[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Sun Sep 8 07:42:43 UTC 2013


Pete,

On Fri, Sep 6, 2013 at 12:31 AM, Pete Herzog <lists at isecom.org> wrote:
> This isn't a court so stop. Your evidence is not something I can
> confirm nor cross-examine. And you don't attack the Medical School if
> a doctor is reportedly performing malpractice. Whatever your grievance
> with Pure Hacking it's not the fault of us or the OSSTMM but how they
> did their business in a particular instance. PH hasn't been an ISECOM
> partner for many years so again, not sure why you're coming at us.
> What I can do is take your complaint and address PH with it. That's
> what we do when a group claims to use the OSSTMM a particular way and
> another party thinks it's not true. And I'll do that. Thanks for your
> note and next time don't wait almost 4 years to let us know of an
> alleged incident so we can address it in a timely manner.

In reference to the breach being "almost 4 years" ago:
- The most recent breach is dated May 2013 i.e.
http://www.smh.com.au/it-pro/security-it/oops-google-search-reveals-private-telstra-customer-data-20130516-2jnmw.html.
- Pure Hacking were teaching ISECOM courseware over five years (in
2006) before the initial breach in December 2011 i.e.
http://www.zdnet.com/accredited-open-source-anti-hacking-course-launches-1139263109/

I can confirm that Pure Hacking requested the modification of the news
article published by Fairfax.  You can also observe a similar
behaviour when Ty Miller refused to be quoted again within
http://www.zdnet.com/thomsons-phone-clone-claims-uncertain-1339338352/
when his initial quote by SMH was challenged.

This is not hearsay based on these quotes (as of Friday 6 September
2013 after 5:15PM AEST):
1. http://www.purehacking.com/about-us/our-team - "Staff members are
regular contributors the Open Source Security Testing Methodology
Manual (OSSTMM), certified Trainers of Penetration Testing
Professionals of OSSTMM,"
2. http://www.purehacking.com/news/afd-technical-details - a number of
quotes about "OSSTMM's requirement for detecting active filtering such
as IDP or IPS".
3. https://www.purehacking.com/news/active-filter-detection - "As an
OSSTMM auditor Pure Hacking"

Your analogy hasn't considered that Ty (and Pure Hacking) are listed
by ISECOM as a contributor to the OSSTMM and are therefore held to a
higher standard in their implementation of the OSSTMM.

Ty Miller left Pure Hacking in May 2013 according to
http://au.linkedin.com/pub/ty-miller/16/a45/963 so I am not sure how
you concluded that PH are not at least a "recent" partner of ISECOM.
I believe Ty Miller is aware of this thread based on his recent
recorded visit to http://www.linkedin.com/in/ChristianHeinrich

The easiest course of action would be for ISECOM to issue a press
release clarifying Pure Hacking's partnership with ISECOM and OSSTMM
rather than approaching Telstra and/or Pure Hacking to release the
related artifacts.

If what ISECOM allege about Pure Hacking's partnership is true then
this won't be the first time that Pure Hacking have been found
guilty of brand abuse i.e.
http://lists.owasp.org/pipermail/owasp-board/2006-November/005317.html

On Fri, Sep 6, 2013 at 12:31 AM, Pete Herzog <lists at isecom.org> wrote:
> As for your robots.txt stuff:
>
> OSSTMM 3
>
> 11.4.2
> (c) Examine target web-based application source code and scripts to
> determine the existence of additional targets in the network.
>
> 11.6.3
> (a) Test the depth of access to business or confidential information
> available on web servers without any established, required credentials.
>
>
> OSSTMM 2
>
> In the sec-testing template, there is the following:
>
> Web Page Date Last Modified
> Web Links Internal
> Web Site Searchability
> Web Links External
>
>
> So while we don't call it what you call it, we do expect it to be
> reviewed along with other important information.

OSSTMM v2 was released almost a decade before December 2011 i.e.
http://www.zdnet.com/accredited-open-source-anti-hacking-course-launches-1139263109/

I'll add 11.4.2 and 11.6.3 from OSSTMM v3 as references (where
relevant) to OTG-INFO-001 or OTG-INFO-003 of the OWASP Testing Guide.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
