Re: The legal / illegal line?

From: Security Guy (security@sligoinc.com)
Date: Mon Mar 05 2007 - 13:51:38 EST


Ultimately, if they're not willing to do anything about it, that's
their decision (and responsibility for the consequences).

However, you could research various public sources of bad information:
http://www.mynetwatchman.com/ (firewall log aggregator service) has a
place where you can check IPs for reported bad activity. ORDBs and
spam lists also come to mind; they tend to be indications of
bot-infected hosts.

Send them a report where their IPs are listed among those sites. In
that case you're not doing anything active against them, just finding
public information that's been collected about their outbound
activities.

-Karl

On 3/5/07, Barry Fawthrop <barry@ttienterprises.org> wrote:
> Thanks All
>
> I agree totally, that it is a line that should be kept away from
> But then how do you "prove" to someone that their system isn't as secure
> as they "feel"/assume it is?
> I have run into many companies where you can see the security is not
> what it should be.
> Yet you ask the IT director and they are so convinced they have perfect
> security, and even report that to their bosses. Yet the signs are clear
> that they don't?
>
> How do you convince them, when they won't give permission? Doesn't
> warning them move them from due diligence to due negligence?
>
> Thanks again
> Barry
>
> Barry Fawthrop wrote:
> > Hi All
> >
> > Curious to hear other views, where does the legal and illegal line stand
> > in doing a pen test on a third party company?
> > Does it start at the IP address/port scanning stage, or after, say, once
> > access is gained? Very vague, I know.
> >
> >
> > I'm also curious to hear from other external/3rd party pen-test
> > consultants, how they have managed to solve the problem
> > where they approach a client who is convinced they have security, and
> > yet there are classic signs that they don't?
> > You know that if you did a simple pen-test you would have the evidence
> > to prove your point, and all would be moot.
> >
> > But from my current point that would be illegal, even if no access was
> > gained. (maybe I'm wrong) ??
> >
> > Perhaps this is just a problem here where I am or perhaps it exists
> > elsewhere also?
> >
> > I look forward to your input
> >
> > Barry
> >
> >
> > ------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> >
> > http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> > ------------------------------------------------------------------------
> >
> >
> >
>
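The passive check Karl suggests (look the organisation's IPs up in public blocklists rather than touching their network) is mechanical enough to script. The following is an added example, not code from the thread or from any of the services named in it: it builds the reversed-octet DNSBL query name, decodes the 127.0.0.x answer, refuses to report a "listing" when the zone is actually rejecting the query, and sanity-checks the zone with the 127.0.0.1 / 127.0.0.2 convention (a retired list that says "listed" to everything fails that check and is dropped rather than trusted). The zone name zen.spamhaus.org and its return-code table are my choice, taken from Spamhaus's published documentation, not from the post; the 203.0.113.x addresses and their answers are constructed so the script runs offline. Pass a real resolver (the default uses the socket library) to run it live.

```python
"""Passive IP reputation check against a DNS blocklist (DNSBL).

Added example, not code from the original thread. Nothing touches the
target network: the only traffic is DNS queries to the blocklist zone.
`resolve` is injectable so the module runs offline with canned answers.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]  # name -> A records ([] = NXDOMAIN)

# Spamhaus ZEN return codes, per Spamhaus's published documentation.
# Other zones use their own tables; pass one via `codes`.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL (verified spam source)",
    "127.0.0.3": "SBL CSS (snowshoe spam)",
    "127.0.0.4": "XBL (exploited host / bot)",
    "127.0.0.5": "XBL (exploited host / bot)",
    "127.0.0.6": "XBL (exploited host / bot)",
    "127.0.0.7": "XBL (exploited host / bot)",
    "127.0.0.10": "PBL (dynamic/end-user range)",
    "127.0.0.11": "PBL (dynamic/end-user range)",
}

# Answers that mean "your query was refused", not "this IP is listed".
ZONE_ERRORS: Dict[str, str] = {
    "127.255.255.252": "typo in zone name",
    "127.255.255.254": "query sent through an open/public resolver",
    "127.255.255.255": "query volume limit exceeded",
}

# Ranges a DNSBL cannot say anything about; looking them up is noise.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    if any(addr in net for net in PRIVATE_NETS):
        raise ValueError(f"{ip} is a private address; a DNSBL cannot rate it")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def default_resolve(name: str) -> List[str]:
    """Live resolver: A records for `name`, or [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def lookup(ip: str, zone: str, resolve: Resolver = default_resolve,
           codes: Dict[str, str] = ZEN_CODES) -> dict:
    """Return {"ip", "listed", "reasons"}; raise if the zone refused the query."""
    answers = resolve(dnsbl_name(ip, zone))
    refused = [ZONE_ERRORS[a] for a in answers if a in ZONE_ERRORS]
    if refused:
        raise RuntimeError(f"{zone} refused the query: {', '.join(refused)}")
    reasons = sorted(codes.get(a, f"unknown code {a}") for a in answers)
    return {"ip": ip, "listed": bool(answers), "reasons": reasons}


def zone_is_sane(zone: str, resolve: Resolver = default_resolve) -> bool:
    """DNSBL convention: 127.0.0.2 is always listed, 127.0.0.1 never is.
    A retired zone that answers 'listed' for everything fails this check."""
    return (bool(resolve(dnsbl_name("127.0.0.2", zone)))
            and not resolve(dnsbl_name("127.0.0.1", zone)))


def report(ips: List[str], zone: str, resolve: Resolver = default_resolve) -> List[dict]:
    """Listed entries only: the evidence for the write-up, gathered passively."""
    if not zone_is_sane(zone, resolve):
        raise RuntimeError(f"{zone} fails the 127.0.0.1/127.0.0.2 sanity check; do not trust it")
    return [r for r in (lookup(ip, zone, resolve) for ip in ips) if r["listed"]]


# Constructed answers so the example runs offline (TEST-NET-3 addresses, made up).
ZONE = "zen.spamhaus.org"  # assumption: any DNSBL zone works the same way
CANNED: Dict[str, List[str]] = {
    dnsbl_name("127.0.0.2", ZONE): ["127.0.0.2"],                   # convention: always listed
    dnsbl_name("127.0.0.1", ZONE): [],                              # convention: never listed
    dnsbl_name("203.0.113.45", ZONE): ["127.0.0.4", "127.0.0.10"],  # bot + dynamic range
    dnsbl_name("203.0.113.1", ZONE): [],                            # clean
    dnsbl_name("203.0.113.99", ZONE): ["127.255.255.254"],          # refused: open resolver
}


def canned_resolve(name: str) -> List[str]:
    return CANNED.get(name, [])


def dead_zone_resolve(name: str) -> List[str]:
    """Models a retired list that answers 'listed' to every query."""
    return ["127.0.0.2"]


if __name__ == "__main__":
    for row in report(["203.0.113.45", "203.0.113.1"], ZONE, canned_resolve):
        print(row["ip"], "->", "; ".join(row["reasons"]))
```

Two things to keep in mind when running this live: most DNSBL operators refuse queries relayed through large public resolvers (hence the 127.255.255.254 handling), so run it from a resolver you control; and a listing is evidence about past outbound behaviour of that address, which is exactly the kind of "public information about their outbound activities" Karl describes, not proof of a specific vulnerability.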


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:38 EDT