Penetration Testing mailing list archives

Re: PT Report delivery (caveats)


From: Tim <tim-pentest () sentinelchicken org>
Date: Fri, 3 Mar 2006 15:02:34 -0500


> It's sent in soft-copy, PDF format, PGP encrypted with my private key,
> my public key is of course provided to them.

Ah, this highlights the concern some people probably have with sending
electronic copies.

Surely you meant "encrypted with their public key, and of course they
have their own private key".  What you stated would only amount to a
signature, which is of course important, but doesn't provide any secrecy
at all.  I'll assume you just had a brain-fart on how public key crypto
works.

Personally, I think sending encrypted electronic copies is OK, so long
as you properly authenticate the keys beforehand, both parties
understand public key crypto and know how to use the tools properly, and
you have no reason to believe their systems are currently compromised.

If I were doing a forensics investigation and didn't trust all
employees/systems within a company, I'd think twice about sending
the report via email.

tim
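The confusion Tim is pointing at is easiest to see with the raw primitive. The block below is an added example, not part of Tim's post or anything on the list: textbook RSA over Python's standard library, with toy key sizes, no padding and no hashing, written only to show that applying your own private key to a report yields something anyone holding your public key reads back out (a signature), while secrecy comes from applying the recipient's public key. The fingerprint check in deliver_report stands in for the "authenticate the keys beforehand" step: the expected fingerprint is assumed to have been confirmed with the client out of band. Key sizes, the sample report text and the function names are all constructed for illustration; a real report goes through GnuPG or similar, never code like this.

```python
# Added example: textbook RSA, for illustration only. NOT for real use.
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return (public, private); each key is an (exponent, modulus) pair."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)  # pow(e, -1, m) needs Python 3.8+


def fingerprint(public_key) -> str:
    """Hash of the public key; the value both parties compare out of band."""
    e, n = public_key
    return hashlib.sha256(f"{e}:{n}".encode()).hexdigest()[:40]


def apply_key(value: int, key) -> int:
    exponent, modulus = key
    return pow(value, exponent, modulus)


def to_int(msg: bytes, modulus: int) -> int:
    m = int.from_bytes(msg, "big")
    if m >= modulus:
        raise ValueError("message too long for this toy modulus")
    return m


def to_bytes(value: int) -> bytes:
    # Leading zero bytes are lost here; fine for the printable sample text.
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def encrypt_to(msg: bytes, recipient_public) -> int:
    """Secrecy: only the holder of the matching private key inverts this."""
    return apply_key(to_int(msg, recipient_public[1]), recipient_public)


def decrypt(ciphertext: int, private) -> bytes:
    return to_bytes(apply_key(ciphertext, private))


def sign(msg: bytes, sender_private) -> int:
    """'Encrypting with my private key' is exactly this operation."""
    return apply_key(to_int(msg, sender_private[1]), sender_private)


def recover_signed(signature: int, sender_public) -> bytes:
    """Anyone who has the sender's public key gets the message back."""
    return to_bytes(apply_key(signature, sender_public))


def deliver_report(report: bytes, tester_private, client_public, confirmed_fpr: str):
    """Encrypt to the client and sign, but only after the client's key
    fingerprint matches the one confirmed with them out of band."""
    if fingerprint(client_public) != confirmed_fpr:
        raise ValueError("client key fingerprint does not match the confirmed value")
    return encrypt_to(report, client_public), sign(report, tester_private)
```

Running sign() and then recover_signed() with the public key is the scenario the original poster described: the report comes straight back out, which is why it provides integrity and origin but no confidentiality. Only encrypt_to() with the client's key, after the fingerprint comparison, keeps the findings away from anyone else on the path.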
