Re: [Full-disclosure] Wi-fi. Approaching customers

From: Matthew Sabin (matthew_at_sabin.com)
Date: 03/15/05

  • Next message: Richard Farina: "Re: [Full-disclosure] Wi-fi. Approaching customers"
    To: "Wade Woolwine" <wade@sivodd.com>, Gregh <chows@ozemail.com.au>
    Date: Tue, 15 Mar 2005 16:07:00 -0500
    
    

    I'm not sure I can help you on the contacting process, but question your assumptions.

    My company has made a conscious decision to leave our WiFi open to visitors, while our internal machines connect via IPSec on the open airwaves.
    A drive-by would show the open nature of our WiFi, but wouldn't immediately tell you that we've secured our business fairly well.

    --Matthew Sabin

    ----- Original Message -----
    From: "Wade Woolwine" <wade@sivodd.com>
    To: Gregh <chows@ozemail.com.au>
    Subject: Re: [Full-disclosure] Wi-fi. Approaching customers
    Date: Tue, 15 Mar 2005 15:55:22 -0500 (EST)

    >
    > Gregh,
    > IMO, you're covered legally. I know it sounds fishy to approach a
    > potential client already knowing they're insecure...but don't all of us do
    > that on a regular basis? I mean I will hit google with a vengeance before I
    > go into the kick-off meeting...I want to know what I'm up against.
    > I would respectfully request some time from a technical manager to present
    > your findings (show a kismet/netstumbler scan) and explain the dangers
    > (not the solutions of course). Hopefully, this will rattle the manager
    > enough to get the word up to upper management, and if you've left some
    > marketing material for them to look at, they can contact you for your
    > services.
    >
    > Good luck!
    > Wade
    >
    > > I have asked this on another list and there has been discussion but
    > > nothing that really seems like an answer so I am asking for help in here.
    > >
    > >
    > > I did a war drive (and in MY terms that means just driving along
    > > gathering SSID data showing open and closed and nothing else BUT that)
    > > and found one HELL of a lot more wi-fi in my area than I had previously
    > > been aware existed. Most of the SSIDs broadcasted didn't openly identify
    > > the company involved though most of them were open. The idea in doing
    > > this was that I could note an area where wi-fi is and approach the
    > > company (or individual) and offer my services to LEGALLY lock their open
    > > wi-fi down. I realise that with open wi-fi, I could be doing anything I
    > > wanted to or with their systems but that isn't the point. I work in the
    > > area doing I.T. related work and so far have a very good reputation for
    > > an inexpensive service and I am self employed so doing the wrong thing
    > > would quickly kill all that.
    > >
    > > My question is, then, how to approach someone to legally get work from
    > > them fixing their badly installed wi-fi and ensuring it is all locked
    > > down. If I turn up saying "Your wireless networking is open to hacking
    > > and I can fix it" that sounds somewhat suspicious to me if you look at it
    > > from the point of view of a user who knows nothing much about it all. Eg,
    > > I am telling them something they don't want to hear, for a start and then
    > > telling them that if they pay me, they can have it fixed on the spot. I
    > > already know how strange it can sound. I happened to pick up the SSID
    > > ToysRus which was open and realising they would have their own company
    > > employed I.T. people, I just rang them to do them a favour and wasn't I
    > > met with suspicion? Yep! All I did was say "You know you have wireless
    > > networking?" and they answered "yes...." and I added "It's open and
    > > unsecured. You better fix it before someone else finds it" and then got
    > > asked 100 questions including "How do YOU know?" blah blah by someone you
    > > would think KNOWS the game.
    > >
    > > How do YOU approach prospective new customers to tell them their wi-fi is
    > > unsecured and needs attention and that you can fix it for a fee?
    > >
    > > Any help appreciated.
    > >
    > >
    > > Greg.
    > > _______________________________________________
    > > Full-Disclosure - We believe in it.
    > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > > Hosted and sponsored by Secunia - http://www.secunia.com/
    > >
    > >
    >
    >
    > "The reason why you have people breaking into your software is because
    > your software sucks."
    >

