ethics of approaching vulnerable prospective clients

From: Zach Forsyth (zach.forsyth@kiandra.com)
Date: Mon Nov 11 2002 - 22:38:08 EST


Been lurking for quite some time now but thought I might pose a question
to everyone on the list.

I just wanted to see what everyone's opinions were on means of
approaching vulnerable prospective clients.

Of interest especially are clients with wireless networks.

Example 1. I do a wardrive/walk around my city and find a whole lot of
wireless networks without any wep which are seemingly insecure, and
their network is broadcasting an ssid that is set as their business
name.
A simple look in the phone book or on the web reveals their office
location, which matches up with where I was when the network was
detected.
Do you think it is unethical to approach them based on those results?

Analogy to compiment example 1.
A fence builder is in my neighbourhood and notices that my front fence
is falling down. Her kindly drops his business card into my letterbox
and writes a not saying he noticed my fence was in need of some work and
subsequently wanted to offer his services to me.

Example 2. I detect a network that appears to not have wep enabled.
Their ssid however reveals nothing about who they are but is the default
linksys/cisco/etc vendors. I could connect to their wlan and snoop
around for some information that would then identify them to me and then
go about contacting them. (Or just connect to their networked printer
and print something scary out for them. Hehe)

Anology to compliment Example 2.
A plumber is in my neighbourhood and sees that my house is maybe a
little rundown. He can't really see the plumbing pipes but decides to
open the gate walk around the to back of the house and find out what
condition they are in. He then leaves a card mentioning he opened the
gate and entered my property noticed the plumbing was in need of some
work and wanted to offer his services.

I don't feel that example two is acceptable, although fun.
This would be classified as a break in so to speak, and I am sure some
sys admins would then blame you for every networking and server problem
encountered from that point in time to infinity.

Approaching a client directly sort of feels like a lawyer chasing an
ambulance, but it may be a good way to create a whole lot of work.

I realize that wireless networks and their (in)security is a very grey
legal area at the moment, and different countries will have different
enforcement of laws relating to computer crime but I am only really
looking for a general consensus.

This same topic covers pen testing from an external point of view, we
site security, web application security etc. Just thought it applied to
wireless the most .

Do you think it is bad practice to contact a vulnerable company
directly?
Does anyone on the list approach companies directly in this manner?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:25 EDT