Re: ethics of approaching vulnerable prospective clients

From: Gareth (garethwj@fastmail.fm)
Date: 11/12/02


From: "Gareth" <garethwj@fastmail.fm>
To: "Zach Forsyth" <zach.forsyth@kiandra.com>, <pen-test@securityfocus.com>
Date: Tue, 12 Nov 2002 22:51:05 -0000

From the "other side", I work for a large financial in the UK and we do get
approaches from individuals who spot (or think they spot) problems with our
online banking sites.
Some of these approaches are very welcome, when the message is delivered
appropriately, and some are not welcome at all (i.e. when they are
simultaneously posted to a newsgroup).
So I guess it depends on the delivery. Whether or not you could gain clients
in this manner is a different proposition. We have never felt the wish to
hire one of these individuals, regardless of the quality of information, as
it would usually boil down to an oversight rather than the technical ability
on offer.
I would steer very clear of approaching an existing client with a problem if
the work you were doing was not scoped and agreed beforehand.

Kilauea...

----- Original Message -----
From: "Zach Forsyth" <zach.forsyth@kiandra.com>
To: <pen-test@securityfocus.com>
Sent: Tuesday, November 12, 2002 3:38 AM
Subject: ethics of approaching vulnerable prospective clients

Been lurking for quite some time now but thought I might pose a question
to everyone on the list.

I just wanted to see what everyone's opinions were on means of
approaching vulnerable prospective clients.

Of interest especially are clients with wireless networks.

Example 1. I do a wardrive/walk around my city and find a whole lot of
wireless networks without any WEP which are seemingly insecure, and
their network is broadcasting an SSID that is set as their business
name.
A simple look in the phone book or on the web reveals their office
location, which matches up with where I was when the network was
detected.
Do you think it is unethical to approach them based on those results?

Analogy to complement Example 1.
A fence builder is in my neighbourhood and notices that my front fence
is falling down. He kindly drops his business card into my letterbox
and writes a note saying he noticed my fence was in need of some work and
subsequently wanted to offer his services to me.

Example 2. I detect a network that appears to not have WEP enabled.
Their SSID however reveals nothing about who they are but is the default
linksys/cisco/etc vendor's. I could connect to their WLAN and snoop
around for some information that would then identify them to me and then
go about contacting them. (Or just connect to their networked printer
and print something scary out for them. Hehe)

Analogy to complement Example 2.
A plumber is in my neighbourhood and sees that my house is maybe a
little rundown. He can't really see the plumbing pipes but decides to
open the gate, walk around to the back of the house and find out what
condition they are in. He then leaves a card mentioning he opened the
gate and entered my property, noticed the plumbing was in need of some
work and wanted to offer his services.

I don't feel that example two is acceptable, although fun.
This would be classified as a break in so to speak, and I am sure some
sys admins would then blame you for every networking and server problem
encountered from that point in time to infinity.

Approaching a client directly sort of feels like a lawyer chasing an
ambulance, but it may be a good way to create a whole lot of work.

I realize that wireless networks and their (in)security is a very grey
legal area at the moment, and different countries will have different
enforcement of laws relating to computer crime but I am only really
looking for a general consensus.

This same topic covers pen testing from an external point of view, web
site security, web application security etc. Just thought it applied to
wireless the most.

Do you think it is bad practice to contact a vulnerable company
directly?
Does anyone on the list approach companies directly in this manner?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
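The line the thread draws is between Example 1 (everything needed to identify the owner is already broadcast in the beacon frame, so nothing is touched) and Example 2 (identification would require associating with the network). The following Python is an added example, not code from either poster: it parses raw 802.11 beacon frames, reads the Privacy bit of the capability field to tell open networks from WEP ones, and sorts the open ones by whether the SSID is a business name or a factory default. It goes beyond the 2002 discussion in also recognising the later WPA and RSN (WPA2) information elements. The 802.11 framing follows the standard; the sample frames, BSSIDs, SSIDs and the DEFAULT_SSIDS list are constructed for this example.

```python
import struct

# 802.11 management header is 24 bytes; a beacon body then starts with
# timestamp (8) + beacon interval (2) + capability info (2), followed by
# tagged information elements of the form tag(1) length(1) data.
MGMT_HDR_LEN = 24
FIXED_PARAMS_LEN = 12
CAP_PRIVACY = 0x0010                       # "Privacy" bit: encryption required
TAG_SSID = 0
TAG_RSN = 48                               # RSN (WPA2) information element
TAG_VENDOR = 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")   # Microsoft OUI + type 1 = WPA1 IE

# Assumed factory-default SSIDs; a short constructed list for this example.
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "netgear", "wireless"}


def parse_beacon(frame):
    """Passively decode one beacon frame: BSSID, SSID and encryption type."""
    if len(frame) < MGMT_HDR_LEN + FIXED_PARAMS_LEN:
        raise ValueError("frame too short for a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:             # type 0 = management, subtype 8 = beacon
        raise ValueError("not a beacon frame")
    bssid = ":".join("%02x" % b for b in frame[16:22])   # addr3 carries the BSSID
    cap = struct.unpack_from("<H", frame, MGMT_HDR_LEN + 10)[0]
    ssid, has_rsn, has_wpa = None, False, False
    pos = MGMT_HDR_LEN + FIXED_PARAMS_LEN
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if len(data) < length:
            break                              # truncated IE: stop, do not over-read
        if tag == TAG_SSID:
            ssid = data.decode("utf-8", "replace")
        elif tag == TAG_RSN:
            has_rsn = True
        elif tag == TAG_VENDOR and data[:4] == WPA_OUI_TYPE:
            has_wpa = True
        pos += 2 + length
    if cap & CAP_PRIVACY == 0:
        encryption = "open"
    elif has_rsn:
        encryption = "wpa2"
    elif has_wpa:
        encryption = "wpa"
    else:
        encryption = "wep"                     # Privacy bit set, no WPA/RSN IE
    return {"bssid": bssid, "ssid": ssid, "encryption": encryption}


def classify(beacon):
    """Does the beacon alone already name the owner, or not?"""
    if beacon["encryption"] != "open":
        return "encrypted"
    ssid = (beacon["ssid"] or "").strip()
    if not ssid or ssid.lower() in DEFAULT_SSIDS:
        return "open-default-ssid"      # Example 2: naming the owner would need association
    return "open-named-ssid"            # Example 1: the SSID itself identifies the owner


def build_beacon(bssid, ssid, cap, extra_ies=b""):
    """Construct a beacon frame for testing (frame control 0x0080 = beacon)."""
    hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, cap)           # timestamp, interval, capability
    ssid_ie = bytes([TAG_SSID, len(ssid)]) + ssid
    return hdr + fixed + ssid_ie + extra_ies


# Constructed sample capture: business-named open net, default-SSID open net,
# a WEP net and an RSN (WPA2) net. Addresses and names are made up.
SAMPLE_BEACONS = [
    build_beacon(bytes.fromhex("00095b000001"), b"Acme Accountants", 0x0001),
    build_beacon(bytes.fromhex("000625000002"), b"linksys", 0x0001),
    build_beacon(bytes.fromhex("004096000003"), b"tsunami", 0x0011),
    build_beacon(bytes.fromhex("0050f2000004"), b"Acme Guest", 0x0011,
                 bytes([TAG_RSN, 2, 1, 0])),           # RSN IE, version 1
]


def survey(frames):
    """Summarise a list of raw beacon frames as (ssid, encryption, class)."""
    return [(b["ssid"], b["encryption"], classify(b)) for b in map(parse_beacon, frames)]


if __name__ == "__main__":
    for row in survey(SAMPLE_BEACONS):
        print("%-20s %-6s %s" % row)
```

Everything here is derived from frames the access point broadcasts to anyone in range; nothing is transmitted. An "open-default-ssid" result is exactly the case where the only way to learn who owns the network is to associate with it, which is the step the original poster rules out.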