Penetration Testing mailing list archives
RE: Pre-Scanning for Marketing : Analogy Day
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Thu, 12 Jan 2006 06:21:51 -0500
That's not really the same thing - with wireless insecurity, I can be sitting in the parking lot of a neighboring business and see the unencrypted data. In the instances where I have reported to a business that it looked like they might have an insecure wireless installation, it was completely passive, unlike picking a lock. Picking the lock is what I was asking permission to test for them... actually, there wasn't even a lock (WEP) in most cases.

-----Original Message-----
From: Wolf, Glenn [mailto:glenn.wolf () we-inc com]
Sent: Wednesday, January 11, 2006 4:59 PM
To: pen-test () securityfocus com
Subject: RE: Pre-Scanning for Marketing : Analogy Day

Bob,

Let's put this another way. Would you really appreciate it if someone came to your neighborhood and picked the lock of your front door, to tell you that your lock had a significant vulnerability? Probably not.

What if someone offered to demonstrate that your roof could catch fire with simple matches you can get at any store or bar, or that people could be electrocuted if they unscrewed the wall plates from the electrical outlets with simple screwdrivers you can buy anywhere? Isn't your car vulnerable to being broken into with a simple rock, which I've heard are usually found lying around pretty much anywhere?

Of course, the analogies can be taken to absurd extremes. It's not an issue of demonstrating vulnerabilities people "need" to know about. It's about respecting other people's property, systems, and networks. You will only get business by having (and demonstrating) the utmost standards for respect for your clients and potential clients.

Good luck,
Glenn Wolf, CISSP

-----Original Message-----
From: Password Crackers, Inc. [mailto:pwcrack () pwcrack com]
Sent: Tuesday, January 10, 2006 4:43 PM
To: pen-test () securityfocus com
Subject: RE: Pre-Scanning for Marketing

Please allow me to clarify that I have NOT done anything like this, I am not advocating it and have no plans to do so.

I am aware that many prospects would potentially view this negatively. I mentioned in my original post that I understood this. Doing so could permanently impact someone's reputation. So, let's all understand that we are speaking about a hypothetical. I was interested to know if anyone had done so previously and what the reaction was.

Clearly, it appears that other than a few free offers (I've made two of these in the past -- both with no response), this type of approach seems to be so negatively viewed that nobody would even attempt it.

However, doesn't anyone else view this as something of a dilemma? As a group we are incapacitated from offering services to those who may need them (unless we do so inefficiently) even though certainly vulnerabilities are easily and efficiently identified. Unfortunately, the best analogy I can come up with is ambulance-chasing lawyers -- who seem to be hated, so we probably don't want to follow their lead professionally.

Has anyone effectively resolved this dilemma in their practice? Possibly that is how I should have phrased the original post.

Bob Weiss
Password Crackers, Inc.

-----Original Message-----
From: Clement Dupuis [mailto:cdupuis () cccure org]
Sent: Tuesday, January 10, 2006 8:19 PM
To: 'Password Crackers, Inc.'
Subject: RE: Pre-Scanning for Marketing

I would definitively say: DON'T

What right do you have to test my environment without me asking? What differentiates you from any other cracker out there? You are just another one of them as far as I am concerned.

Would you get any business this way? Probably some, but very little and not from the client you really wish to build a long-term relationship with.

Think of the negative publicity and the fact that someone will take you to court for attempting to intrude on their communication means.

Overall I would definitively NOT do it

Clement

-----Original Message-----
From: Password Crackers, Inc. [mailto:pwcrack () pwcrack com]
Sent: Tuesday, January 10, 2006 10:11 AM
To: pen-test () securityfocus com
Subject: Pre-Scanning for Marketing

I am interested if anyone on the list has ever tested or implemented a marketing program that involved pre-scanning (wired or wireless) a prospect and then sending a letter or email describing potential vulnerabilities and offering assistance in closing these vulnerabilities.

I have never done this because of the anticipated negative reaction, but I am curious as to what the outcome was if anyone else has done it. Single instances would be interesting, but I am more curious if anyone has implemented this in a more broad-based way and has positive and/or negative response rate statistics.

Bob Weiss
Password Crackers, Inc.