Security Basics mailing list archives

Re: Telling prospective wi-fi customers they are open to hacking


From: Alvin Oga <alvin.sec () Virtual Linux-Sec net>
Date: Thu, 10 Mar 2005 13:53:13 -0800


hi  ya

On Thu, Mar 10, 2005 at 07:58:40PM +0000, Bennett Todd wrote:
> Approaching people and telling them they have computer security
> vulnerabilities and offering to fix them is widely taken, both by
> potential customers and the police they call, to be a style of
> extortion.

yup .. it's a big problem ... how to get folks to harden
their servers and networks and secure their corp data is 
tricky biz

until they are hacked, they usually do not spend time or sufficient
$$$ to prevent incoming attacks and therefore, prevent outgoing attacks
to other innocent 3rd parties

- you, we all, as service providers just have to wait 
  or have a good buddy at a prospective client's office

- i say never do both the audit and the repair ...

        - don't send spam that we fix security holes/exploits 
        and also nmap/nessus them without their permission

        - show and demo that they are hackable .. but do not touch
        anything, as that can backfire ..

        - if you go in for repairs/upgrades/hardening...
        get good legal liability paperwork and liability insurance 
        if you can
        ( their systems will temporarily break when you harden things )

- tons of "social engineering" and personality issues far outweigh
  the fact that they use open wireless, telnet, ftp, pop/imap, vpns from home,
  etc, etc and exploitable apps like mysql/apache/php/dns/mta, ... and no backups

        - any and all of this is fine by itself, but the problem
        is if they do not want others to be reading their emails
        and login/passwd, then they have a major problem

- i was thinking ... what if one goes, innocently, to a free hotspot
  and runs a wireless sniffer and sees what you get on screen 

        - let them come to you and ask you ... "what is all this" ??

        - the wrong answers might get you banned from that hotspot too

        hotspots can be wireless hotspots and public wireless stuff
        at hotels, airports, etc ( any place where you can use your laptop )

c ya
alvin

