Penetration Testing mailing list archives
Re: [PEN-TEST] Ethics Scenario
From: Spy Fox <nebula_61 () HOTMAIL COM>
Date: Mon, 2 Oct 2000 18:28:41 EDT
I recently had a souring experience related to this. I have been tracking a hacker (or hackers) that appear to be hijacking unprotected PCs that are located at IT Placement firms, then using those PCs to launch further probes and attacks targeted elsewhere. I was able to track this intruder back to two PCs located at two different geographically located offices for this business.

I sent a friendly email message to the IT department, giving my full name and contact information, along with the IP addresses and NetBIOS names of the two machines involved. I explained my suspicions that their PCs had been hijacked and told him how it was most likely done. At no time did I push my services as an Information Security Consultant, only mentioning my services at the end of the email message.

My reward was an angry phone call from the IT Director, bluntly asking why I was probing his networks. When I made an effort to calmly explain the situation and told him that I was informing him of my findings as a public service, he immediately got defensive and again began to accuse me of illicit probes of his network. I again explained that I was only following the trail left by someone attempting to penetrate my network and, in doing so, found his PCs unprotected and wide open via their DSL connections. Finally, when he accused me of trying to use extortion to get his business, I interrupted him and told him I had to thank him. When he asked what for, I replied, "It is IT managers like you that keep me in business," and I ended the phone conversation.

My inclination now is to never try to do "the right thing" by telling someone of a blatant security hole. I will simply continue to rely on referrals and standard marketing efforts. Yet on the other hand, I have reported this situation to two other IT Placement firms that I believe this hacker is hijacking, and they were both very gracious and appreciative of the information.
I should point out that none of these "good deeds" has yet developed into any additional business for me.

Regards,
Todd Eastman
Spy Fox
The question is this: Do we tell the website company who we are and that we have discovered a vulnerability, and then offer to provide them assistance with the vulnerability (for pay, of course), i.e., offering them a full pen-test or an IDS or something...? Or does this tend to fall into the "chasing ambulances" type of business marketing strategy?