Penetration Testing mailing list archives
Re: The legal / illegal line?
From: "Justin Ross" <RossJ () sddpc org>
Date: Mon, 05 Mar 2007 11:51:14 -0800
I have to side with others who recommend not approaching companies out of the blue with scan results, etc. I am not a lawyer, but as far as the legalities go, that would of course be dependent on the applicable laws of the jurisdiction in question; still, you would be in a very grey and potentially dangerous area personally and professionally.

If we are talking about port scanning, we are talking about accessing services. Even though the risk (or damage potential) of that access is mitigated to a SYN/SYN-ACK, or query/response (other flags), or perhaps even a connect() port scan, it is still utilizing and accessing resources. Any response the company may take to your port scans, such as configuring ACLs, modifying/tuning IDS/IPS in response, or human resources examining the logs for your host and access attempts (time paid / loss of revenue), among other things, would be recoverable or used to calculate fines/punishment.

In California, for example (I cut out irrelevant sections and paragraphs):

California Penal Code 502

(a) It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data. The Legislature further finds and declares that protection of the integrity of all types and forms of lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, and data.

(b) For the purposes of this section, the following terms have the following meanings:
(1) "Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.
...
(4) "Computer services" includes, but is not limited to, computer time, data processing, or storage functions, or other uses of a computer, computer system, or computer network.
...

(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:
...
(3) Knowingly and without permission uses or causes to be used computer services.
...

(d) ...
(2) Any person who violates paragraph (3) of subdivision (c) is punishable as follows:
(A) For the first violation which does not result in injury, and where the value of the computer services used does not exceed four hundred dollars ($400), by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.
(B) For any violation which results in a victim expenditure in an amount greater than five thousand dollars ($5,000) or in an injury, or if the value of the computer services used exceeds four hundred dollars ($400), or for any second or subsequent violation, by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.

The likelihood of being prosecuted for port scanning is very low; however, I think saying it is "lawful" is arguable at best, and could be very costly at worst. A better approach might be to contact companies and speak with their CTO/IT Manager and offer a free third-party port scanning service, with their written permission. It could also be a good way to talk about the differences from your competition, and other services you may offer.

Just my 0.02,
Justin Ross
CCNA, CCSE, MCSE, CISSP
On 3/5/2007 6:55:43 AM, "David Swafford" <dswafford () alterhighschool org> wrote:
Hi Barry,

Here are my suggestions regarding your message.

In terms of approaching an "insecure" organization, I would not suggest that you do this outright. Most organizations/clients that I have worked with would immediately take the offensive side if you were to approach them out of the blue regarding their network. Some feel that this is an invasion of privacy, etc. In talking with others I have heard that it is best to let them find you via word of mouth and from other clients that you have worked with; publishing research information in the community also helps spread your name.

In terms of the legal perspective (I am not an attorney, nor is this the absolute truth), in my opinion I think you cross the line from ethical hacking into black hat hacking when you start to probe a network without the appropriate contract / "get out of jail free" documentation. If you were to approach a company you have never worked for and present evidence of a port scan or even a further probe, they may take the offensive and immediately see you as the bad guy. Also keep in mind that probing a network is all that you need to have the possibility of a lawsuit against you.

I think that a client who thinks they are secure though they are not is one of the more challenging ones to work with. I would not try to convince them that their network is insecure directly, but show them commonly misunderstood insecurities from a sales pitch perspective. For example, contact a company and ask to have a meeting, come in and demonstrate that you have knowledge that can help them: show them some common items that are often forgotten from the security viewpoint and explain to them that you would be willing to help bring another perspective in to aid them in protecting their network. It also helps if you have already done similar work with other companies, as then you have some better references to provide to new clients (with the previous client's permission, of course).

Hope this insight helps. I'm interested in what others have to say as well, as I'm still relatively new to the security field, though I've done network-specific work for a few years now.

David
CEH, CCNA, SECURITY+, NETWORK+
On 3/1/2007 8:46 PM, Barry Fawthrop <barry () ttienterprises org> wrote:
Hi All,

Curious to hear other views: where does the legal and illegal line stand in doing a pen test on a third-party company? Does it start at the IP address/port scanning stage, or after, say, once access is gained?? Very vague, I know.

I'm also curious to hear from other external/3rd-party pen-test consultants how they have managed to solve the problem where they approach a client who is convinced they have security, and yet there are classic signs that they don't. You know that if you did a simple pen-test you would have the evidence to prove your point and all would be moot, but from my current point of view that would be illegal, even if no access was gained (maybe I'm wrong)??

Perhaps this is just a problem here where I am, or perhaps it exists elsewhere also?

I look forward to your input,
Barry

------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------