First thing you should do is check your contract with the hosting company. Many hosts now expressly forbid such tests, or at the very least require you to notify them in advance. Furthermore, even though the host you are testing is yours in an ethereal sense, the physical equipment belongs to the hosting company and any testing you do can legitimately be construed as an attack. That puts you in a big old boiling pot of hot water if you don't have permission in advance.

I've never been involved in such a test so I don't actually know what will happen if you do it, but I would strongly recommend you not initiate the pen-test without permission from the hosting company (and get permission in writing from a person or two or three very high up in the hosting organization).

Standard legal disclaimer - I am not a lawyer and the above is only my best guess thinking on the situation.

Randy Graham
--
You're kind of trying to pick between "horrible disaster" and "atrocious disaster"
-- Paul D. Robertson (on VNC vs. PPTP)

> -----Original Message-----
> From: Franklin DeMatto [mailto:franklinat_private]
> Sent: Sunday, May 20, 2001 4:42 PM
> To: pen-testat_private
> Subject: Pen testing an off-site web server
>
>
> Anyone know how to handle the legal/bureaucratic aspects of
> pen-testing a web server which is not in-house, but property
> of a hosting company?
>
> The hosting company may not take lightly to suggestions that
> it may be vulnerable, and may be afraid of damage caused by a
> test. Worse, if the server is not dedicated, but rather uses
> virtual hosts, other clients could be affected by the testing.
>
> Any real-world advice, forms, paperwork, or legal info would
> be appreciated.
>
> Franklin DeMatto
> franklinat_private
> qDefense - DEFENDING THE ELECTRONIC FRONTIER
This archive was generated by hypermail 2b30 : Tue May 22 2001 - 16:41:22 PDT