hi ya
On Thu, Mar 10, 2005 at 07:58:40PM +0000, Bennett Todd wrote:
> Approaching people and telling them they have computer security
> vulnerabilities and offering to fix them is widely taken, both by
> potential customers and the police they call, to be a style of
> extortion.
yup .. it's a big problem ... how to get folks to harden
their servers and networks and secure their corp data is
tricky biz
until they are hacked, they usually do not spend time or sufficient
$$$ to prevent incoming attacks and therefore, prevent outgoing attacks
to other innocent 3rd parties
- you, we all, as service providers just have to wait
or have a good buddy at a prospective client's office
- i say never do both the audit and the repair ...
- don't send spam that we fix security holes/exploits
and also nmap/nessus them without their permissions
- show and demo that they are hackable .. but do not touch
anything, as that can backfire ..
- if you go in for repairs/upgrades/hardening...
get a good legal liability paperwork and liability insurance
if you can
( their systems will temporarily break when you harden things )
- tons of "social engineering" and personalities issues far outweigh
the fact that they use open wireless, telnet, ftp, pop/imap, vpns from home,
etc, etc and exploitable apps like mysql/apache/php/dns/mta, ... and no backups
- any and all of this is fine by itself, but the problem
is if they do not want others to be reading their emails
and login/passwd, then they have a major problem
- i was thinking ... what if one goes, innocently to a free hotspot
and runs a wireless sniffer and sees what you get on screen
- let them come to you and ask you ... "what is all this" ??
- the wrong answers might get you banned from that hotspot too
hotspots can be wireless hotspots and public wireless stuff
at hotels, airports, etc ( any place where you can use your laptop )
c ya
alvin
Received on Mar 11 2005