Here's one example (I'll post THIS one to the thread, as it's more vague, and doesn't directly name anyone.) Nearby, in the area where I live, there is a fairly new company, who promotes "KNOWING HOW A HACKER THINKS, AND WHAT THEY LOOK FOR AND USE TO GET YOU." I've seen copies of their 'pentests' from some customers, who have since called me. The reports are canned output from Nessus and MSF, but don't even go as far as showing they achieved any compromise, or any real detail, aside from the fact that Nessus SAYS there are vulnerabilities, and that MSF SAYS they can be exploited. In fact, in one such report, they show an attempt (that failed) to use MSF to exploit the weakness, and leave it at a statement of "Given time, we're certain that we could've compromised your system." (yeah..... given LOTS of time, for them to call in someone with a clue.) I'm sorry, but the point is to actually achieve the compromise, to prove the validity of the discovery. A little extra work by them, to understand the exploit and tweak it, and they could've easily made it work. But instead, they proved (to me, anyway) that they're more or less script kiddies, who memorized their way through certifications (or not even), but don't truly understand the realities and flaws they were seeing.
This is one of a handful I could give you, from personal experiences. There have been several, not only by that company, but by others I've seen. I've also seen reports and findings from other companies who've claimed to have found really serious holes, only to have to relate to my clients (whom I did NOT test, at all) that the holes were neither valid, nor exploitable, in the way that said company claimed. I went on, in one case, to show it was IMPOSSIBLE to have gotten in, via one reported finding, and the contracted pentest company later acknowledged to the customer they had doctored up things a bit, since they hadn't proven anything, otherwise. They had also been contracted for services in maintaining patching, etc., so they wanted to prove there was reason to pay them for their time and services. Needless to say, said company will NEVER be called by that particular customer, again. I give the company in my first paragraph props, at least, for leaving it at, "we didn't get it, but could've." At least they didn't outright lie...
Just goes to show, like in the thread where sil is discussing certified versus experienced, etc, that folks really need to vet out their employees, and need to research carefully on anyone they are contracting in for security work, to make sure the credentials and knowledge are accurate, and not just a ticket to open the front door and make some $$.
Last edited by hayabusa on Thu Jul 21, 2011 2:47 pm, edited 1 time in total.
~ hayabusa ~
"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
OSCE, OSCP, GPEN, C|EH