RE: "Free" pen-test

From: Pete (pen_test_list@petesmithcomputers.com)
Date: Fri Jun 20 2003 - 08:27:41 EDT


J.A. Terranson wrote:
>
> What you did was illegal, unethical, and *way* beyond
> acceptable practice. You're lucky he doesn't throw your a$$ in jail.
>

Another misunderstanding. I tried to explain the circumstances and most
replies seem to reflect an understanding. The flames I've had stem from
insecurity of a different sort, I fear.

Firstly, Fred's initial look was merely a port scan. In this country my
understanding is that a port scan is not considered an intrusion and is
therefore legal.

Secondly, we discussed a pen-test with Mr Director on the understanding
that our interest was a sales meeting (to discuss a full report and/or
purchase of solutions) if he had concerns.

As for mixing business interests, are you really saying that security
testers should not sell security? I see your point, but in the small
business community we have to be practical.

How do you find your clients?

Pete

> -----Original Message-----
> From: [mailto:measl@mfn.org]
> Sent: 20 June 2003 12:35
> To: pen_test_list@petesmithcomputers.com
> Cc: pen-test@securityfocus.com
> Subject: RE: "Free" pen-test
>
>
<snip>

> Your preliminary "look" was done without any type of consent,
> and that makes it an intrusion under the laws of most
> countries and states. You then went to try and sell
> "services" after you had "scared him" with your
> results: this is extortion in most countries and states.
>
> In short: you are *exactly* the kind of sleazy half-baked and
> fully dishonest operations that has put the security industry
> in the position it is in now - having to try and explain to a
> [rightfully] wary public why we are not a problem of the same
> magnitude as the "hacker" we claim to want to protect against.
>
> Further, there is an inherent conflict of interest between
> the pen-tester and the provider of services which are
> suggested by the testing: to truly stay on the moral high
> ground you should never try to mix the two (asbestos
> underwear in place for all you "ethical" testers who then
> sell the repair "services").
>
> Call us back when you find a clue. Even a *small* clue.
>
> --
> J.A. Terranson
> sysadmin@mfn.org
>
>
> > -----Original Message-----
> > From: Pete [mailto:pen_test_list@petesmithcomputers.com]
> > Sent: Thursday, 19 June 2003 19:54 PM
> > To: pen-test@securityfocus.com
> > Subject: "Free" pen-test
> >
> >
> > I'm looking for a bit of advice. I was tipped off that company X had
> > minimal security for their large bundle of IP addresses running on
> > Micro$oft servers. I got my mate Fred (!) to have a look and he
> > reckoned they were _very_ vulnerable. So, we went to the security
> > director and "sold" him a free penetration test. Fred then got admin
> > access to their web server plus bucketloads of info about their DMZ
> > and even their 192.168.0.x network. I went back to Mr Director
> > thinking he'd wet himself and he said "I'm not too worried about
> > that....just carry on if you can".
> >
> > Well. Fred is keen to keep going. But I reckon that someone who is
> > "not worried" that his web server could have been taken down in about
> > 4 hours is not worth wasting time on. Needless to say, the cunning
> > plan was to sell him a pile of stuff once he was scared enough.
> >
> > My question is this: how do white-hatters usually approach these
> > things?
> >
> > Grateful for any tips (and thanks for reading if you got to here)
> >
> > Pete
> >
> > Pete Smith
> > www.petesmithcomputers.com

---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get
trustworthy commercial-grade exploits and the latest techniques from a
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1
or call 617-399-6980
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT