From: redteam@all.net
Reply-to: redteam@all.net
Organization: Red Team Mailing List
Subject: RedTeam Mailing List 980225
<pre>---------------------------------------------
From: "scipio" <scipio@ican.net>
Subject: Re: RedTeam Mailing List 980224
Date: Wed, 25 Feb 1998 13:50:37 -0500

Add to the list of what red teams do:
	Developing procedures to correct vulnerabilities

	Discovering new models that use human, organizational, computer, and
	whatever else is required to prevent future problems.

	Telling the client how to fix the problems?

---------------------------------------------
Subject: Re[4]: NetScan testing this weekend
(lots of details withheld for obvious confidentiality reasons
Here is a process we are currently going through with a client. I thought it
might be of interest to the group members - I am particularly interested in
comments about the potential for harm and how this is mitigated.)

> ... starts with port scans from one remote IP address
>	- This will include several different types of port scans
> 	- Port scans can cause harm to ongoing processes
> 		* we want to do this during off hours
> 	- Port scans can, in some cases, cause denial of services
> 		* off hours
> 
> Based on port scans, we try widely published flaws in each found service,
> starting with the most often used and commonly attacked ones.
> 
> 	- Flaws include denial of services, leakage, corruption, and
> 		exploitation - all can cause harm - recovery generally
> 		involves restarting hardware (in the worst case) or undoing
> 		harm (in a bad case)
> 		* off hours
> 
> ...
> 
> real-time feedback is important to determine, for example, what gets
> through the firewall. If your normal logs don't detect it, only the real-time
> observations will tell me where it went or didn't go. This is also helpful
> for the people running these systems because their use of the tools needed
> to watch for these things gives them experience with each of the common
> attacks. In addition, some attacks are open-loop - meaning that I cannot
> necessarily tell if they work from here. This means that without results
> from your side in real-time, we won't know which attack caused the result.
> ...
> 
> Almost all of the attacks can cause harm, even though it is unlikely that
> the harm will be severe. The harm can almost always be repaired fairly quickly
> by rebooting or similar activities, but this requires on-site personnel.

FC
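The real-time observation the message above calls for, as an added example that is not part of the original post: a small Python detector run over constructed firewall log lines that flags a single remote address probing many distinct ports in a short window and reports which of those probes the firewall actually let through. The log format, addresses, window and threshold are assumptions.

```python
"""Flag single-source port scans in firewall log lines and report which
probed ports were allowed through. Sample data below is constructed."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (assumed format): "<ISO time> <ACTION> <src> -> <dst>:<port>"
SAMPLE_LOG = """\
1998-02-25T02:00:01 DENY 203.0.113.7 -> 192.0.2.10:21
1998-02-25T02:00:02 DENY 203.0.113.7 -> 192.0.2.10:23
1998-02-25T02:00:02 ALLOW 203.0.113.7 -> 192.0.2.10:25
1998-02-25T02:00:03 DENY 203.0.113.7 -> 192.0.2.10:79
1998-02-25T02:00:04 ALLOW 203.0.113.7 -> 192.0.2.10:80
1998-02-25T02:00:05 DENY 203.0.113.7 -> 192.0.2.10:110
1998-02-25T02:00:06 DENY 203.0.113.7 -> 192.0.2.10:111
1998-02-25T02:00:07 DENY 203.0.113.7 -> 192.0.2.10:143
1998-02-25T02:05:00 ALLOW 198.51.100.4 -> 192.0.2.10:80
1998-02-25T02:05:30 ALLOW 198.51.100.4 -> 192.0.2.10:25
"""


def parse_line(line):
    """Split one log line into (timestamp, action, src, dst_host, dst_port)."""
    ts, action, src, _arrow, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), action, src, host, int(port)


def detect_scans(log_text, window_seconds=60, min_ports=5):
    """Return {src: {"ports": [...], "allowed": [...]}} for every source that
    touched at least min_ports distinct ports within any window_seconds span.
    "allowed" lists the scanned ports the firewall answered with ALLOW, i.e.
    what got through and needs a closer look on the target side."""
    recent = defaultdict(deque)   # src -> (time, port) events inside the sliding window
    allowed = defaultdict(set)    # src -> ports that received an ALLOW verdict
    hits = {}                     # src -> all distinct ports seen once flagged
    for line in log_text.splitlines():
        ts, action, src, _host, port = parse_line(line)
        events = recent[src]
        events.append((ts, port))
        while (ts - events[0][0]).total_seconds() > window_seconds:  # expire old events
            events.popleft()
        if action == "ALLOW":
            allowed[src].add(port)
        distinct = {p for _, p in events}
        if len(distinct) >= min_ports:
            hits.setdefault(src, set()).update(distinct)
    return {src: {"ports": sorted(ports), "allowed": sorted(allowed[src] & ports)}
            for src, ports in hits.items()}
```

Run against a live log tail, the same function gives the on-site staff the real-time view the message describes: which remote address is scanning, and which ports it reached.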
---------------------------------------------
Date: Wed, 25 Feb 1998 20:59:41 -0800
From: Stuart Sabel <stuarts@princeton-systems.com>
Subject: Re: RedTeam Mailing List 980224

One more item that I have provided in the past is:

	Provide recommendations for correcting shortcomings that were found.

Best Regards,
Stuart Sabel
Princeton Systems, Inc.
stuarts@princeton-systems.com
---------------------------------------------
