ethics of approaching vulnerable prospective clients

From: Zach Forsyth (zach.forsythat_private)
Date: Mon Nov 11 2002 - 19:38:08 PST

    Been lurking for quite some time now but thought I might pose a question
    to everyone on the list.
    
    I just wanted to see what everyone's opinions were on means of
    approaching vulnerable prospective clients. 
    
    Of interest especially are clients with wireless networks.
    
    Example 1. I do a wardrive/walk around my city and find a whole lot of
    wireless networks without any wep which are seemingly insecure, and
    their network is broadcasting an ssid that is set as their business
    name.
    A simple look in the phone book or on the web reveals their office
    location, which matches up with where I was when the network was
    detected.
    Do you think it is unethical to approach them based on those results?
    
    Analogy to complement example 1. 
    A fence builder is in my neighbourhood and notices that my front fence
    is falling down. He kindly drops his business card into my letterbox
    and writes a note saying he noticed my fence was in need of some work and
    subsequently wanted to offer his services to me.
    
    Example 2. I detect a network that appears to not have wep enabled.
    Their ssid however reveals nothing about who they are but is the default
    linksys/cisco/etc vendors. I could connect to their wlan and snoop
    around for some information that would then identify them to me and then
    go about contacting them. (Or just connect to their networked printer
    and print something scary out for them. Hehe) 
    
    Analogy to complement Example 2. 
    A plumber is in my neighbourhood and sees that my house is maybe a
    little rundown. He can't really see the plumbing pipes but decides to
    open the gate, walk around to the back of the house and find out what
    condition they are in. He then leaves a card mentioning he opened the
    gate and entered my property, noticed the plumbing was in need of some
    work and wanted to offer his services.
    
    I don't feel that example two is acceptable, although fun.
    This would be classified as a break in so to speak, and I am sure some
    sys admins would then blame you for every networking and server problem
    encountered from that point in time to infinity. 
    
    Approaching a client directly sort of feels like a lawyer chasing an
    ambulance, but it may be a good way to create a whole lot of work.
    
    I realize that wireless networks and their (in)security is a very grey
    legal area at the moment, and different countries will have different
    enforcement of laws relating to computer crime but I am only really
    looking for a general consensus.
    
    This same topic covers pen testing from an external point of view, web
    site security, web application security etc. Just thought it applied to
    wireless the most.
    
    Do you think it is bad practice to contact a vulnerable company
    directly?
    Does anyone on the list approach companies directly in this manner?
    
    



    This archive was generated by hypermail 2b30 : Tue Nov 12 2002 - 14:02:40 PST