RE: "Free" pen-test

["Pete" <pen_test_list () petesmithcomputers com>]

J.A. Terranson wrote:
> What you did was illegal, unethical, and *way* beyond 
> acceptable practice.  You're lucky he doesn't throw your a$$ in jail.

Another misunderstanding. I tried to explain the circumstances and most
replies seem to reflect an understanding. The flames I've had stem from
insecurity of a different sort, I fear.

Firstly, Fred's initial look was merely a port scan. In this country my
understanding is that a port scan is not considered an intrusion and is
therefore legal.

Secondly, we discussed a pen-test with Mr Director on the understanding
that our interest was a sales meeting (to discuss a full report and/or
purchase of solutions) if he had concerns.

As for mixing business interests, are you really saying that security
testers should not sell security? I see your point, but in the small
business community we have to be practical. 

How do you find your clients?

Pete


> -----Original Message-----
> From:  [mailto:measl () mfn org] 
> Sent: 20 June 2003 12:35
> To: pen_test_list () petesmithcomputers com
> Cc: pen-test () securityfocus com
> Subject: RE: "Free" pen-test
<snip>

> Your preliminary "look" was done without any type of consent, 
> and that makes it an intrusion under the laws of most 
> countries and states.  You then went to try and sell 
> "services" bafter you had "scared him" with your
> results: this is extortion in most countries and states.
>
> In short: you are *exactly* the kind of sleazy half-baked and 
> fully dishonest operations that has put the security industry 
> in the position it is in now - having to try and explain to a 
> [rightfully] wary public why we are not a problem of the same 
> magnitude as the "hacker" we claim to want to protect against.
>
> Further, there is an inherent conflict of interest between 
> the pen-tester and the provider of services which are 
> suggested by the testing: to truly stay on the moral high 
> ground you should never try to mix the two (asbestos 
> underwear in place for all you "ethical" testers who then 
> sell the repair "services").
>
> Call us back when you find a clue.  Even a *small* clue.
>
> --
> J.A. Terranson
> sysadmin () mfn org
>
>
> > -----Original Message-----
> > From: Pete [mailto:pen_test_list () petesmithcomputers com]
> > Sent: Thursday, 19 June 2003 19:54 PM
> > To: pen-test () securityfocus com
> > Subject: "Free" pen-test
> >
> >
> > I'm looking for a bit of advice. I was tipped off that 
> company X had 
> > minimal security for their large bundle of IP addresses running on 
> > Micro$oft servers. I got my mate Fred (!) to have a look and he 
> > reckoned they were _very_ vulnerable. So, we went to the security 
> > director and "sold" him a free penetration test. Fred then 
> got admin 
> > access to their web server plus bucketloads of info about their DMZ 
> > and even their 192.168.0.x network. I went back to Mr Director 
> > thinking he'd wet himself and he said "I'm not too worried about 
> > that....just carry on if you can".
> >
> > Well. Fred is keen to keep going. But I reckon that someone who is 
> > "not worried" that his web server could have been taken 
> down in about 
> > 4 hours is not worth wasting time on. Needless to say, the cunning 
> > plan was to sell him a pile of stuff once he was scared enough.
> >
> > My question is this: how do white-hatters usually approach these 
> > things?
> >
> > Grateful for any tips (and thanks for reading if you got to here)
> >
> > Pete
> >
> > Pete Smith
> > www.petesmithcomputers.com
> ----------------------------------------------------------------------
> > -----
> > Latest attack techniques.
> >
> > You're a pen tester, but is google.com still your R&D team? Now you 
> > can get
> > trustworthy commercial-grade exploits and the latest 
> techniques from a 
> > world-class research group.
> >
> > Visit us at: www.coresecurity.com/promos/sf_ept1
> > or call 617-399-6980
> --------------------------------------------------------------
> --------------
> >


---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get 
trustworthy commercial-grade exploits and the latest techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980
----------------------------------------------------------------------------