Re: Pen Test mistake

From: Jeff Steeves (steejef@co-opsonline.com)
Date: Thu Aug 21 2003 - 12:14:52 PDT

    Jeff,
    
    Mistakes happen, and while your choice of action would be the right thing in
    most cases, I'd recommend erring on the side of caution here. Several
    instances of Security Pros or Hobbyists bringing vulnerabilities or security
    breaches to the attention of the affected parties have been in the news
    lately. The common result has been criminal investigations, charges and
    lawsuits. For example, the guy who showed a state office their wireless
    network was vulnerable right in front of staff and ended up arrested for
    hacking. The way I understand it, you can be investigated and charged for
    just scanning a network, and as you say, you were able to 'own' these
    servers.
    
    Best advice, talk to a lawyer.
    
    
    ----- Original Message ----- 
    From: <RMcElroyat_private>
    To: <webprozeat_private>; <pen-testat_private>
    Sent: Thursday, August 21, 2003 2:49 PM
    Subject: RE: Pen Test mistake
    
    
    ERASE ALL LOGS AND RUN FORREST RUN....:)
    
    -----Original Message-----
    From: Jeff Johnson [mailto:webprozeat_private]
    Sent: Wednesday, August 20, 2003 9:48 PM
    To: pen-testat_private
    Subject: Pen Test mistake
    
    
    Let's just say, for theoretical purposes, that you
    were contracted to perform a penetration test on a
    company.  After receiving the IP range from the
    company, you begin the test.  You're well into the
    test and find several vulnerable servers, which you
    promptly own six ways from Sunday.  Then a co-worker
    wanders into your company's lab and looks over your
    shoulder and advises you that the hosts that you're
    owning are a single digit in the subnet off from the
    hosts you're supposed to be attacking.
    
    Example, I've owned 192.168.10.35, when in actuality I
    was supposed to be owning 192.168.11.35.
    
    How do you handle this situation?
    
    My vote is to contact the owners of the site, advise
    them honestly of the mistake, offer assistance (free
    of charge of course) in correcting the security
    problem you used to own them, and walk away a bit the
    wiser.
    
    Anyone else have any better advice?
    
    
    
    
    ---------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    technical IT security event.  Modeled after the famous Black Hat event in
    Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    Symantec is the Diamond sponsor.  Early-bird registration ends September 6
    Visit: www.blackhat.com
    ----------------------------------------------------------------------------
    
    
    



    This archive was generated by hypermail 2b30 : Thu Aug 21 2003 - 12:34:07 PDT