Archive for July 6th, 2006
HP to hack customers' networks

“The company plans to launch a penetration-testing service for businesses in October that will use the same techniques as hackers to gain access to its customers' machines. However, the exploit code it will use will be controlled and will not propagate itself as a worm would, HP said on Tuesday.”
Sounds like a bunch of pentesting/ethical hacker type jobs are going to open up. I think that other corporations will follow suit. I know some guys who do forensics and pentesting on the side. As vulnerabilities are found quicker by criminals, pentesters/ethical hackers seem to be becoming more significant.


Malware Responses: What To Do Before, During, And After An Attack

“Don't let a malware attack ruin your business. A little planning and the right responses can make it a minor annoyance instead of a major catastrophe.”
This is a pretty good article. The article mentions how to “prepare” for an attack, but I would go a step further and submit how to “prevent” an attack from ever occurring. It is possible to avoid an attack:
1) Get a firewall that uses network address translation (NAT), and actually use it
2) Use Firefox
3) Don't surf shady sites: serial cracks, pirated software, some porn sites, screen savers
4) Watch out for dirty downloads. Some P2P applications and the warez shared on them are loaded with trojans, worms and other malware
5) Don't surf the Internet with administrative privileges.


Former Pentester of FBI, hacks the FBI

This case is not the same as the Department of Veterans Affairs loss of records or the Department of Agriculture's security failures. In this case, a contracting consultant conducted a penetration test without getting formal approval. He exploited the FBI's vulnerabilities to gain elevated privileges.

Joseph Thomas Colon, 28, is a former employee of BAE Systems. His pentest allowed him to obtain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III. According to Colon, the FBI field office in Springfield, Ill., to which he was attached, gave him approval.

However, every professional pentester and/or ethical hacker knows that you have to get formal approval from an authority.

Colon's lawyer said in a court filing that his client was hired to work on the FBI's “Trilogy” computer system but became frustrated over “bureaucratic” obstacles, such as obtaining written authorization from the FBI's Washington headquarters for “routine” matters such as adding a printer or moving a new computer onto the system. 

As a result, Mr. Colon will likely serve about 18 months in prison. :(…

Pentesting and ethical hacking tools and techniques must be dealt with responsibly. The bureaucracies that might allow pentesting must be respected at all costs. The first thing taught in pentesting and ethical hacking is to ALWAYS, ALWAYS, ALWAYS get written consent to proceed from the owners of the system.