Re: [PEN-TEST] How to deal with others' security ?

[Domenico De Vitto <dom () DEVITTO DEMON CO UK>]

Yea, the biggest companies tend to be sloppy, so to keep the waters clear
usually have a clause to keep you out, and insist you have no right to
see/know the exact configs.  It's a dirty trick and one best delt with by
just plain terminating the contract.

After all, would you trust a security company that told you that you'll
be sue'd if you check they're locking the doors!

Dom

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Meritt, Jim
Sent: 24 August 2000 18:03
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] How to deal with others' security ?


If the systems are outsources, the company they are outsourced to may
legally go after you for conducting your tests on THEIR systems (it is their
hardware, wiring,...) through THEIR routers (tough to get to the client's
system without doing that) and there may be a network-wide IDS that your
specific client knows nothing about.

Better get the OK from ALL parties before proceeding!

Been there, done that.

V/R

Jim

_______________________
The opinions expressed above are my own.  The facts simply are and belong to
none.
James W. Meritt, CISSP, CISA
Senior Secure Systems Engineer at Wang Government Services, Inc.


> -----Original Message-----
> From: Ejovi Nuwere [mailto:ejovi () EJOVI NET]
> Sent: Wednesday, August 23, 2000 11:08 AM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: How to deal with others' security ?
>
>
> This should be addressed in the contract before the
> pen-test/audit begins.
> Usually you are given specific IP segments to audit. Anything
> outside of
> those networks are considered off limits, this includes ISP/ASP sites
> which the targets DNS may be pointing.
>
> Also, you will find that sometimes you are given the task to
> audit only
> one department within a corporation. Which limits you to a specific
> segment. We all make mistakes, but dont concern yourself with anything
> outside of your audit task. It can result in legal problems.
>
> If you think it may be worth looking at, mention it before hand.
> Otherwise, there isn't much you can do.
>
> e.
>
> On Tue, 22 Aug 2000, Nicolas Gregoire wrote:
>
> > Hi,
> >
> > please excuse my (very) poor english.
> >
> > My question is simple :
> > - you have to do a penetration test on a web server.
> > - you discover that there are virtual hosts on the same box
> than the web
> > site you have to check.
> >
> > first question :
> > do you know how to learn which virtual hosts are hosted on
> this machine
> > ? (reverse dns lookups, etc )
> > [I think it's very important to know that because the
> others web site
> > can have exploitable cgi, resulting in the ability to root
> the box and
> > deface all the virtual hosts]
> >
> > second question :
> > how to deal with others' virtual hosts security [ie. they
> have poor cgi]
> > ?
> > how obtain authorization to scan these virtual hosts ?
> >
> >
> > thanks in advance
> >
> > Nicob
> > nicob () 7thzone com