RE: Informing Companies about security vulnerabilities...

Even beyond the legal aspects as explained below, there are ethical
questions here.

From a professional perspective, this should not have been done to begin
with. To select a company's real-world site for penetration testing is
not ethical.

To put oneself and one's students in this situation is irresponsible at
best. Not only has he left himself with the difficult decision to
inform the company of what he did and subsequently discovered, but his
students may now believe it is alright to test other sites in the same

I believe the best course of action is to own up to the action, inform the
company, apologise for the poor judgement and hope that they decide to be
understanding and don't want to pursue any legal action.

Despite the outcome of other similar situations, I can tell you I would
not want to be in the position of having to go to court to prove it was
legal. The cost, time, and stress would not be worth it.

To argue the quote "I have every right to do exactly as I have done":

Actually, you are exceeding implied rights. This makes the action a
trespass. I can go into the case law in detail if requested.

The issue is not whether this is a crime; that will vary by jurisdiction,
and it will be one in the US if there is resultant damage over a set
amount. This is still not legal, however.

There is a lot of mis-information about what is illegal and what is
criminal. They are not the same thing. Although it may (in some
jurisdictions and with some results) not be criminal, it is illegal.

How is it illegal, you ask? It is a trespass. Trespass is a civil action.
That is, it is not a criminal offence in itself. The company could take
action for a violation of their rights.

A tort is a civil wrong (for want of about 800 pages of basic
explanation). Committing a tort is illegal, and thus accessing the site
in an unauthorised manner is illegal. You have exceeded the implied
license and thus the tort is completed. Suing for $20, for instance, for
an illegal access is not likely, but then it is still not legal.

This is a result of the nature of the implied action. You have an
implied license to undertake certain functions on the site. This is the

As for criminal... there are a number of US and UK cases dealing with
SQL injection and "testing". Even on the getting-away-with-it basis,
take for instance Stephan Puffer. He was acquitted of fraud on appeal -
but this did not make the actions legal. Rather, it means that there was a
civil violation and that at best he could be sued in the county court.
On the other hand, he did not win indemnity costs and the case still
left him in debt.

In this case the unauthorised access to a wireless network was
considered unauthorised access - and the access was a demonstration to a
journalist that it was possible.

Sorry to be pernickety, but the issue is not "whether something is
legal or not", as this is clearly an illegal action. It is whether it is
criminal or not. I would not recommend either course of action.


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Thursday, 5 October 2006 7:58 AM
To: PenTest
Subject: Re: Informing Companies about security vulnerabilities...

On 10/4/06 12:39 PM, "jay.tomas@xxxxxxxxxxxxxxx" spoketh to all:

One of the first things that you should teach in your class is Ethical
Permission Granted Assessments of Public Web sites. You had no right to
assess their site, which is why you probably got a less than warm
reception.

Companies contract and pay for assessment services. A good practice is
not to interact with some party that has chosen to run a few tools and
type ' or 1=1-- into all the available input

This really comes down to a matter of opinion, and one of law. Many times
over the last several years I've "publicly" illustrated potential
vulnerabilities at security conferences and during trainings.

According to my attorney, who is a very respected subject matter expert
in Internet and security law, I have every right to do exactly as I have
done. Publishing a public site explicitly grants me rights to access the
site. Going to the "search" page and entering ' or 1=1-- is, according
to my attorney, perfectly legal. They host the site publicly, and are
*asking* you to enter something in the search textbox. (Note: US law.)

Now, going beyond that--executing code and acquiring internal data from
the back-end servers of the site, well, that's illegal (or can be). The
"how much is too much" question will ultimately be decided by a judge or
jury, but it does make for interesting dialog.

Personally, I have no problem at all in typing in your standard "test"
injection.... But I wouldn't do something like collect data and then use
that as an example of vulnerability to provide to the company-- that's
asking for it. A warning based on cursory input, sure-- a proof of
concept with your name on it, no way.

I've notified countless companies of potential problems with web-apps,
and I can only think of a couple of times that someone actually got back
to me with a "thanks for that." I think I got one "I'm going to sue"
message, which I just ignored- nothing ever came of it.

So, is it legal to type ' or 1=1-- ? According to legal experts, yes. Is
it ethical? I say "sure." Is it ethical to drop a database? No. But,
whether something is legal or not really doesn't have anything to do with
someone trying to sue you for it. So these days, when I come across
something bad enough, the "do-gooder" in me makes me want to at least
notify them - which I do via anonymous email. Unfortunately, I never know
if they got it or not, but at least I tried. Statistics tell me that no
one will bother doing anything about it, and CYA now dictates I do it
that way, or not.


This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

The information contained in this email and any attachments is
confidential. If you are not the intended recipient, you must not use or
disclose the information. If you have received this email in error, please
inform us promptly by reply email or by telephoning +61 2 9286 5555.
Please delete the email and destroy any printed copy.

Any views expressed in this message are those of the individual sender.
You may not rely on this message as advice unless it has been
electronically signed by a Partner of BDO or it is subsequently confirmed
by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its
attachments due to viruses, interference, interception, corruption or
unauthorised access.
