Penetration Testing mailing list archives
Re: ethics of approaching vulnerable prospective clients
From: "Gareth" <garethwj () fastmail fm>
Date: Tue, 12 Nov 2002 22:51:05 -0000
From the "other side", I work for a large financial in the UK and we do get approaches from individuals who spot (or think they spot) problems with our online banking sites. Some of these approaches are very welcome, when the message is delivered appropriately, and some are not welcome at all (i.e. when they are simultaneously posted to a newsgroup). So I guess it depends on the delivery.

Whether or not you could gain clients in this manner is a different proposition. We have never felt the wish to hire one of these individuals, regardless of the quality of information, as it would usually boil down to an oversight rather than the technical ability on offer.

I would steer very clear of approaching an existing client with a problem if the work you were doing was not scoped and agreed beforehand.

Kilauea...

----- Original Message -----
From: "Zach Forsyth" <zach.forsyth () kiandra com>
To: <pen-test () securityfocus com>
Sent: Tuesday, November 12, 2002 3:38 AM
Subject: ethics of approaching vulnerable prospective clients

Been lurking for quite some time now but thought I might pose a question to everyone on the list. I just wanted to see what everyone's opinions were on means of approaching vulnerable prospective clients. Of interest especially are clients with wireless networks.

Example 1.
I do a wardrive/walk around my city and find a whole lot of wireless networks without any WEP which are seemingly insecure, and their network is broadcasting an SSID that is set as their business name. A simple look in the phone book or on the web reveals their office location, which matches up with where I was when the network was detected. Do you think it is unethical to approach them based on those results?

Analogy to complement Example 1.
A fence builder is in my neighbourhood and notices that my front fence is falling down. He kindly drops his business card into my letterbox and writes a note saying he noticed my fence was in need of some work and subsequently wanted to offer his services to me.

Example 2.
I detect a network that appears to not have WEP enabled. Their SSID however reveals nothing about who they are but is the default Linksys/Cisco/etc. vendor's. I could connect to their WLAN and snoop around for some information that would then identify them to me and then go about contacting them. (Or just connect to their networked printer and print something scary out for them. Hehe)

Analogy to complement Example 2.
A plumber is in my neighbourhood and sees that my house is maybe a little rundown. He can't really see the plumbing pipes but decides to open the gate, walk around to the back of the house and find out what condition they are in. He then leaves a card mentioning he opened the gate and entered my property, noticed the plumbing was in need of some work and wanted to offer his services.

I don't feel that example two is acceptable, although fun. This would be classified as a break-in so to speak, and I am sure some sysadmins would then blame you for every networking and server problem encountered from that point in time to infinity.

Approaching a client directly sort of feels like a lawyer chasing an ambulance, but it may be a good way to create a whole lot of work.

I realize that wireless networks and their (in)security is a very grey legal area at the moment, and different countries will have different enforcement of laws relating to computer crime, but I am only really looking for a general consensus. This same topic covers pen testing from an external point of view, web site security, web application security etc. Just thought it applied to wireless the most.

Do you think it is bad practice to contact a vulnerable company directly?
Does anyone on the list approach companies directly in this manner?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
Current thread:
- ethics of approaching vulnerable prospective clients Zach Forsyth (Nov 12)
- Re: ethics of approaching vulnerable prospective clients Gareth (Nov 12)
- Re: ethics of approaching vulnerable prospective clients Darren Van Booven (Nov 13)
- <Possible follow-ups>
- Re: ethics of approaching vulnerable prospective clients Stephen Friedl (Nov 12)
- RE: ethics of approaching vulnerable prospective clients giraffe9 (Nov 12)