Penetration Testing mailing list archives

Re: How much do you disclose to customers?


From: goat <goat () severus org>
Date: Fri, 19 Dec 2003 13:42:50 -0500

I personally can't remember any situations where I have not given the client my IPs.  Even if the CEO/CTO/C*O of the 
company is requesting a 'black' penetration test I still give them my IPs or give them to the designated "trusted 
agent" on their tech team.  Since they're usually paying through the nose for my services, I rely on them to maintain 
the integrity of the test.

I have done announced tests on "uncooperative" sites where rogue techs working for the client did in fact block my IPs 
on certain subnets.  Unfortunately, it's nearly impossible to detect this type of block unless you're actively looking 
for it.  This is one of the primary reasons that I avoid doing penetration testing as a stand-alone activity.  A phased 
assessment that maybe starts as a 'black' test and then moves to a full inspection with access to FW rules, router 
configs and ACLs, etc, etc will uncover any admin buggery.

As for your second question:  Yes.  Without question.  How much time/money does it take to set up an old box with 
tcpdump?  How much time/money would it cost to defend yourself from an accusation with no evidence of your activities?  
Do the math and the answer becomes obvious very quickly.  In my company we've gone so far as to have a completely 
different group maintain an OpenBSD bridge that logs all of the traffic in and out of our test lab.

-- 
goat () severus org
"Rock over London, Rock on Chicago..."
