RE: Informing Companies about security vulnerabilities...

["Craig Wright" <cwright () bdosyd com au>]

To argue the quote " I have every right to do exactly as I have done "

Actually you are exceeding implied rights. This makes the action a
trespass. I can go into the case law in detail if requested.

The issue is not that this is a crime, this will vary on jurisdiction
and it shall be one in the US if there is a resultant damage over a set
amount. This is still not legal however.

There is a lot of mis-information about what is illegal and what is
criminal. They are not the same thing. Although it may (in some
jurisdictions and with some results) not be criminal, it is illegal.

How is it illegal you ask? It is a trespass. Trespass is a Civil action.
That is it is not a criminal offence in itself. The company could take
action for a violation of their rights.

A tort is a civil wrong (for want of about 800 pages of basic
explanations). Committing a tort is illegal and thus accessing the site
in an unauthorised manner is illegal. You have exceeded the implied
license and thus the tort is completed. Suing for $20 for instance for
an illegal access is not likely, but than it is still not legal.

This is a result of the nature of the implied action. You have an
implied license to undertake certain functions on the site. This is the
limit.

As for criminal... there are a number of US and UK cases dealing with
SQL injections and "testing". Even on the getting away with it basis,
take for instance Stephan Puffer. He was acquitted of fraud on appeal -
but this did not make the actions legal. Rather it means that the was a
civil violation and that at best he could be sued by the county court.
On the other hand, he did not win indemnity costs and the case still
left him in debited.

In this case the unauthorised access to a wireless network was
considered unauthorised access - and the access was a demonstration to a
journalist that it was possible.

Sorry to be pernickety but the issue is not "But, whether something is
legal or not" as this is clearly an illegal action. It is if it is
criminal or not. I would not recommend either course of action.

Regards,
Craig


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Thor (Hammer of God)
Sent: Thursday, 5 October 2006 7:58 AM
To: PenTest
Subject: Re: Informing Companies about security vulnerabilities...


On 10/4/06 12:39 PM, "jay.tomas () infosecguru com"
<jay.tomas () infosecguru com>
spoketh to all:

> One of the first things that you should teach in your class is Ethical
and
> Permission Granted
> Assessments of Public Web sites. You had no right to assess their
site, which
> is why you probably
> got a less than a warm reception.
>
> Companies contract and pay for assessment services. A good practice is
not to
> interact with some
> party that has chosen to run a few tools and typing in ' or 1=1-- in
all the
> available input
> fields.

This really comes down to a matter of opinion, and one of law.  Many
times
over the last several years I've "publicly" illustrated potential
vulnerabilities at security conferences and during trainings.

According to my attorney, who is a very respected subject matter expert
on
Internet and security law, I have every right to do exactly as I have
done.
Publishing a public site explicitly grants me rights to access the site.
Going to the "search" page and entering in ' or 1=1-- is, according to
my
attorney, perfectly legal. They host the site publicly, and are *asking
me*
to enter something in search textbox. (note US law).

Now, going beyond that--executing code and acquiring internal data from
the
back-end servers of the site, well, that's illegal (or can be).  The
"how
much is too much" question will ultimately be decided by a judge or
jury,
but it does make for interesting dialog.

Personally, I have no problem at all in typing in your standard "test"
for
injection.... But I wouldn't do something like collect data and then use
that as an example of vulnerability to provide to the company-- that's
just
asking for it.  A warning based on cursory input, sure-- a proof of
concept
with you name on it, no way.

I've notified countless companies of potential problems with web-apps,
and I
can only think of a couple of times that someone actually got back to me
with a "thanks for that."  I think I got one "I'm going to sue" message
that
I just ignored- nothing ever came of it.

So, is it legal to type ' or 1=1-- ?  According to legal experts, yes.
Is
it ethical?  I say "sure." Is it ethical to drop a database?  No.  But,
whether something is legal or not really doesn't have anything to do
with
someone trying to sue you for it. So these days, when I come across
something bad enough, the "do-gooder" in me makes me want to at least
notify
them - which I do via anonymous email.  Unfortunately, I never know if
they
got it or not, but at least I tried.  Statistics tell me that no one
will
bother doing anything about it, and CYA now dictates I do it that way,
legal
or not.

t




------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00000008bOW
------------------------------------------------------------------------


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------