Zero for owned... Do they have a point?

Two days ago the hackers who release the Zero for owned (maga)’zine’ released the fifth version, ZFO5.
For those who do not know what I am talking about, check this link to read it.

Basically they hack some “wannabe” hackers and whitehat hackers who, according to them, are commercial fuckers who do not really help their customers in the long term. I am not going to comment on this statement, but these guys had another statement that got me thinking:

The very concept of “penetration testing” is fundamentally flawed.  The problem
with it is that the penetration tester has a limited set of targets they’re
allowed to attack, while a real attacker can attack anything in order to gain
access to the site/box.  So if a site on a shared host is being tested, just
because site1.com is “secure” that does NOT in any way mean that the server is
secure, because site2.com could easily be vulnerable to all sorts of simple
attacks.  The time constraint is another problem. A professional pentester with
a week or two to spend on a client’s network may or may not get into
everything.  A real dedicated hacker making the slog who spends a month of
eight hour days WILL get into anything they target. You’re lucky if it even
takes him that long, really.

They have a point here. In most pentest contracts (at least the ones I know of) companies will only pay for their most vulnerable or important systems to be pentested. But a blackhat could (easily) hack one of the others that have not been pentested, and then he has a totally different attack vector, one the whitehat has not been able to test because of the lack of time and/or money. Besides that, in the end everything could be hacked. The only thing that prevents many systems from being hacked is time and the fact that most systems are not worth hacking.
