Penetration Testing mailing list archives
RE: Informing Companies about security vulnerabilities...
From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 6 Oct 2006 12:30:44 +1000
To argue the quote "I have every right to do exactly as I have done": actually, you are exceeding implied rights. This makes the action a trespass. I can go into the case law in detail if requested.

The issue is not that this is a crime; this will vary by jurisdiction, and it shall be one in the US if there is resultant damage over a set amount. This is still not legal, however. There is a lot of misinformation about what is illegal and what is criminal. They are not the same thing. Although it may (in some jurisdictions and with some results) not be criminal, it is illegal.

How is it illegal, you ask? It is a trespass. Trespass is a civil action; that is, it is not a criminal offence in itself. The company could take action for a violation of their rights. A tort is a civil wrong (for want of about 800 pages of basic explanations). Committing a tort is illegal, and thus accessing the site in an unauthorised manner is illegal. You have exceeded the implied license and thus the tort is completed. Suing for $20, for instance, for an illegal access is not likely, but then it is still not legal. This is a result of the nature of the implied action. You have an implied license to undertake certain functions on the site. This is the limit.

As for criminal... there are a number of US and UK cases dealing with SQL injections and "testing". Even on the getting-away-with-it basis, take for instance Stefan Puffer. He was acquitted of fraud on appeal, but this did not make the actions legal. Rather, it means that there was a civil violation and that at best he could be sued by the county court. On the other hand, he did not win indemnity costs, and the case still left him in debt. In this case the unauthorised access to a wireless network was considered unauthorised access, and the access was a demonstration to a journalist that it was possible.

Sorry to be pernickety, but the issue is not "But, whether something is legal or not", as this is clearly an illegal action. It is whether it is criminal or not. I would not recommend either course of action.

Regards,
Craig

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Thor (Hammer of God)
Sent: Thursday, 5 October 2006 7:58 AM
To: PenTest
Subject: Re: Informing Companies about security vulnerabilities...

On 10/4/06 12:39 PM, "jay.tomas () infosecguru com" <jay.tomas () infosecguru com> spoketh to all:
> One of the first things that you should teach in your class is Ethical and Permission Granted Assessments of Public Web sites. You had no right to assess their site, which is why you probably got a less than warm reception. Companies contract and pay for assessment services. A good practice is not to interact with some party that has chosen to run a few tools and type in ' or 1=1-- in all the available input fields.
This really comes down to a matter of opinion, and one of law. Many times over the last several years I've "publicly" illustrated potential vulnerabilities at security conferences and during trainings. According to my attorney, who is a very respected subject matter expert on Internet and security law, I have every right to do exactly as I have done. Publishing a public site explicitly grants me rights to access the site. Going to the "search" page and entering in ' or 1=1-- is, according to my attorney, perfectly legal. They host the site publicly, and are *asking me* to enter something in the search textbox. (Note: US law.)

Now, going beyond that -- executing code and acquiring internal data from the back-end servers of the site -- well, that's illegal (or can be). The "how much is too much" question will ultimately be decided by a judge or jury, but it does make for interesting dialog.

Personally, I have no problem at all in typing in your standard "test" for injection.... But I wouldn't do something like collect data and then use that as an example of vulnerability to provide to the company -- that's just asking for it. A warning based on cursory input, sure -- a proof of concept with your name on it, no way.

I've notified countless companies of potential problems with web-apps, and I can only think of a couple of times that someone actually got back to me with a "thanks for that." I think I got one "I'm going to sue" message that I just ignored -- nothing ever came of it.

So, is it legal to type ' or 1=1-- ? According to legal experts, yes. Is it ethical? I say "sure." Is it ethical to drop a database? No. But, whether something is legal or not really doesn't have anything to do with someone trying to sue you for it. So these days, when I come across something bad enough, the "do-gooder" in me makes me want to at least notify them, which I do via anonymous email. Unfortunately, I never know if they got it or not, but at least I tried.
Statistics tell me that no one will bother doing anything about it, and CYA now dictates I do it that way, legal or not.

t