Security Basics
mailing list archives
Re: Telling prospective wi-fi customers they are open to hacking
From: Alvin Oga <alvin.sec () Virtual Linux-Sec net>
Date: Thu, 10 Mar 2005 13:53:13 -0800
hi ya
On Thu, Mar 10, 2005 at 07:58:40PM +0000, Bennett Todd wrote:
> Approaching people and telling them they have computer security
> vulnerabilities and offering to fix them is widely taken, both by
> potential customers and the police they call, to be a style of
> extortion.
yup .. it's a big problem ... how to get folks to harden
their servers and networks and secure their corp data is
tricky biz
until they are hacked, they usually do not spend time or sufficient
$$$ to prevent incoming attacks and therefore, prevent outgoing attacks
to other innocent 3rd parties
- you, we all, as service providers just have to wait
or have a good buddy at a prospective client's office
- i say never do both the audit and the repair ...
- don't send spam that we fix security holes/exploits
and also nmap/nessus them without their permission
- show and demo that they are hackable .. but do not touch
anything, as that can backfire ..
- if you go in for repairs/upgrades/hardening...
get good legal liability paperwork and liability insurance
if you can
( their systems will temporarily break when you harden things )
- tons of "social engineering" and personality issues far outweigh
the fact that they use open wireless, telnet, ftp, pop/imap, vpns from home,
etc, etc and exploitable apps like mysql/apache/php/dns/mta, ... and no backups
- any and all of this is fine by itself, but the problem
is if they do not want others to be reading their emails
and login/passwd, then they have a major problem
- i was thinking ... what if one goes, innocently to a free hotspot
and run a wireless sniffer and see what you get on screen
- let them come to you and ask you ... "what is all this" ??
- the wrong answers might get you banned from that hotspot too
hotspots can be wireless hotspots and public wireless stuff
at hotels, airports, etc ( any place where you can use your laptop )
c ya
alvin