[ganoushoreilly]

There are some cases of drone use in pentests that while less exciting than flying in vent pipes I still enjoyed. I had a pentest with a large cargo and shipping facility on the east coast and used off the shelf commodity equipment. We stripped hardware to the bare minimum in size to reduce weight, connected a cellular modem to a raspberry pi powered by battery and landed the drone on top of a building on the yard (that turned out to be a union break facility). The intention was to design it so that we would never recover it(granted it was authorized so we indeed recovered it). It gave us enough time to passively collect the data needed to breach the wifi in the break room / building, which in turn was hard lined into the main network.

All in I think the expenses were around $1200 total for the drone and this was like 8 years ago. Not something most would be willing to waste, but with time and effort you could make something now for probably a third the cost.

We also used a similar setup wired into a Jetski that we left attached to an adjacent dock once too. I can only imagine what others are doing ;D

[idiotsecant]

Always curious about this - I work in infrastructure that would be a major public safety issue if it was compromised, and our security seems equal parts useless and overly focused on things that don't matter. We did some pentesting at one point and when it was demonstrated that security was demonstrably trivial to breach rather than getting to work fixing things it was hushed up internally and nobody important ever saw it.

Do your customers actually pay you to break security and then act on what is found? Or are most of them paying you to demonstrate that their security is perfect and then quietly burying results if they don't go that way?

[ganoushoreilly]

It's a good question and it's one that can go either way depending on the pentesting company. In my first Security Startup I founded, we took most contracts large and small with only standard questioning. We found that while sometimes we made less upfront, the clients that were more in sync with solving a known or suspected problem and were using the pentest as part of moving forward.

There are tons of companies looking for simple check boxes, or affirmations. Tons that don't acknowledge their issues. I can say first hand that I had a project I was involved with that identified a substantial breach at a company under acquisition for an obscene amount of money. Most M&A seem to skip technical diligence beyond code review. Long story short there were actually three separate issues / actors within the network. They even had one authorized access by a competitor that a salesman had naively setup under the guise of a collaboration. They paid for the onsite investigation then realized that it was going to create a PR nightmare based on our findings. It would have been a huge exposure that would counter the obscene amount of marketing they were doing for the tech acquired. Their response was to not only ignore us (i'm assuming they eventually fixed things) but refuse to pay for the investigation performed and basically said.. we're a billion dollar company what are you going to do, sue us? We got stiffed with probably a quarter mill in work because they were right. Worst part is we called them to let them know originally because we found EXTREMELY sensitive source code and documentations of a crypto nature. Incidentally we saw some 0-days later on that leveraged undocumented functions that were curiously documented in our findings.

So yeah.. you see it all. That's why I love working with startups, make less, but they're appreciative and long term relationships are more worth it for us.