Penetration Testing mailing list archives

RE: Pre-Scanning for Marketing


From: "Ken Kousky" <kkousky () ip3inc com>
Date: Mon, 16 Jan 2006 12:22:17 -0500

I don't recall the company's name but there is folklore about a company in
San Diego that did this on a military site and ended up with criminal
charges filed against them. 

It's hard to imagine you can make a credible case for how serious the
vulnerabilities might be without crossing the line and actually being
invasive.

I, for one, wouldn't want a client that was impressed by this kind of
marketing.

KWK

-----Original Message-----
From: Kurt Seifried [mailto:bt () seifried org] 
Sent: Saturday, January 14, 2006 1:57 AM
To: Nathan Einwechter; 'Password Crackers, Inc.'; pen-test () securityfocus com
Subject: Re: Pre-Scanning for Marketing

I am interested if anyone on the list has ever tested or implemented a
marketing program that involved pre-scanning (wired or wireless) a prospect
and then sending a letter or email describing potential vulnerabilities and
offering assistance in closing these vulnerabilities.  I have never done
this because of the anticipated negative reaction, but I am curious as to
what the outcome was if anyone else has done it.  Single instances would be
interesting, but I am more curious if anyone has implemented this in a more
broad-based way and has positive and/or negative response rate statistics.

Bob Weiss
Password Crackers, Inc.

I believe there is a term for this form of "marketing".. what's the term... 
Oh yes:

"Protection racket"

A protection racket is an extortion scheme whereby a powerful organization 
coerces individuals or businesses to pay "protection money" which allegedly 
serves to purchase the powerful organization's protection services against 
various external threats, whereas the actual threat comes from the powerful 
organization itself. Those who do not buy into the protection plan are 
targeted by the powerful organization and are harassed to try to force 
payment of the protection money.

Honestly if someone sent me such a letter my first reaction would be to call 
corporate counsel which would probably be followed by a call to law 
enforcement.

-Kurt 



