RE: Informing Companies about security vulnerabilities...



Even beyond the legal aspects as explained below, there are ethical
questions here.

From a professional perspective, this should not have been done to begin
with. To select a company's real-world site for penetration testing is
not ethical.

To put oneself and one's students in this situation is irresponsible at
best. Not only has he placed himself with the difficult decision to
inform the company of what he did and subsequently discovered, but his
students may now believe it is alright to test other sites in the same
manner.

I believe the best course of action is to own up to the action, inform the
company, apologize for the poor judgement and hope that they decide to be
understanding and don't want to pursue any legal action.

Despite the outcome of other similar situations, I can tell you I would
not want to be in the position of having to go to court to prove it was
legal. The cost, time, and stress would not be worth it.


To argue the quote " I have every right to do exactly as I have done "

Actually you are exceeding implied rights. This makes the action a
trespass. I can go into the case law in detail if requested.

The issue is not that this is a crime, this will vary on jurisdiction
and it shall be one in the US if there is a resultant damage over a set
amount. This is still not legal however.

There is a lot of mis-information about what is illegal and what is
criminal. They are not the same thing. Although it may (in some
jurisdictions and with some results) not be criminal, it is illegal.

How is it illegal you ask? It is a trespass. Trespass is a civil action.
That is, it is not a criminal offence in itself. The company could take
action for a violation of their rights.

A tort is a civil wrong (for want of about 800 pages of basic
explanations). Committing a tort is illegal and thus accessing the site
in an unauthorised manner is illegal. You have exceeded the implied
license and thus the tort is completed. Suing for $20 for instance for
an illegal access is not likely, but then it is still not legal.

This is a result of the nature of the implied action. You have an
implied license to undertake certain functions on the site. This is the
limit.

As for criminal... there are a number of US and UK cases dealing with
SQL injections and "testing". Even on the getting away with it basis,
take for instance Stephan Puffer. He was acquitted of fraud on appeal -
but this did not make the actions legal. Rather it means that there was a
civil violation and that at best he could be sued by the county court.
On the other hand, he did not win indemnity costs and the case still
left him in debt.

In this case the unauthorised access to a wireless network was
considered unauthorised access - and the access was a demonstration to a
journalist that it was possible.

Sorry to be pernickety but the issue is not "But, whether something is
legal or not" as this is clearly an illegal action. It is if it is
criminal or not. I would not recommend either course of action.

Regards,
Craig


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Thursday, 5 October 2006 7:58 AM
To: PenTest
Subject: Re: Informing Companies about security vulnerabilities...


On 10/4/06 12:39 PM, "jay.tomas@xxxxxxxxxxxxxxx" <jay.tomas@xxxxxxxxxxxxxxx>
spoketh to all:

One of the first things that you should teach in your class is Ethical and
Permission Granted Assessments of Public Web sites. You had no right to
assess their site, which is why you probably got a less than warm reception.

Companies contract and pay for assessment services. A good practice is not
to interact with some party that has chosen to run a few tools and type in
' or 1=1-- in all the available input fields.

This really comes down to a matter of opinion, and one of law. Many times
over the last several years I've "publicly" illustrated potential
vulnerabilities at security conferences and during trainings.

According to my attorney, who is a very respected subject matter expert on
Internet and security law, I have every right to do exactly as I have done.
Publishing a public site explicitly grants me rights to access the site.
Going to the "search" page and entering in ' or 1=1-- is, according to my
attorney, perfectly legal. They host the site publicly, and are *asking me*
to enter something in search textbox. (note US law).

Now, going beyond that--executing code and acquiring internal data from the
back-end servers of the site, well, that's illegal (or can be). The "how
much is too much" question will ultimately be decided by a judge or jury,
but it does make for interesting dialog.

Personally, I have no problem at all in typing in your standard "test" for
injection.... But I wouldn't do something like collect data and then use
that as an example of vulnerability to provide to the company-- that's just
asking for it. A warning based on cursory input, sure-- a proof of concept
with your name on it, no way.

I've notified countless companies of potential problems with web-apps, and I
can only think of a couple of times that someone actually got back to me
with a "thanks for that." I think I got one "I'm going to sue" message that
I just ignored- nothing ever came of it.

So, is it legal to type ' or 1=1-- ? According to legal experts, yes. Is
it ethical? I say "sure." Is it ethical to drop a database? No. But,
whether something is legal or not really doesn't have anything to do with
someone trying to sue you for it. So these days, when I come across
something bad enough, the "do-gooder" in me makes me want to at least notify
them - which I do via anonymous email. Unfortunately, I never know if they
got it or not, but at least I tried. Statistics tell me that no one will
bother doing anything about it, and CYA now dictates I do it that way, legal
or not.

t




------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------







