RE: Pre-Scanning for Marketing

From: Rapaille Maxime (Max.Rapaille@nbb.be)
Date: Thu Jan 12 2006 - 03:23:41 EST


Hi,

While I can agree on some points, I think that offering your services to
the installer won't help.
I did it sometimes with companies I had good contact with. I told their
installer there were some security issues, and offered to help them
secure it. They politely refused and never corrected anything. Moreover,
they discredited us to their customer.
The fact is that a non-security-aware installer will react in 2 possible
ways:
- Who are those guys trying to tell me my job? They are paranoid... No
need for security.
- Hey, those guys will tell my customer I'm incompetent, and try to steal
my business. Go out!

And perhaps the customer will also think some of these options or get
convinced/confused by the installer defending his bread.

The best way is sometimes to offer your services, and wait/hope they
will awake some day, or perhaps too late, when they get attacked...

Cheers

Maxime

-----Original Message-----
From: Ron Yount [mailto:rony@co.island.wa.us]
Sent: Thursday, January 12, 2006 0:48
To: Rapaille Maxime; Password Crackers, Inc.; pen-test@securityfocus.com
Subject: RE: Pre-Scanning for Marketing

The controlling interest of the network has to have an inclination to
secure and maintain their network. Institutions which are concerned
with the integrity of their information, computers and networks do
perform audits and make efforts to secure and maintain them. Other
institutions only care that the computers and network "work". They have
no inclination to maintain the networks beyond a basic connection.
The only way to change this is through the management of an institution
realizing what their computers, networks and information are worth.
Pre-scanning is seen as cold calling by some and outright
criminal activity by others. The networks are still vulnerable
nonetheless. I think it is a bad situation for both the potential client and
the security professional.
A better way may be to find out who installed the network and offer
your services to the installer.

Ron

-----Original Message-----
From: Rapaille Maxime [mailto:Max.Rapaille@nbb.be]
Sent: Tuesday, January 10, 2006 11:56 PM
To: Password Crackers, Inc.; pen-test@securityfocus.com
Subject: RE: Pre-Scanning for Marketing

Hi,

During some site surveys or wireless audits, I have found some companies
(other than the current customer) having badly protected WiFi networks.
And a lot of non-protected ones, advertising the name of the company
or the university as SSID.
I have found myself in the same dilemma: contact them or not?
I tried once, and got a 'very' negative reaction. Never did it again.
But yes, it's very frustrating to see all those companies need our
services, and you can't help.
Perhaps, for example, if it's very critical for your country (some gov
institution or the like) you could try to contact a kind of computer
crime unit (like we have in Belgium) and explain the situation to them.
If they understand what you are speaking about they would probably
react, but they won't be able to give your company's name as a
reference.
Frustrating dilemma...

Regards

Max

-----Original Message-----
From: Password Crackers, Inc. [mailto:pwcrack@pwcrack.com]
Sent: Wednesday, January 11, 2006 3:43
To: pen-test@securityfocus.com
Subject: RE: Pre-Scanning for Marketing

Please allow me to clarify that I have NOT done anything like this, I am
not advocating it and have no plans to do so. I am aware that many
prospects would potentially view this negatively. I mentioned in my
original post that I understood this. Doing so could permanently impact
someone's reputation. So, let's all understand that we are speaking
about a hypothetical. I was interested to know if anyone had done so
previously and what the reaction was. Clearly, it appears that other
than a few free offers (I've made two of these in the past -- both with
no response), this type of approach seems to be so negatively viewed
that nobody would even attempt it.

However, doesn't anyone else view this as something of a dilemma? As a
group we are incapacitated from offering services to those who may need
them (unless we do so inefficiently) even though certainly
vulnerabilities are easily and efficiently identified. Unfortunately,
the best analogy I can come up with is ambulance chasing lawyers -- who
seem to be hated, so we probably don't want to follow their lead
professionally. Has anyone effectively resolved this dilemma in their
practice? Possibly that is how I should have phrased the original post.

Bob Weiss
Password Crackers, Inc.

-----Original Message-----
From: Clement Dupuis [mailto:cdupuis@cccure.org]
Sent: Tuesday, January 10, 2006 8:19 PM
To: 'Password Crackers, Inc.'
Subject: RE: Pre-Scanning for Marketing

I would definitively say: DON'T

What right do you have to test my environment without me asking? What
differentiates you from any other cracker out there? You are just
another one of them as far as I am concerned.

Would you get any business this way? Probably some but very little and
not from the clients you really wish to build a long term relationship
with.
Think of the negative publicity and the fact that someone will take you
to court for attempting to intrude on their communication means.

Overall I would definitively NOT do it.

Clement

-----Original Message-----
From: Password Crackers, Inc. [mailto:pwcrack@pwcrack.com]
Sent: Tuesday, January 10, 2006 10:11 AM
To: pen-test@securityfocus.com
Subject: Pre-Scanning for Marketing

I am interested if anyone on the list has ever tested or implemented a
marketing program that involved pre-scanning (wired or wireless) a
prospect and then sending a letter or email describing potential
vulnerabilities and offering assistance in closing these
vulnerabilities. I have never done this because of the anticipated
negative reaction, but I am curious as to what the outcome was if anyone
else has done it. Single instances would be interesting, but I am more
curious if anyone has implemented this in a more broad-based way and has
positive and/or negative response rate statistics.

Bob Weiss
Password Crackers, Inc.

------------------------------------------------------------------------

----
--
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts,
forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are
futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
----
---
-----------------------------------------
Visit our website! http://www.nbb.be
"DISCLAIMER: The content of this e-mail message should not be construed
as binding on the part of the National Bank of Belgium (NBB) unless
otherwise and previously stated. The opinions expressed in this message
are solely those of the author and do not necessarily reflect NBB
viewpoints, particularly when the content of this message, or part
thereof, is private by nature or does not fall within the professional
scope of its author."


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:21 EDT