Penetration Testing mailing list archives
Re: Pentester convicted..
From: Karyn Pichnarczyk <karyn () sandstorm net>
Date: Fri, 12 May 2006 13:55:03 -0400
Let me list some actual damage. The company now knows that someone who was not authorized, and did not have the best interests of the company in mind (or else they would have contacted the company with their findings, not the company's customers or journalists) had access to basically Anything and Everything in their computer systems. Therefore, the Actual Damage is the re-evaluation of all systems, and verification of all data on those compromised systems, to ensure that the company's data has not been twiddled with/changed/modified. What assurance does the company have that this criminal (and yes, it it criminal to break into a system without authorization) didn't fiddle with the data, perhaps even putting in code that will either cause the company to automatically send out payments to someone who doesn't deserve them, or erase records of expected payments, etc.? What if the criminal set up something on these computers to make it appear as if the company itself was performing a criminal activity, that will later cause the leaders of the company to be arrested? A defense of "I didn't do anything" does not lead much credence to a criminal's testimony. It costs lots of money to pay employees (and likely expert consultants as well) for their time to clean up and verify the systems. And what if they aren't as diligent as the original criminal thinks they should be? If something was planted by the criminal, this Criminal can now come back and once again report to the media and the company's customers that the cleanup was not done properly. Thus the company has to spend more money being diligent in their response. Money is Actual Damage, Mr. Cooper. Art Cooper wrote:
Because I BELIEVE there is a "LOT" more here than meets the eye.. I wonder if he took the evidence to the Univ. and they ignore him.. If so, then perhaps he had an axe to grind.. My point is this - what ACTUAL DAMAGE was caused? Most lawyers will tell you that you MUST prove there was malice and ACTUAL DAMAGE.
------------------------------------------------------------------------------ This List Sponsored by: CenzicConcerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------
Current thread:
- Re: Pentester convicted.., (continued)
- Re: Pentester convicted.. Thor (Hammer of God) (May 11)
- Re: Pentester convicted.. Ian Scott (May 11)
- RE: Pentester convicted.. Mike Wright (May 11)
- Re: Pentester convicted.. Davide Carnevali (May 11)
- Re: Pentester convicted.. Karyn Pichnarczyk (May 11)
- Re: Pentester convicted.. Stuart Thomas (May 11)
- Re: Pentester convicted.. Jason Mayer (May 11)
- Re: Pentester convicted.. Art Cooper (May 11)
- Re: Pentester convicted.. lee . e . rian (May 12)
- Re: Pentester convicted.. Art Cooper (May 12)
- Re: Pentester convicted.. Karyn Pichnarczyk (May 12)
- Re: Pentester convicted.. Art Cooper (May 12)
- Re: Pentester convicted.. Phoebe Tunstall (May 12)
- Re: Pentester convicted.. lee . e . rian (May 12)
- Get out of jail cards (Statement of work authorizing access, was Re: Pentester convicted..) Michael Sierchio (May 12)
- Re: Get out of jail cards (Statement of work authorizing access, was Re: Pentester convicted..) Dana (May 12)
- Re: Get out of jail cards (Statement of work authorizing access, was Re: Pentester convicted..) Jeremiah Cornelius (May 12)
- Re: Get out of jail cards (Statement of work authorizing access, was Re: Pentester convicted..) Dotzero (May 12)
- Re: Get out of jail cards (Statement of work authorizing access, was Re: Pentester convicted..) Paul Asadoorian (May 12)