RE: Pen Test mistake

From: Jennifer Fountain (JFountainat_private)
Date: Thu Aug 21 2003 - 12:34:51 PDT

    Walk away:
    http://www.securityfocus.com/columnists/179
    
    -----Original Message-----
    From: Patrick Dolan [mailto:dolanat_private] 
    Sent: Thursday, August 21, 2003 2:59 PM
    To: Jeff Johnson
    Cc: pen-testat_private
    Subject: Re: Pen Test mistake
    
    
    I say you pray that they don't press charges, and follow instructions
    better! You're probably safer just walking away from it.  People are
    getting thrown in jail these days just for reporting vulnerabilities.
    
    On Wednesday 20 August 2003 11:47 pm, Jeff Johnson wrote:
    > Let's just say, for theoretical purposes, that you
    > were contracted to perform a penetration test on a
    > company.  After receiving the IP range from the
    > company, you begin the test.  You're well into the
    > test and find several vulnerable servers, which you
    > promptly own six ways from Sunday.  Then a co-worker
    > wanders into your company's lab and looks over your
    > shoulder and advises you that the hosts that you're
    > owning are a single digit in the subnet off from the
    > hosts you're supposed to be attacking.
    >
    > Example, I've owned 192.168.10.35, when in actuality I
    > was supposed to be owning 192.168.11.35.
    >
    > How do you handle this situation?
    >
    > My vote is to contact the owners of the site, advise
    > them honestly of the mistake, offer assistance (free
    > of charge of course) in correcting the security
    > problem you used to own them, and walk away a bit the
    > wiser.
    >
    > Anyone else have any better advice?
    
    -- 
    Patrick Dolan
    UNT Information Security
    
    PGP ID: E5571154
    Primary key fingerprint: 5681 25E4 6BE6 298E 9CF0  6F8D B13B 2456 E557 1154
    
    