Dailydave mailing list archives

Pen-Testing Disclosure was Re: Dreaming of Summer


From: dailydave () menaced net
Date: Mon, 8 Dec 2003 09:37:52 -0500

Quoting David Maynor <dave () 0dayspray com>:
On Sat, 2003-12-06 at 23:43, Sean Batt wrote:
Hello Daves et al,

I can't quite understand how a whitehat would use a 0day. Isn't a whitehat
ethically bound to fix or report vulnerabilities?
What is wrong with using code I wrote to perform my job? This would be
different if I were just out defacing random webpages, but if it's my job,
there seems to be a big difference to me.

When you contract for a pen test be sure to read all documents you sign 
carefully.  I've never agreed to a contract where the pen testing team does not 
disclose all tools used and a packet capture of all traffic for the pen test.  
Keeping a "0day" to use for pen testing seems very hokey to me.  A "whitehat" 
isn't ethically bound to fix anything.  But you usually work out an agreement 
that requires proper disclosure of all risks identified along with all tools 
utilized to identify those risks.

As I said before security is a process. As a security professional it is
my job to help protect my client against all threats, known or
otherwise. You do this by limiting exposure so if there is a 0day the
effect will be reduced. How do you test the effects a remote 0day would
have on a client unless you have them?

Fluff and buzzwords... 

To help answer Sean's questions about:

"Am I being naive thinking that ethical stance is the difference between
black and white hats? I guess I'm missing something (probably a lot) about
the utility of 0days and the practice of penetration testing and if anyone
can comment on that I'd appreciate it."

I offer this:

There's no difference between "black and white hats."  Those are just media 
words to help colorize their publications.  To perform proper penetration 
testing one does not need 0day exploits.  0day exploits come from a good R&D 
team that has time on their hands.  A pen test team should be able to come up 
with attacks on the fly based upon the environment being tested.  These could 
be called 0day, but more often than not they just wind up in the report given 
to the client at the end of an engagement.  If they have far reaching effects 
they'll go to the vendor of the application for a fix.  Either the pen test 
team/organization submits to the vendor or the company that received the pen 
test will notify the vendor.  If the pen test team/org doesn't have any 
contacts with a particular vendor they'll use the already established contacts 
that the client has made when purchasing the application/product.

My basic comment can be summed up completely with this:  Keeping a 0day exploit 
for yourself to use for pen testing is lame.  The only reason for keeping an 
attack secret would be to gather more business and make yourself look good in 
the process.  Oooh ooh, lookey lookey, I keep getting into every site I've 
been contracted to pen test that runs application code XYZ version 1.0.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave