don’t do anything really nasty.

Something that has always concerned me is the selective prosecution of one computer crime and not of another. As someone who deals with the endless streams of attacks and scans coming down the SuperInfoBahn, “getting the bad guys” is an all too infrequent event. When incidents like the Mikeyy worm go un-prosecuted, I feel that we are continuing to send the message to people that compromising a computer, website, or whatever is fine provided that, you know, you don’t do anything really bad, whatever that means. I think we’re essentially already looking at the Fixing Broken Windows theory at work: we’re not going after the crimes when they’re small, and thus we’re continuing to see problems escalate. While I’m not suggesting that if we go after the small crimes we’ll see ZeuS drop off the face of the planet next week, it might start to take a bite out of younger people trying to compromise each other via Rogue Neopets Paintbrush Generators.

I don’t know how it’s come to be that Kernell is being prosecuted while Mooney is not; I’m sure going after such a high profile target under USSS protection definitely made it hard for Kernell to slide back into obscurity. I’m not suggesting that Kernell be let off the hook for his crimes, but I don’t think anyone can argue that it’s fair that Mooney isn’t being held responsible for his crimes while Kernell is.

GSM Encryption DOOMED! Your iPhone is DOOOOOOMED! Or not. Maybe.

While going through my backlog of RSS entries that have piled up over the past week, I came across this story from Byron Acohido (via Threatpost, which I highly recommend) who talks about the moral ambiguity of the release of tools that allow rainbow tables to be built for cracking the A5/1 GSM encryption cipher. First, let’s get this out of the way: attacks like this against A5/1 have been around since at least October 2007. The big deal with these new tools is that they provide the basis for taking the computation time down from days or hours to seconds. These tools are rainbow table generators. They do not do any kind of sniffing or cracking, just a boatload of computations.

This aside, I find the story interesting for a number of reasons: First I like how the iPhone is specifically mentioned. Byron mentions that:

Hackers could go after sensitive information exchanged while using Web apps for phone banking and stock trading; or they could eavesdrop on sensitive conversations, discussion about medical histories, for instance.

Actually, in cases where you are on a 3G network, you’re safe from this attack on the data side, as 3G networks use the A5/3 cipher. The problem is that, at least in AT&T’s case, even if you are on a 3G network, any voice calls are routed over regular GSM channels, which use the faulty A5/1 cipher. I believe T-Mobile is in the same boat. Fixing this is rather simple from a technical standpoint: just flip the voice side over to 3G as well. Of course, we know that in real life it’s almost never that simple. Both carriers’ 3G networks are nowhere near the size of their GSM networks, and who knows what kind of capacity they have on the 3G side. However, the decision here is completely on the carrier: what do they value more, their customers’ security and privacy or their profit margin?

Plus, I think the larger question here is: when did mobile phones become secure? I think any person with a background in Information Security or Radio who was around in the early 1990s either monitored cell phones or knew of someone who did. While the introduction of digital phones made monitoring more difficult for your simple geek, given a sizable sum of money it is still possible. The creation of devices such as Cryptophone proves this. Even before these tools were released, there were already “active” attacks on GSM in the wild, such as spoofing cell towers and then telling the phone to go sans encryption.

Next, regarding the question of releasing these tools; Byron calls the release taking the “morally debatable high ground.” I think his logic is really flawed, and he shows why in his article:

As this timeline depicting the emergence of the Conficker worm shows, the bad guys pay big bucks to black hat researchers adept at finding vulnerabilities, which can be immediately exploited for profit — before anyone issues a patch.

And now grey hat researchers, like Moore and Nohl, build careers out of concocting campaigns to embarrass vendors under the banner of compelling vendors to resolve security flaws in popular products – usually highly profitable cash cows — in a timely manner.

It’s been shown that attackers pay large sums of money for attacks that aren’t patched, making a market for enterprising attackers with questionable morals to develop them. With the existence of this market, why are we assuming that the bad guys don’t have rainbow tables for A5/1 already computed and aren’t actively recording calls from high value targets? It’s silly. Releasing these tools essentially destroys the already tattered blanket of ignorance people have been wrapping themselves up in since people started shouting that A5/1 was insecure, and once again shows us that mobile phones are, by their very definition, insecure devices.

Is it an endpoint or is it a computer? Plain speaking or vagueness?

This article was just posted to my Twitter stream (Hat Tip: Chris Boyd). Graham Cluley from Sophos calls for people to stop using the word “endpoint” and replace it with “computer” as it confuses users. On its face, it makes sense. My wife would have no idea what I was talking about if I started bandying about “endpoints” in conversation instead of “computers”. I also completely agree that the term “endpoint” is incredibly overused by marketing departments. However, if we start trying to fit our nomenclature into simpler terms rather than continue to use our existing ones, are we hurting ourselves in the long term?

Allow me to babble about my childhood. I have always had a deep love of radios. My dad would have the police scanner on almost every evening and one of the channels he had crystalled in was “North Shore CMED.” For the 99.9% of you who have no idea what CMED was, it allowed ambulances to brief hospitals about inbound patients being delivered to their ER. For those of you familiar with the 1970s era TV show Emergency, the radio traffic was similar to the calls between Squad 51 and Rampart. Now, what does this have to do with endpoints? Well, back when I first started listening, there would be patients that were involved in “car accidents”. Then, a few years later, “car accidents” started being replaced with “motor vehicle accident” or “MVA”. Makes sense, right? The person could be in a truck, bus, dune buggy, etc. Now, apparently, the new term is no longer “MVA”; it is now an “MVC” or “Motor Vehicle Collision”. That makes sense too, right? The person could have decided to ram someone off the road or is suicidal. These terms do a better job of encompassing all possible scenarios, despite most people possibly not understanding the difference between a “car accident” and a “motor vehicle collision”.

This reasoning is exactly why we use the term endpoint. While the public might not understand the difference between a “computer” and an “endpoint”, there are key differences between the two. For example: I currently have five endpoints on my desk, but only two computers; the other three are an embedded device, an IP phone, and my mobile phone. While all are endpoints and you could make the case that all five are indeed “computers”, they do not fit what the general public thinks a computer is. When you’re talking about endpoint security, you need to keep in mind that anything that is a destination for information is an endpoint, and they all need to be protected. Yes, in 90% of cases it is a computer, but this is rapidly changing. Language is a very powerful tool. By saying “endpoints” instead of “computers”, we as professionals are being more specific about what’s affected. If we say that computers are affected by a certain issue, do we mean only computers? Or do we mean computers along with other devices? As a side benefit, it’s also the first step to convincing people that any kind of device needs to be secured.

While we’re not going to be changing any thinking overnight, nor are we going to enjoy answering the endless questions of “What’s an endpoint? Oh, you mean a computer…”, it’s one of those painful things that we’re going to need to do. Keeping ourselves to old definitions keeps us from talking about evolving threats accurately, and that’s just a bad idea.

Secure Software Redux

David Rice wrote a response about my last post regarding a Secure Software Reality Check and makes some good points.

But people’s “wants” do not exist in a vacuum. The “wants” live within an incentives framework that either promotes or inhibits certain behaviors. In fact, because of relatively low U.S. gas prices (in comparison with the UK, for instance) and tax incentives for purchasing trucks or SUVs over a certain weight, the “want” of a big vehicle is promoted in the U.S. while inhibiting the “need” for low-emissions subcompacts.

I don’t disagree with the idea of people’s wants not living in a vacuum. The ads on TV demonstrate otherwise. However, most people’s wants live within their own bubbles. For example, while I don’t give a crap about torque, horsepower, etc., I do give a damn about 4 wheel drive due to my winter commute down some crazy back roads to the commuter rail. One of my other wants is downright “strange” when compared to the mainstream: I am one of the few people who look for cars with a smaller central console due to my other hobbies, which is a pretty strange “want” to have next to the mainstream, but it makes perfect sense within my bubble.

In other words, it makes more sense from a buyer’s perspective in the US to buy a bigger vehicle because the incentive structure rewards that behavior. If gas prices were allowed to rise to $10/gallon and a broader tax burden was placed on all non-subcompacts (much like the gas-guzzler tax on the Hummer, only more general), the incentive to “buy big” would gradually ebb. So the “want” for a big vehicle would be partially transformed into a new “want” for smaller, more fuel-efficient cars (so long as people felt they were better off for buying the smaller car). And it just so happens this “want” would be more aligned with the “need” for reducing the social and environmental costs (known as negative externalities) of car ownership.

I disagree that the current gas prices “reward” buying a larger vehicle. They simply allow for buying a larger vehicle. Do consumers buy a Hummer when an Impala would suffice? I’d be stupid to suggest that they don’t. But by creating an external force (i.e. a tax) in order to “discourage” certain “behaviors”, you’re doing nothing to stop the “want”; you’re just trying to force people to do something they don’t want to do. You’re treating the symptom (low MPG cars) rather than treating the disease (bad driving habits).

What does this have to do with secure software you may ask?

In the context of software then, there is no incentive to reduce “vulnerability emissions” by software manufacturers nor is there an incentive for buyers to avoid purchasing software with plenty of bugs and defects. Buyers want “big” software; that is, software with a bevy of features even though this dramatically increases the likelihood of latent defects and vulnerabilities. Because of this demand for “big” software, software manufacturers are happy to supply it. There is no incentive to do otherwise.

There is an incentive to do otherwise, and I think this is where the MPG analogy breaks down. Every so often Microsoft has some major bug that gets exploited enough that it makes the news cycle. Microsoft’s response to this has been nothing more than a “Whoops! Our bad. We have a patch.” They then wash their hands of it. This is the equivalent of Ford Motor Company dealing with the cruise control issue back in 2003 with “Whoops! Our bad. We’ll replace it.” However, there are now multiple class action lawsuits from people who were affected by that problem. Why does Microsoft get away scot-free yet Ford has to pay the piper? I think one of the reasons is that people haven’t realized that they can make money off of software defects, and the other is that people haven’t yet made a connection between physical loss and virtual loss.

Aunt Ethel and Uncle Mortimer, while they don’t give a crap about how many critical bugs their operating system had this month, do care if their computer gets owned. What needs to be done by us as a community is teaching them that B is directly related to A. If people start understanding that because some coder at Microsoft didn’t check his buffer size correctly their credit card numbers are now floating around Romania, we’ll start seeing people crying bloody murder. The sooner they do that, the sooner we’ll get vendors who take security seriously, and the sooner that happens, the sooner we’ll all be better off. No laws needed.


A Secure Software Reality Check

Chris Wysopal, aka “Weld Pond” wrote about the recent DDoS attacks against South Korea and the root cause being that we have an insecure software ecosystem. Chris is spot on with this statement and he brings up an interesting analogy:

There has been no global cooperation to date to help the average computer user keep his or her computer secure. Yet we talk about keeping car emissions down. But the effect of both is similar. In a shared environment, be it the water and air or an information infrastructure, each individual user contributes to the health of the system.

Each insecure computer is much like a polluting car. By itself there is little risk of harm. But when the software on that computer is compromised and taken together with all the other computers with that software, the risk builds up until it reaches a critical mass. We see that critical mass when groups, nation state sponsored or simply criminal, are able to destroy network connectivity for their targets using these compromised computers.

I think the analogy he uses is great, but not for the reason he uses it for. We talk a lot about “keeping emissions down” and the government pushes lofty goals about reducing so-called “carbon footprints”, but the main reason we don’t see everyone driving subcompacts that get 35 miles per gallon is because very few people want them. The public, as a whole, wants their 6000 SUX that looks dead sexy and has a top speed of $BIGNUM MPH. 8.2MPG? Runs on baby seal blood? Who cares?

This is exactly the same with computer security. We talk a lot about “securing cyberspace” and the government pushes lofty goals about treating our “digital infrastructure… as a strategic national asset”, but it’s exactly the same. Most people don’t want to have secure software. They want to have their Bonzi Buddy and their 3D Dancing Pigs on their website. The software has a horrible security track record? It requires tons of security settings to be disabled on the computer? Your entire HR system uses Microsoft Access as a back end? Who cares?

Chris is right. We need to make EVERYTHING secure. Every operating system, every application, every library. This is nowhere near an easy fix. Ideally we need to start the software industry at tabula rasa and build everything from scratch. It is possible: just look at OpenBSD. However, we are not going to be able to convince anyone to start taking these steps until we start making a gigantic culture change from the ground up. Aunt Ethel and Uncle Mortimer need to start understanding that they are doomed in the current environment and start demanding that their software be secure. Companies need to stop dealing with vendors that have repeated security problems. In-house staff need to be trained in secure computing practices. Computer science students need to be taught secure coding methods. This needs to be EPIC. However, until then, we are all going to be stuck on the hamster wheel of pain, dealing with massive botnets, scrambling to patch zero day vulnerabilities, and holding our breath waiting for the next “big one.”

How do we make it so we can escape? I have no clue and I doubt anyone else does either. The only thing I could see possibly breaking us out is everything going up in a giant cloud of smoke. All the cyberwar pundits are correct and we have a massive attack on our infrastructure. Blackouts! ATMs Jackpotting! Computers turning into Bombs! Dogs and cats, living together! Mass Hysteria! Only then will we learn the error of our ways!

Of course the pessimistic side of me says that we’ll still want our Bonzi Buddy and 3D dancing pigs.

(On a tangent, did you know Weld Pond was 43? I feel old now.)

Dammit… Why didn’t anyone take me up on my bar bet?!

Wow. That was quick. Of course, this isn’t a copycat attack, but holy crap, is this kid’s 15 minutes up already? Sadly, Mr. Rowland is now learning the hard way that he may not have thought his cunning plan all the way through:

And, of course, Chris Boyd comes up with the most direct worm prevention technique.

Twitter, Mikeyy, exqSoft, and setting the wrong example

So, over the weekend Twitter was hit with not one, but two worms. “Mikeyy Mooney” wrote a worm to deface people’s profiles and cause compromised accounts to first promote his website, then promote himself. A bad weekend for Twitter indeed, but it has possibly turned into something worse for the Internet as a whole.

Word came out today that Mike (I refuse to call him by that insane double “Y” name) was hired by Travis Rowland, owner of a small company out in Oregon called exqSoft. Allegedly he’s going to be doing web development for them, but this move sends EXACTLY the wrong message: do a sufficiently splashy compromise, and get yourself a job.

I have no beef with Mr. Rowland as a person, nor do I disagree with his assertion that Mike could have done something a lot worse. However, rewarding this behavior is going to encourage copycat attacks, and that helps no one. Already there is a prevalent attitude among youths involved in computing that in order to get a job in Computer Security later on in life, you need to be a l33t h@x0r and pwn people. Chris Boyd (whose weblog you should definitely be reading) has done some work investigating these attitudes and they are quite scary. There are thriving communities of kids who are scamming people out of HabboHotel and RuneScape credits and not only see nothing wrong with it, they kind of see it as getting experience for later on in life. (Sadly, Chris’s archives seem to be wiped out, so I can’t provide links.) Some of Mike’s statements even reflect such an attitude:

“I’m really getting a bad reputation from it but at the same time people are taking into consideration that even though I did some harm I didn’t cause any damage,” he said.

When did it suddenly become “OK” to hijack people’s accounts? Have we really slid down the slippery slope enough that taking control of someone else’s “property” is fine as long as you don’t do anything *really* malicious? Also, whether or not “damage” was done is another thing entirely. How many non-security-savvy people completely freaked out over the weekend when they saw their Twitter account was posting random things? How many man hours were wasted, not only by the Twitter staff, but by the thousands of people who were compromised and had to clean up their accounts in addition to making sure they weren’t compromised in some other fashion? How would Mike like to receive a bill for that?

Now, Mr. Rowland sees his hiring as a way of providing Mike a safe place to use his talents. You know, sort of like an online YMCA. At one point in my life I did agree with this sentiment, as there was no easy way to “break” things. However, this is not the case anymore. I am amazed at some of the utilities available today specifically designed to hone penetration and security skills. I see it as upping the ante for these groups. Seeing Mike get hired after he exploited Twitter is probably going to get a lot of gears turning and cause thinking of “Geez, if I do something similar to YouTube/Facebook/Hi5/MySpace, maybe I’ll get a job as well!”

When I finally made the decision to try to make the jump from an Information Security hobby into an Information Security career, I did have a similar conundrum: how do I get some, for lack of a better term, “street cred?” I’ll admit I started poking at websites looking for holes similar to the ones Mike found in Twitter, and finding them in the process. HOWEVER, and this is the key difference, I worked with the websites to fix the holes, rather than attempt to make the front page of the Technology section of ABC’s website. Closest I ever got to that was an article in InfoWorld about an anti-phishing application I wrote in my spare time. Not as exciting? Nope. A lot of work? Yup. Did it work? My current place of employment says “Yes”.

Of course, it isn’t all sunshine and puppies for Mike as he also got himself reamed a new one by a group who posted all his personal information online to Full-Disclosure. This might temper the rush of script kiddies trying to get their name in the press. However, I’d be willing to make a bar bet that we will see an uptick in “harmless” attacks against social media services like Twitter due to Mike’s hiring.

Twitter Phish: Non-Event or end of the “Good Ol’ Days”?

Like many other Twitter users this weekend, I got the following DM from someone I followed:

Hey, i found a website with your pic on it… LOL check it out here <link>

As soon as it arrived, my spidey sense went off:

  • Unsolicited? Check.
  • Vague message? Yup.
  • Wants me to click on a link? Indeed.

This instantaneously caused me to think “Bad link! Do not click!” and I quickly tweeted my concerns. Thankfully many people did the same, which probably saved more than a few people from clicking the link. It did garner a fair bit of attention since this was the first-ever phish that came via DMs on Twitter and some people are seeing strange activity on certain accounts, but for the most part it has faded back into the noise of a usual Monday morning on Twitter.

This was bad, and I feel it was the opening salvo in a major change in the way spammers operate on Twitter, but I think the worst may be yet to come. For those of you not on Twitter, the way spammers have been operating is by setting up an account, following a lot of people, then waiting for the unsuspecting users to follow back. Once they feel that enough people have started following them, they start spamming their links. Now, with the phishing attempts, they can cut out the middle man and start spamming your follower lists with their links. Ruh Roh Shaggy…

Now, let’s ratchet this up to the next level. Imagine if the phishing page had some kind of exploit embedded in it. Let’s say @britneyspears posts “Hey guys, check out my new track at (link)!” Thousands of devoted Britney Spears fans clamor to hear their idol’s screeches, er, talents and are directed to a page telling them to log in with their Twitter ID. That page exploits their browser and assigns them to a botnet. The few who think Twitter is trustworthy fork over their credentials, at which point a PHP script logs into their Twitter account and DMs all their friends the same link with a random headline.

Lather.
Rinse.
Repeat.

Congratulations! We now have the first Twitter worm! With Twitter’s somewhat notorious instability under high load, at what point would we see a Twitter DoS?

This Twitter phish was bad. However, I think the community dodged a bullet and we may not be so lucky next time. Many people think Twitter is a safe sandbox on the Internet and not the same as their e-mail or IM. The million dollar question is how can we teach people that Twitter can be a nasty place before “the big one” hits?
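The three checks above (unsolicited, vague, wants a click) plus the “lather, rinse, repeat” fan-out can be turned into a simple detector run over DM logs. This is an added example, not code from the original post; the log format, the lure phrase list and the `phish.invalid` URL are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Vague lure wording of the kind quoted in the post (assumed list; tune as campaigns change).
LURE_RE = re.compile(r"\b(check it out|your pic|lol|click here|is this you)\b", re.IGNORECASE)

# Constructed sample DM log, one message per line: timestamp|sender|recipient|text.
# Not real Twitter data; the phishing link is a placeholder domain.
SAMPLE_LOG = [
    "2009-01-05 08:00:00|me|bob|lunch tomorrow?",
    "2009-01-05 09:00:00|bob|me|Hey, i found a website with your pic on it... LOL check it out here http://phish.invalid/pic",
    "2009-01-05 09:05:00|carol|me|Hey, i found a website with your pic on it... LOL check it out here http://phish.invalid/pic",
    "2009-01-05 09:20:00|dave|erin|hey i found a website with your pic on it lol check it out here http://phish.invalid/pic",
    "2009-01-05 10:00:00|frank|me|Here are the photos from Saturday: http://photos.invalid/album",
]


def parse_log(lines):
    """Parse 'timestamp|sender|recipient|text' lines into dicts, oldest first."""
    dms = []
    for line in lines:
        ts, sender, recipient, text = line.split("|", 3)
        dms.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                    "from": sender, "to": recipient, "text": text})
    return sorted(dms, key=lambda d: d["ts"])


def analyze(lines, fanout=3, window=timedelta(hours=1)):
    """Return {message index: [reasons]} for DMs that look like the post's phish.

    A single DM is flagged when all three checks from the post hold: it carries
    a link, uses vague lure wording, and the recipient never DMed the sender
    before (unsolicited). Separately, any DM whose link has been sent by
    `fanout` or more distinct accounts within `window` is flagged as a
    propagating campaign; that is what catches the copy arriving from an
    account you already talk to, which the per-message checks alone miss.
    """
    dms = parse_log(lines)
    talked_to = set()            # (sender, recipient) pairs seen so far
    by_url = defaultdict(list)   # url -> [(timestamp, sender), ...] inside the window
    flagged = {}
    for i, dm in enumerate(dms):
        urls = [u.lower().rstrip(".,!") for u in URL_RE.findall(dm["text"])]
        has_lure = bool(LURE_RE.search(dm["text"]))
        unsolicited = (dm["to"], dm["from"]) not in talked_to
        reasons = []
        if urls and has_lure and unsolicited:
            reasons.append("unsolicited vague message with a link")
        for url in urls:
            recent = [(t, s) for t, s in by_url[url] if dm["ts"] - t <= window]
            recent.append((dm["ts"], dm["from"]))
            by_url[url] = recent
            senders = {s for _, s in recent}
            if len(senders) >= fanout:
                reasons.append(f"campaign: {url} sent by {len(senders)} accounts within {window}")
        if reasons:
            flagged[i] = reasons
        talked_to.add((dm["from"], dm["to"]))
    return flagged


if __name__ == "__main__":
    for idx, why in analyze(SAMPLE_LOG).items():
        print(idx, why)
```

On the sample log, bob’s copy slips past the per-message checks because of the earlier conversation, carol’s is caught by the three checks, and dave’s trips the campaign threshold once the same link has come from three accounts inside the hour.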

Penetration Testing – Not Quite Dead Yet

There has been some hub-bub lately about Fortify saying that “Penetration is Dead! .. Oh yeah, and by ‘Dead’, we mean, not dead, but just different.” This was following a similar, but completely unrelated post by Jack Daniel stating that “Penetration testing is a farce and largely a waste of time and money.” While I am inclined to agree with Jack’s basic tenets regarding the two possible outcomes of penetration tests, and I do have a disdain for the term “ethical hacking”, I don’t think that the current model is going away, nor that it is useless.

There are two types of penetration testing that should exist: The kind of penetration test that is worked into the QA process, and the “How screwed are we?” audit-type penetration test. The former should be worked within the application development process, testing the codebase as the project moves forward and giving the application one last assessment before it moves into production. The latter is one where you have a no-holds-barred scan on your network. Both of these accomplish two similar, but different goals: Within the QA process, it gives you and the developers ideas on how secure a certain application is and if there are any show-stopping security bugs. As an audit, it gives you a better idea as to where the weak spots are on your network.

Both of these need to be accomplished by an independent party who does not hold an interest in the project. If you have an independent security team, they can usually handle the tests within the QA process. However, for audits, more often than not it is a good idea to call in the consultants and let them go to town. Now, I loathe consultants and feel that they often aren’t worth half of what they charge, but there needs to be an air of impartiality for upper management. Also, by not putting the security group in charge, it gives them equal time within the crosshairs, something that may be glossed over if they are the ones running it.

More often than not, companies don’t have an independent security team. This has given rise to numerous “penetration testing” companies that specialize in shining a flashlight into all of the dusty corners of your applications and network. This is great and fills a vacuum for a lot of small businesses who just have a “computer guy” who realizes that security is an issue, but does not have enough cycles to address it. However, the major issue is, as Jack correctly points out, that we don’t have common criteria to judge what kind of “penetration test” we’re getting. Are we getting some ninja dropped into our environment to wreak havoc for a week, or are we having someone show up with Nessus, scan, and drop off a report later that day? Also, what happens afterward? Does a report get dropped off and the auditor washes their hands of it, or will they assist with the remediation phase? Does the report even get read by upper management? If management and IT are relatively clueless about what a good “penetration test” is, the potential for abuse is very high. When dealing with security, that is a very dangerous game to play.

I don’t have a solution to this, besides suggesting that outreach and education is key. The issue is who should be doing the outreach and do companies really want to be reached out to. There is no quick and easy solution to this, just like a “penetration test” is not a silver bullet for solving security issues.