Re: ethics of approaching vulnerable prospective clients

From: Darren Van Booven (darren@fni-stl.com)
Date: Tue Nov 12 2002 - 14:53:56 PST

    I know people differ quite a bit on this topic.  My personal opinion is that
    once you intentionally associate with a wireless access point that isn't
    yours without permission (emphasis on intentionally...if you're just
    sniffing it's possible to do this unintentionally), you have just performed
    a system penetration and that is not ethical.  This is regardless of whether
    you can actually see or do anything with that association.  Yes it is true,
    and unfortunate, that so many people leave their systems wide open, but that
    doesn't make it any more "right" for you to go around and access their
    networks to verify their SSID or use of WEP.  If you leave your car door
    open on the street, is it ok for me to open the door and sit down just
    because your car was insecure?  What if I tried pulling out your stereo to
    see if it's locked in or not (analogy..verifying use of WEP).  Yes my car
    was out in public (like the wireless traffic going through the air) and
    highly insecure (available to anyone nearby, just like wireless traffic),
    but that doesn't make a difference.
    
    Just because you can do something like this, and it's so easy to do it,
    doesn't mean you should do it.  Keep in mind that when companies buy
    security services, they want to make sure the people they're hiring are
    ethical.  Before you even slip your card in the mailbox, you've already
    proven you're not.
    
    
    ----- Original Message -----
    From: "Zach Forsyth" <zach.forsythat_private>
    To: <pen-testat_private>
    Sent: Monday, November 11, 2002 9:38 PM
    Subject: ethics of approaching vulnerable prospective clients
    
    
    > Been lurking for quite some time now but thought I might pose a question
    > to everyone on the list.
    >
    > I just wanted to see what everyone's opinions were on means of
    > approaching vulnerable prospective clients.
    >
    > Of interest especially are clients with wireless networks.
    >
    > Example 1. I do a wardrive/walk around my city and find a whole lot of
    > wireless networks without any wep which are seemingly insecure, and
    > their network is broadcasting an ssid that is set as their business
    > name.
    > A simple look in the phone book or on the web reveals their office
    > location, which matches up with where I was when the network was
    > detected.
    > Do you think it is unethical to approach them based on those results?
    >
    > Analogy to complement example 1.
    > A fence builder is in my neighbourhood and notices that my front fence
    > is falling down. He kindly drops his business card into my letterbox
    > and writes a note saying he noticed my fence was in need of some work and
    > subsequently wanted to offer his services to me.
    >
    > Example 2. I detect a network that appears to not have wep enabled.
    > Their ssid however reveals nothing about who they are but is the default
    > linksys/cisco/etc vendors. I could connect to their wlan and snoop
    > around for some information that would then identify them to me and then
    > go about contacting them. (Or just connect to their networked printer
    > and print something scary out for them. Hehe)
    >
    > Analogy to complement Example 2.
    > A plumber is in my neighbourhood and sees that my house is maybe a
    > little rundown. He can't really see the plumbing pipes but decides to
    > open the gate, walk around to the back of the house and find out what
    > condition they are in. He then leaves a card mentioning he opened the
    > gate and entered my property, noticed the plumbing was in need of some
    > work and wanted to offer his services.
    >
    > I don't feel that example two is acceptable, although fun.
    > This would be classified as a break in so to speak, and I am sure some
    > sys admins would then blame you for every networking and server problem
    > encountered from that point in time to infinity.
    >
    > Approaching a client directly sort of feels like a lawyer chasing an
    > ambulance, but it may be a good way to create a whole lot of work.
    >
    > I realize that wireless networks and their (in)security is a very grey
    > legal area at the moment, and different countries will have different
    > enforcement of laws relating to computer crime but I am only really
    > looking for a general consensus.
    >
    > This same topic covers pen testing from an external point of view, web
    > site security, web application security etc. Just thought it applied to
    > wireless the most.
    >
    > Do you think it is bad practice to contact a vulnerable company
    > directly?
    > Does anyone on the list approach companies directly in this manner?
    >
    >
    > --------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    >
    >
    
    
    



    This archive was generated by hypermail 2b30 : Wed Nov 13 2002 - 02:51:33 PST