Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: The legal / illegal line?
From: "Security Guy" <security () sligoinc com>
Date: Mon, 5 Mar 2007 13:51:38 -0500

Ultimately, if they're not willing to do anything about it, that's
their decision (and responsibility for the consequences).

However, you could research various public sources of bad information:
http://www.mynetwatchman.com/ (firewall log aggregator service) has a
place where you can check IPs for reported bad activity. ORDB's, and
spam lists also come to mind--they tend to be indications of
bot-infected hosts.

Send them a report where their IPs are listed among those sites. In
that case you're not doing anything active against them, just finding
public information that's been collected about their outbound
activities.

-Karl

On 3/5/07, Barry Fawthrop <barry () ttienterprises org> wrote:
Thanks All

I agree totally, that it is a line that should be kept away from
But then how do you "prove" to someone that their system isn't as secure
as they "feel"/assume it is?
I have run into many companies where you can see the security is not
what it should be.
Yet you ask the IT director and they are so convinced they have perfect
security and even report that to their
bosses. Yet the signs are clear they don't?

How do you convince them, when they won't give permission because isn't
warning them removing them from
Due Diligence to Due Negligence?

Thanks again
Barry

Barry Fawthrop wrote:
> Hi All
>
> Curious to hear other views, where does the legal and illegal line stand
> in doing a pen test on a third party company?
> Does it start at the IP Address/Port Scanning Stage or after say once
> access is gained?? very vague I know
>
>
> I'm also curious to hear from other external/3rd party pen-test
> consultants, how they have managed to solve the problem
> Where they approach a client who is convinced they have security, and
> yet there is classic signs that they don't?
> You know that if you did a simple pen-test you would have the evidence
> to prove your point all would be mute
>
> But from my current point that would be illegal, even if no access was
> gained. (maybe I'm wrong) ??
>
> Perhaps this is just a problem here where I am or perhaps it exists
> elsewhere also?
>
> I look forward to your input
>
> Barry
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
>
>

--

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault