Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: "Free" pen-test
From: "Pete" <pen_test_list () petesmithcomputers com>
Date: Fri, 20 Jun 2003 13:27:41 +0100

J.A. Terranson wrote:

What you did was illegal, unethical, and *way* beyond 
acceptable practice.  You're lucky he doesn't throw your a$$ in jail.


Another misunderstanding. I tried to explain the circumstances and most
replies seem to reflect an understanding. The flames I've had stem from
insecurity of a different sort, I fear.

Firstly, Fred's initial look was merely a port scan. In this country my
understanding is that a port scan is not considered an intrusion and is
therefore legal.

Secondly, we discussed a pen-test with Mr Director on the understanding
that our interest was a sales meeting (to discuss a full report and/or
purchase of solutions) if he had concerns.

As for mixing business interests, are you really saying that security
testers should not sell security? I see your point, but in the small
business community we have to be practical. 

How do you find your clients?

Pete


-----Original Message-----
From:  [mailto:measl () mfn org] 
Sent: 20 June 2003 12:35
To: pen_test_list () petesmithcomputers com
Cc: pen-test () securityfocus com
Subject: RE: "Free" pen-test


<snip>

Your preliminary "look" was done without any type of consent, 
and that makes it an intrusion under the laws of most 
countries and states.  You then went to try and sell 
"services" bafter you had "scared him" with your
results: this is extortion in most countries and states.

In short: you are *exactly* the kind of sleazy half-baked and 
fully dishonest operations that has put the security industry 
in the position it is in now - having to try and explain to a 
[rightfully] wary public why we are not a problem of the same 
magnitude as the "hacker" we claim to want to protect against.

Further, there is an inherent conflict of interest between 
the pen-tester and the provider of services which are 
suggested by the testing: to truly stay on the moral high 
ground you should never try to mix the two (asbestos 
underwear in place for all you "ethical" testers who then 
sell the repair "services").

Call us back when you find a clue.  Even a *small* clue.

--
J.A. Terranson
sysadmin () mfn org


-----Original Message-----
From: Pete [mailto:pen_test_list () petesmithcomputers com]
Sent: Thursday, 19 June 2003 19:54 PM
To: pen-test () securityfocus com
Subject: "Free" pen-test


I'm looking for a bit of advice. I was tipped off that 
company X had 
minimal security for their large bundle of IP addresses running on 
Micro$oft servers. I got my mate Fred (!) to have a look and he 
reckoned they were _very_ vulnerable. So, we went to the security 
director and "sold" him a free penetration test. Fred then 
got admin 
access to their web server plus bucketloads of info about their DMZ 
and even their 192.168.0.x network. I went back to Mr Director 
thinking he'd wet himself and he said "I'm not too worried about 
that....just carry on if you can".

Well. Fred is keen to keep going. But I reckon that someone who is 
"not worried" that his web server could have been taken 
down in about 
4 hours is not worth wasting time on. Needless to say, the cunning 
plan was to sell him a pile of stuff once he was scared enough.

My question is this: how do white-hatters usually approach these 
things?

Grateful for any tips (and thanks for reading if you got to here)

Pete

Pete Smith
www.petesmithcomputers.com




----------------------------------------------------------------------
-----
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you 
can get
trustworthy commercial-grade exploits and the latest 
techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1
or call 617-399-6980

--------------------------------------------------------------
--------------









---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get 
trustworthy commercial-grade exploits and the latest techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault