Re: Pen Test mistake
From: Byron Copeland (nodialtone_at_comcast.net)
Date: 08/21/03
- Previous message: MILES John M: "RE: Pen Test mistake"
- In reply to: Jeff Johnson: "Pen Test mistake"
- Next in thread: Dave Powell: "Re: Pen Test mistake"
- Reply: Dave Powell: "Re: Pen Test mistake"
To: Jeff Johnson <webproze@yahoo.com>
Date: 21 Aug 2003 17:01:42 -0400
Lessons Learned?
Verify the IP list you were given yourself and have it checked again by
someone else.
As others have said, probably the best advice is to consult a lawyer about
your options.
I wouldn't want to sit around and wait until Company B notices and then
tries to sue Company A for corporate espionage either.
Catch 22.
On Thu, 2003-08-21 at 00:47, Jeff Johnson wrote:
> Let's just say, for theoretical purposes, that you
> were contracted to perform a penetration test on a
> company. After receiving the IP range from the
> company, you begin the test. You're well into the
> test and find several vulnerable servers, which you
> promptly own six ways from Sunday. Then a co-worker
> wanders into your company's lab and looks over your
> shoulder and advises you that the hosts that you're
> owning are a single digit in the subnet off from the
> hosts you're supposed to be attacking.
>
> Example, I've owned 192.168.10.35, when in actuality I
> was supposed to be owning 192.168.11.35.
>
> How do you handle this situation?
>
> My vote is to contact the owners of the site, advise
> them honestly of the mistake, offer assistance (free
> of charge of course) in correcting the security
> problem you used to own them, and walk away a bit the
> wiser.
>
> Anyone else have any better advice?
---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event. Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor. Early-bird registration ends September 6 Visit: www.blackhat.com
----------------------------------------------------------------------------
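The "verify the IP list, then have someone else check it" lesson from the reply above can be turned into a mechanical gate in front of any scanner. This is an added example, not code from the list or either poster; the scope, the target list and the adjacent-subnet typo are constructed to mirror the 192.168.10.x versus 192.168.11.x mix-up described in the thread.

```python
import ipaddress

# Constructed data: the authorized range as written in the engagement letter,
# and the targets someone typed into the scanner. One entry is off by one octet.
AUTHORIZED_SCOPE = ["192.168.11.0/24"]
TARGETS = ["192.168.11.35", "192.168.10.35", "192.168.11.200"]


def parse_scope(scope):
    """Turn CIDR strings or single hosts into network objects; garbage fails here."""
    return [ipaddress.ip_network(entry.strip(), strict=False) for entry in scope]


def out_of_scope(targets, scope):
    """Return every target that is not inside at least one authorized network."""
    nets = parse_scope(scope)
    rejected = []
    for target in targets:
        addr = ipaddress.ip_address(target.strip())
        # A v6 address never matches a v4 network, so it is reported as out of scope.
        if not any(addr in net for net in nets):
            rejected.append(str(addr))
    return rejected


def check_scope(targets, scope):
    """Gate: refuse to proceed if any target is outside the authorized scope."""
    bad = out_of_scope(targets, scope)
    if bad:
        raise ValueError(f"targets outside authorized scope: {bad}")
    return True


def scopes_agree(scope_a, scope_b):
    """The 'second person' check: two independently transcribed scope lists must match."""
    return set(parse_scope(scope_a)) == set(parse_scope(scope_b))


if __name__ == "__main__":
    # The typo'd adjacent subnet is caught before anything touches it.
    try:
        check_scope(TARGETS, AUTHORIZED_SCOPE)
    except ValueError as err:
        print(err)
    # A transcription error in the scope itself is caught by the second reader.
    print("scopes agree:", scopes_agree(AUTHORIZED_SCOPE, ["192.168.10.0/24"]))
```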