Penetration Testing mailing list archives
Re: The legal / illegal line?
From: Chris Travers <chris () metatrontech com>
Date: Mon, 05 Mar 2007 15:24:04 -0800
Hi;

I suppose I didn't add all the appropriate caveats I should have.

1) I have only resorted to this technique in the past when I have other customers relying on a given product and a small vendor is not taking that seriously. It needs to be a small vendor because, as you say, you need to *know* that the person who authorizes it has the power to do so. In these cases where I have done it, it has come from appropriate C-level execs. This is also important because in this case you want to *know* that the person also has the power to fix the problem. Furthermore, even full disclosure on Bugtraq in this instance had not been enough to convince the developer that there was a problem!
2) I would prefer to take the following actions (in order of preference):

a) Demonstrate the problem on systems I control. No possibility of trespassing there. This is what I did for my customers.
b) Demonstrate on non-production systems with low visibility.
c) Demonstrate on public demo systems (not preferred at all, but what I had to resort to for the vendor).
d) On production systems, you want some sort of indemnification.

3) Never forget that customers pay you to have an opinion. They are not paying you to force them to take action. So I would not alienate customers like this.
Interestingly, in the case I mentioned above, it caused a lot of political problems between the vendor and me (which is why I wouldn't do it with my customers), but he has since started to take my security reports seriously provided that they meet a certain minimal set of criteria. Since this still isn't enough, I chose to migrate my customers away from his software (he only fixes problems that can be exploited without a valid login). But it is still a start.
I would not do it where I wasn't absolutely certain that the person I was dealing with had the authority to authorize it. I would not do it for a customer (only a vendor of my customers). I would not run the exploit on a production system. And I would not do it where there was not already substantial contact between that vendor and myself.
Best Wishes,
Chris Travers

Craig Wright wrote:
A contract can be verbal. All that is required for a contract is offer, acceptance and consideration. This said, there is the issue of evidence. Martin is correct when he states "Never _ever_ engage in anything without a signed 'get out of jail letter'." You may have a contract with a verbal agreement, but you try and prove it in court. Worse, an email (though taken as a written agreement) does not give you the ability to presume authority. The system admin may not have the rights to have you do the test. At least with a Deed (a signed, sealed and delivered contract, for ease of explanation), you have something to fall on and cover your arse. If the other party had falsely attested that they could authorise you to do the scan, you have a piece of paper supporting this and you can make your own life much easier in the long run.

Regards,
Craig

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Martin Zimmermann
Sent: Tuesday, 6 March 2007 8:53 AM
To: Dotzero
Cc: pen-test () securityfocus com
Subject: Re: The legal / illegal line?

Never _ever_ engage in anything without a signed "get out of jail letter" + a quite specific agreement stating what you are authorized to do and what the potential risks are. Dotzero is very right in concluding that they are _not_ in any way a client until a signed agreement exists. I can only imagine very few (and somewhat far-fetched) situations where you "discover" a vulnerability without "crossing the line", both in relation to the law and morally. Besides, no serious client would ever hire a pen-test team that "pre-pens" them. It shows a complete lack of professionalism and often borders on blackmail in most of the cases I've come across. And it quite frankly sounds like you crossed the line!

Just my 1½ cent
Martin

Dotzero wrote:

The original question from Barry was about legal vs illegal. There is only one (IMHO) answer to that question.
It depends on jurisdiction. The laws that apply in one jurisdiction may not apply in another. I'm also concerned about Barry asking about when others "approach a client" to tell them about their insecurities following a "simple pen-test". They are NOT your client unless they have engaged you. They are a potential client. They have no relationship with you and you have not been authorized by them to do anything on their behalf. Even if you haven't done anything illegal, most companies I'm familiar with would be unlikely to hire you or your company under such circumstances. The actions you describe are indicative of a failure to recognize appropriate boundaries. A more reasonable approach (and one more likely to attract business) would be to have your sales people pitch a free security assessment. Have a standard agreement authorizing a standard but limited set of activities that you can then use to show a potential client how they might benefit from your services.

As usual, just my 2 cents.
dotzero
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------