RE: ethics of approaching vulnerable prospective clients

From: Brooke, O'neil (EXP) (o'neil.brooke@lmco.com)
Date: 11/12/02


    Date: Tue, 12 Nov 2002 17:54:30 -0500
    From: "Brooke, O'neil (EXP)" <o'neil.brooke@lmco.com>
    To: "'Zach Forsyth'" <zach.forsyth@kiandra.com>, pen-test@securityfocus.com
    
    

    >-----Original Message-----
    >From: Zach Forsyth [mailto:zach.forsyth@kiandra.com]
    >Sent: November 11, 2002 10:38 PM
    >To: pen-test@securityfocus.com
    >Subject: ethics of approaching vulnerable prospective clients
    >
    >I just wanted to see what everyone's opinions were on means of
    >approaching vulnerable prospective clients.
    >
    >Of interest especially are clients with wireless networks.
    >
    >Example 1. I do a wardrive/walk around my city and find a whole lot of
    >wireless networks without any wep which are seemingly insecure, and
    >their network is broadcasting an ssid that is set as their business
    >name. A simple look in the phone book or on the web reveals their office
    >location, which matches up with where I was when the network was
    >detected.
    >Do you think it is unethical to approach them based on those results?

    Who would you call in that company? Are you going to call the receptionist
    and ask for the computer guy? You're cold calling and have just as much chance
    of irritating and/or frightening the prospective client. Not only that, they
    may call the police and report your calls. Even if you have done absolutely
    nothing wrong, do you want to explain yourself to the police? What if they
    are subsequently hacked from the wireless segment and think you did it?
    Assuming that you had nothing to do with it and that they had no evidence,
    you may still have to defend yourself from that charge. Not worth it.

    >Example 2. I detect a network that appears to not have wep enabled.
    >Their ssid however reveals nothing about who they are but is the default
    >linksys/cisco/etc vendors. I could connect to their wlan and snoop
    >around for some information that would then identify them to me and then
    >go about contacting them. (Or just connect to their networked printer
    >and print something scary out for them. Hehe)

    In Canada I think this activity would definitely be illegal.

    Perhaps I could present a third example for the list to comment on:

    Example 3. Speak to a lawyer and find out how much information you can
    legally collect about a WAP in your jurisdiction. War drive around the city
    and generate some local statistics. "Within the downtown core 100 WAPs were
    found, of which only 8 had WEP installed." "On the North Shore 300 WAPs
    were found, however people on the North Shore seem to be more interested in
    security as 225 of the WAPs had WEP enabled." Generate some buzz about the
    topic by sending press releases to your local newspapers. Tell them that you
    are planning on doing it on a regular basis (perhaps quarterly), you might
    get the newspaper's computer column to mention you. Blanket the
    neighbourhoods that you war drove with a glossy marketing flyer stating the
    results of the study and your services. TALK TO A LAWYER FIRST! Depending on
    where you are this activity may be considered illegal. Failure to follow
    this due diligence step could be very costly.

    This idea does not leave the prospective client feeling targeted. By sending
    out the press releases and flyers you are increasing the overall public
    awareness. It gets your name out there and lets the clients seek you out if
    they feel they need your services.
