Penetration Testing mailing list archives
RE: Informing Companies about security vulnerabilities...
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Thu, 5 Oct 2006 14:20:49 -0500
On ethical grounds re: extortion, I completely agree with you. However, we still have no recourse to a solution. Playing nice doesn't work. What do we do about this? What have other industries done? Regulation? Class-action lawsuits American style? Crusaders and public voices? More mailing-list pontification? Take this web stuff, right now, probably not a lot of impact in terms of costing human lives. As one who's suffered hours dealing with identity-theft due to a site compromise, there is definitely impact, but not enough yet that most folks care. Do we have to wait until these things start costing human life to matter? Is that the pattern of most industries? -ae
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Craig Wright
Sent: Wednesday, October 04, 2006 9:53 PM
To: pand0ra; pen-test () securityfocus com
Subject: RE: Informing Companies about security vulnerabilities...

Legally this is bad - it is extortion. Either release or not, but do not hold it over them. Taking the law into your own hands is not a good idea.

Craig

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of pand0ra
Sent: Thursday, 5 October 2006 9:31 AM
To: pen-test () securityfocus com
Subject: Re: Informing Companies about security vulnerabilities...

"You can try to set them an ultimatum pretending to disclose the holes to the public. Perhaps they are more willing to react if they are forced to do so."

Ethically, that is bad. You should never force (or threaten) anyone into doing something they don't want to. I agree completely with Jay and Dan.

Joseph,

1. Never test a system unless you have written authorization (also known as the "get out of jail free" card). Period.

2. I know it is your responsibility to teach your students how to identify an attack, but you also have to show them what is ethical as well. Teaching them to attack another company's web application without permission is promoting behavior that could land your students in jail. What happens after the student is arrested when they tell the media that they learned how to do what they did in your class?

3. It's good that you notified the newspaper of the problem, but you should not have been there in the first place. The suggestion for using hackme bank is perfect and won't land you in prison/jail/fines.

On 10/4/06, Andreas Putzo <putzoa () gmx de> wrote:
> On Oct 04, Joseph McCray wrote:
> > Usually when we do this we only find a few simple things (XSS for example) - no big deal right.
> >
> > With this particular website we just kept finding another, after another and on and on. Over 600 instances of XSS, over 200 SQL Injection - this was bad. After a while it started to get boring, there were so many....
> >
> > So I drafted a letter to the editor as well as several other prominent people at the newspaper. It detailed my findings and recommended some possible mitigation strategies. After emailing this I didn't hear anything for a few days, so I emailed it again and followed up with a phone call. After getting no response to the second email and then having been bounced around from department to department when I called, I just said forget it.
>
> You can try to set them an ultimatum pretending to disclose the holes to the public. Perhaps they are more willing to react if they are forced to do so.
>
> Depending on the information you can get through the website (customer data anywhere?) and the laws in your country (IANAL, btw.) you may go to the intrigued publicity, indeed. They gotta have to do something if someone defaced their website actually.
>
> --
> regards,
> Andreas Putzo