Penetration Testing mailing list archives
Re: The legal / illegal line?
From: "David Swafford" <dswafford () alterhighschool org>
Date: Mon, 05 Mar 2007 09:55:43 -0500
Hi Barry,

Here are my suggestions regarding your message.

In terms of approaching an "insecure" organization, I would not suggest that you do this outright. Most organizations/clients that I have worked with would immediately take the offensive side if you were to approach them out of the blue regarding their network. Some feel that this is an invasion of privacy, etc. In talking with others I have heard that it is best to let them find you via word of mouth and from other clients that you have worked with; also, publishing research information in the community helps spread your name as well.

In terms of the legal perspective (I am not an attorney nor is this the absolute truth), in my opinion I think you cross the line of doing ethical hacking and into black hat hacking when you start to probe a network without the appropriate contract / "get out of jail free" documentation. If you were to approach a company whom you never worked for and present evidence of a port scan or even a further probe, they may take the offensive and immediately see you as the bad guy. Also keep in mind that probing a network is all that you need to have the possibility of a lawsuit against you.

I think that a client who thinks they are secure though they are not is one of the more challenging ones to work with. I would not try to convince them that their network is insecure directly, but show them commonly misunderstood insecurities from a sales pitch perspective. For example, contact a company and ask to have a meeting and come in and demonstrate that you have knowledge that can help them--show them some common items that are often forgotten in terms of the security viewpoint and explain to them that you would be willing to help bring another perspective in to aid them in protecting their network. It also helps if you have already done similar work with other companies, as then you have some better references to provide to new clients (with the previous client's permission of course).

Hope this insight helps. I'm interested in what others have to say as well, as I'm still relatively new to the security field though I've done network specific work for a few years now.

David.
CEH, CCNA, SECURITY+, NETWORK+

Barry Fawthrop <barry () ttienterprises org> 3/1/2007 8:46 pm >>>
Hi All

Curious to hear other views: where does the legal and illegal line stand in doing a pen test on a third party company? Does it start at the IP Address/Port Scanning Stage or after, say, once access is gained?? Very vague, I know.

I'm also curious to hear from other external/3rd party pen-test consultants, how they have managed to solve the problem where they approach a client who is convinced they have security, and yet there are classic signs that they don't? You know that if you did a simple pen-test you would have the evidence to prove your point; all would be moot. But from my current point that would be illegal, even if no access was gained. (maybe I'm wrong) ??

Perhaps this is just a problem here where I am or perhaps it exists elsewhere also?

I look forward to your input

Barry

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------