Re: Pen Test mistake

From: Byron Copeland (nodialtoneat_private)
Date: Thu Aug 21 2003 - 14:01:42 PDT

    Lessons Learned?  
    
    Verify the IP list you were given yourself and have it checked again by
    someone else.  
    
    As others have said, probably best advice is to consult a lawyer about
    your options.
    
    I wouldn't want to sit around and wait until Company B notices and then
    tries to sue Company A for corporate espionage either.
    
    Catch 22.
    
    On Thu, 2003-08-21 at 00:47, Jeff Johnson wrote:
    > Let's just say, for theoretical purposes, that you
    > were contracted to perform a penetration test on a
    > company.  After receiving the IP range from the
    > company, you begin the test.  You're well into the
    > test and find several vulnerable servers, which you
    > promptly own six ways from Sunday.  Then a co-worker
    > wanders into your company's lab and looks over your
    > shoulder and advises you that the hosts that you're
    > owning are a single digit in the subnet off from the
    > hosts you're supposed to be attacking.
    > 
    > Example, I've owned 192.168.10.35, when in actuality I
    > was supposed to be owning 192.168.11.35.  
    > 
    > How do you handle this situation?  
    > 
    > My vote is to contact the owners of the site, advise
    > them honestly of the mistake, offer assistance (free
    > of charge of course) in correcting the security
    > problem you used to own them, and walk away a bit the
    > wiser.
    > 
    > Anyone else have any better advice?  
    > 
    > 
    > ---------------------------------------------------------------------------
    > Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
    > technical IT security event.  Modeled after the famous Black Hat event in 
    > Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
    > Symantec is the Diamond sponsor.  Early-bird registration ends September 6 Visit: www.blackhat.com
    > ----------------------------------------------------------------------------
    
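The thread's practical lesson is a scope check before anything is sent: compare the hosts you intend to test against the range in the engagement paperwork, and have a second person confirm the range independently. The script below is an added example written for this page, not code posted by either participant. It uses Python's standard `ipaddress` module; the scope, the second reviewer's copy of the scope, and the target list are constructed sample values modelled on the one-digit subnet mix-up (192.168.10.x versus 192.168.11.x) described in the thread. Targets may be single addresses or CIDR blocks, which goes slightly beyond the single hosts in the post.

```python
"""Pre-engagement scope check (added example, not from the original thread).

Refuses any proposed target that falls outside the authorised scope, and
requires that two independently transcribed copies of the scope agree,
so a typo in the IP list is caught before a single packet is sent.
"""
import ipaddress

# Constructed sample data (hypothetical engagement):
#   AUTHORISED_SCOPE   - the range copied from the statement of work
#   SECOND_REVIEW_SCOPE - the same range as transcribed by a colleague
#   PROPOSED_TARGETS   - the list the tester typed in by hand
AUTHORISED_SCOPE = ["192.168.11.0/24"]
SECOND_REVIEW_SCOPE = ["192.168.11.0/24"]
PROPOSED_TARGETS = ["192.168.11.35", "192.168.10.35", "192.168.11.128/26"]


def parse_scope(cidrs):
    """Turn CIDR strings into network objects; malformed input raises."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]


def cross_check_scope(scope_a, scope_b):
    """Return True only if two independently entered scopes are identical.

    Both lists are normalised to network objects so "192.168.11.0/24" and
    "192.168.11.5/24" (same block, sloppy host bits) compare equal, while a
    different third octet does not.
    """
    return set(parse_scope(scope_a)) == set(parse_scope(scope_b))


def check_scope(targets, scope_cidrs):
    """Split targets into (in_scope, out_of_scope) lists of strings.

    A target (address or CIDR block) is in scope only if it lies entirely
    inside at least one authorised network; everything else is refused.
    """
    scope = parse_scope(scope_cidrs)
    in_scope, out_of_scope = [], []
    for t in targets:
        net = ipaddress.ip_network(t.strip(), strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        covered = any(
            net.version == s.version and net.subnet_of(s) for s in scope
        )
        (in_scope if covered else out_of_scope).append(t.strip())
    return in_scope, out_of_scope


def require_in_scope(targets, scope_cidrs, review_cidrs):
    """Gate for the scanning step.

    Raises ValueError if the two scope copies disagree or if any target is
    outside scope; otherwise returns the validated target list so the
    caller can hand it to the next tool unchanged.
    """
    if not cross_check_scope(scope_cidrs, review_cidrs):
        raise ValueError("scope copies disagree; resolve before proceeding")
    ok, bad = check_scope(targets, scope_cidrs)
    if bad:
        raise ValueError(
            "refusing to proceed, %d target(s) outside authorised scope: %s"
            % (len(bad), ", ".join(bad))
        )
    return ok


if __name__ == "__main__":
    ok, bad = check_scope(PROPOSED_TARGETS, AUTHORISED_SCOPE)
    print("in scope:     ", ok)
    print("OUT OF SCOPE: ", bad)
    try:
        require_in_scope(PROPOSED_TARGETS, AUTHORISED_SCOPE, SECOND_REVIEW_SCOPE)
    except ValueError as exc:
        print("check failed:", exc)
```

Run it as the first step of the engagement, before any scanner is pointed at the list; the gate deliberately fails closed, so a single out-of-scope entry stops the whole run rather than quietly dropping that host.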



    This archive was generated by hypermail 2b30 : Thu Aug 21 2003 - 14:27:13 PDT