Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: The legal / illegal line?

From: Chris Travers <chris () metatrontech com>
Date: Mon, 05 Mar 2007 11:49:37 -0800
Craig Wright wrote:

Do you have an explicit agreement with the third party?

If the answer is No, than all access is prohibited.
Agreed. But those who unintentionally hide their heads in the sand often will give you permission if asked. My approach is: 

1)  "I am concerned about...."
2) When told that it is under control, I will usually challenge them. Get them a little defensive. "How sure are you? Is it really worth your risk? 3) I will usually then ask via email "so if you are sure this isn't a problem, would it be OK with you if I take a look and check it out? I am pretty sure I can x, y, and z."
Then when I get the go-head, they can't say I didn't have permission. I asked and got it. I just don't go outside of doing what I said I would.
I used this technique once to show a web-based software developer that I could break into all servers with his software installed. He didn't believe me, so I goaded him into giving me permission. I didn't do anything outside the scope of the permission, but I did demo the problem to him and he did fix it as a result... 

Best Wishes,
Chris Travers


There is no license (implied or otherwise) to pen test a site unless it
is explicitly granted. There are civil penalties at the least.

You are more likely asking if the action is criminal in nature or not
and this will vary on the act and juristiction. Without express
permission for the owner/possessor of the property, it is illegal.
Criminal and Illegal are not the same thing. All criminal activity is
illegal, though some illegal actions are not criminal.

Regards,
Craig

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Barry Fawthrop
Sent: Friday, 2 March 2007 12:47 PM
To: pen-test () securityfocus com
Subject: The legal / illegal line?

Hi All

Curious to hear other views, where does the legal and illegal line stand
in doing a pen test on a third party company?
Does it start at the IP Address/Port Scanning Stage or after say once
access is gained?? very vague I know


I'm also curious to hear from other external/3rd party pen-test
consultants, how they have managed to solve the problem
Where they approach a client who is convinced they have security, and
yet there is classic signs that they don't?
You know that if you did a simple pen-test you would have the evidence
to prove your point all would be mute

But from my current point that would be illegal, even if no access was
gained. (maybe I'm wrong) ??

Perhaps this is just a problem here where I am or perhaps it exists
elsewhere also?

I look forward to your input

Barry


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00000008bOW
------------------------------------------------------------------------


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 
Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

Attachment: chris.vcf
Description: 

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: