Penetration Testing mailing list archives
RE: "Free" pen-test
From: "Pete" <pen_test_list () petesmithcomputers com>
Date: Fri, 20 Jun 2003 13:27:41 +0100
J.A. Terranson wrote:
What you did was illegal, unethical, and *way* beyond acceptable practice. You're lucky he doesn't throw your a$$ in jail.
Another misunderstanding. I tried to explain the circumstances and most replies seem to reflect an understanding. The flames I've had stem from insecurity of a different sort, I fear.

Firstly, Fred's initial look was merely a port scan. In this country my understanding is that a port scan is not considered an intrusion and is therefore legal.

Secondly, we discussed a pen-test with Mr Director on the understanding that our interest was a sales meeting (to discuss a full report and/or purchase of solutions) if he had concerns.

As for mixing business interests, are you really saying that security testers should not sell security? I see your point, but in the small business community we have to be practical. How do you find your clients?

Pete
-----Original Message-----
From: [mailto:measl () mfn org]
Sent: 20 June 2003 12:35
To: pen_test_list () petesmithcomputers com
Cc: pen-test () securityfocus com
Subject: RE: "Free" pen-test
<snip>
Your preliminary "look" was done without any type of consent, and that makes it an intrusion under the laws of most countries and states. You then went to try and sell "services" after you had "scared him" with your results: this is extortion in most countries and states.

In short: you are *exactly* the kind of sleazy, half-baked and fully dishonest operation that has put the security industry in the position it is in now - having to try and explain to a [rightfully] wary public why we are not a problem of the same magnitude as the "hacker" we claim to want to protect against.

Further, there is an inherent conflict of interest between the pen-tester and the provider of services which are suggested by the testing: to truly stay on the moral high ground you should never try to mix the two (asbestos underwear in place for all you "ethical" testers who then sell the repair "services").

Call us back when you find a clue. Even a *small* clue.

--
J.A. Terranson
sysadmin () mfn org

-----Original Message-----
From: Pete [mailto:pen_test_list () petesmithcomputers com]
Sent: Thursday, 19 June 2003 19:54 PM
To: pen-test () securityfocus com
Subject: "Free" pen-test

I'm looking for a bit of advice. I was tipped off that company X had minimal security for their large bundle of IP addresses running on Micro$oft servers. I got my mate Fred (!) to have a look and he reckoned they were _very_ vulnerable. So, we went to the security director and "sold" him a free penetration test. Fred then got admin access to their web server plus bucketloads of info about their DMZ and even their 192.168.0.x network. I went back to Mr Director thinking he'd wet himself and he said "I'm not too worried about that....just carry on if you can". Well. Fred is keen to keep going. But I reckon that someone who is "not worried" that his web server could have been taken down in about 4 hours is not worth wasting time on.

Needless to say, the cunning plan was to sell him a pile of stuff once he was scared enough. My question is this: how do white-hatters usually approach these things? Grateful for any tips (and thanks for reading if you got to here)

Pete

Pete Smith
www.petesmithcomputers.com
Current thread:
- "Free" pen-test Pete (Jun 19)
- <Possible follow-ups>
- RE: "Free" pen-test Zach Forsyth (Jun 19)
- RE: "Free" pen-test J.A. Terranson (Jun 20)
- RE: "Free" pen-test Pete (Jun 20)
- RE: "Free" pen-test J.A. Terranson (Jun 20)
- Re: "Free" pen-test miguel . dilaj (Jun 20)
- RE: "Free" pen-test Pete (Jun 20)