>-----Original Message----- >From: Zach Forsyth [mailto:zach.forsythat_private] >Sent: November 11, 2002 10:38 PM >To: pen-testat_private >Subject: ethics of approaching vulnerable prospective clients > >I just wanted to see what everyone's opinions were on means of >approaching vulnerable prospective clients. > >Of interest especially are clients with wireless networks. > >Example 1. I do a wardrive/walk around my city and find a whole lot of >wireless networks without any wep which are seemingly insecure, and >their network is broadcasting an ssid that is set as their business >name. A simple look in the phone book or on the web reveals their office >location, which matches up with where I was when the network was >detected. >Do you think it is unethical to approach them based on those results? Who would you call in that company? Are you going to call the receptionist and ask for the computer guy? Your cold calling and have just as much chance of irritating and/or frightening the prospective client. Not only that, they may call the police and report your calls. Even if you have done absolutely nothing wrong, do you want to explain yourself to the police? What if they are subsequently hacked from the wireless segment and think you did it. Assuming that you had nothing to do with it and that they had no evidence, you may still have to defend yourself from that charge. Not worth it. >Example 2. I detect a network that appears to not have wep enabled. >Their ssid however reveals nothing about who they are but is the default >linksys/cisco/etc vendors. I could connect to their wlan and snoop >around for some information that would then identify them to me and then >go about contacting them. (Or just connect to their networked printer >and print something scary out for them. Hehe) In Canada I think this activity would definitely be illegal. Perhaps I could present a third example for the list to comment on: Example 3. Speak to a lawyer and find out how much information you can legally collect about a WAP in your jurisdiction. War drive around the city and generate some local statistics. "Within the downtown core 100 WAP's were found, of which only 8 had WEP installed." "On the North Shore 300 WAP's were found, however people on the North Shore seem to be more interested in security as 225 of the WAPS had WEP enabled." Generate some buzz about the topic by sending press releases to your local newspapers. Tell them that you are planning on doing it on a regular basis (perhaps quarterly), you might get the newspapers computer column to mention you. Blanket the neighbourhoods that you war drove with a glossy marketing flyer stating the results of the study and your services. TALK TO A LAWYER FIRST! Depending on where you are this activity may be considered illegal. Failure to follow this due diligence step could be very costly. This idea does not leave the prospective client feeling targeted. By sending out the press releases and flyers you are increasing the overall public awareness. It gets your name out there and lets the clients seek you out if they feel they need your services. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed Nov 13 2002 - 03:13:53 PST