Penetration Testing mailing list archives

Re: [PEN-TEST] Ethics Scenario


From: Spy Fox <nebula_61 () HOTMAIL COM>
Date: Mon, 2 Oct 2000 18:28:41 EDT

I recently had a souring experience related to this.  I have been tracking a
hacker (or hackers) that appear to be hijacking unprotected PCs that are
located at IT Placement firms, then using those PCs to launch further probes
and attacks targeted elsewhere.

I was able to track this intruder back to two PCs located at two different
geographically located offices for this business.  I sent a friendly email
message to the IT department, giving my full name and contact information,
along with the IP addresses and NetBIOS names of the two machines involved.
I explained my suspicions that their PCs had been hijacked and told him how
it was most likely done.

At no time did I push my services as an Information Security Consultant,
only mentioning my services at the end of the email message.  My reward was
an angry phone call from the IT Director, bluntly asking why I was probing
his networks.  When I made an effort to calmly explain the situation and
told him that I was informing him of my findings as a public service, he
immediately got defensive and again began to accuse me of illicit probes of
his network.  I again explained that I was only following the trail left by
someone attempting to penetrate my network and in doing so, found his PCs
unprotected and wide open via their DSL connections. Finally, when he
accused me of trying to use extortion to get his business, I interrupted him
and told him I had to thank him.  When he asked what for, I replied, "It is
IT managers like you that keep me in business" and I ended the phone
conversation.

My inclination now is to never try to do "the right thing" by telling
someone of a blatant security hole.  I will simply continue to rely on
referrals and standard marketing efforts.  Yet on the other hand, I have
reported this situation to two other IT Placement firms that I believe this
hacker is hijacking, and they were both very gracious and appreciative of
the information.  I should point out that none of these "good deeds" has yet
to develop into any additional business for me.

Regards -

Todd Eastman
Spy Fox


The question is this:
Do we tell the website company who we are and that we have discovered a
vulnerability and then offer to provide them assistance with the
vulnerability (for pay of course).  i.e. offering them a full pen-test or
an IDS or something...?


Or does this tend to fall into the "chasing ambulances" type of business
marketing strategy?

