One often hears penetration testing described as ethical hacking. If that is so and what we are practicing here is ethical, then we must act ethically. To my mind, that means owning up to one's mistakes. If we do not, then we are little different from the other kind of hackers from which we are trying to protect our clients. Failing to act ethically in an instance such as this lowers the credibility and value of our profession. As another response to this thread indicated, an Errors and Omissions insurance policy is very important because of occurances such as these. Not only will you be better protected but so will your actual client. The client that contracted you to test his system may be at legal risk for your actions against the unintended target. If you fail to come clean and you are found out, then the victim may have recourse against both you and your client, and both your client and the victim may have recourse against you, your partners and associates. My advice is to first get legal representation and work with your attorney to contact the parties involved. Be prepared to cover any damage that may have resulted. Acquire the appropriate insurance for future engagements and be much, much more careful. -Jeffrey Gorton, CISSP MCSE CCSE IAM jpgortonat_private ----- Original Message ----- From: Dan Taylor To: pen-testat_private Sent: Thursday, August 21, 2003 2:12 PM Subject: RE: Pen Test mistake I agree with this person, if you volunteer information to this company, you could be hit with illegally scanning their systems (because you do not have consent to do so). You could very well land in jail with the local authorities possessing your systems for a few years. Even if you win your systems back, they will be so old and outdated that they will be useless. Delete your logs and redo what you were hired to do in the first place. Also, on a side note, didn't the letter stating that you were allowed to do this scan have the valid IP addresses you were allowed to scan? If it didn't, you need to have your legal department reconstruct the letter to start incorporating this valuable piece of information. I'll jump off of my soapbox now! -----Original Message----- From: RMcElroyat_private [mailto:RMcElroyat_private] Sent: Thursday, August 21, 2003 1:49 PM To: webprozeat_private; pen-testat_private Subject: RE: Pen Test mistake ERASE ALL LOGS AND RUN FOREST RUN....:) -----Original Message----- From: Jeff Johnson [mailto:webprozeat_private] Sent: Wednesday, August 20, 2003 9:48 PM To: pen-testat_private Subject: Pen Test mistake Let's just say, for theoretical purposes, that you were contracted to perform a penetration test on a company. After receiving the IP range from the company, you begin the test. You're well into the test and find several vulnerable servers, which you promptly own six ways from Sunday. Then a co-worker wanders into your company's lab and looks over your shoulder and advises you that the hosts that you're owning are a single digit in the subnet off from the hosts you're supposed to be attacking. Example, I've owned 192.168.10.35, when in actuality I was supposed to be owning 192.168.11.35. How do you handle this situation? My vote is to contact the owners of the site, advise them honestly of the mistake, offer assistance (free of charge of course) in correcting the security problem you used to own them, and walk away a bit the wiser. Anyone else have any better advice? __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com ------------------------------------------------------------------------ --- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world<92>s premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symanetc is the Diamond sponsor. Early-bird registration ends September 6 Visit: www.blackhat.com ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world<92>s premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symanetc is the Diamond sponsor. Early-bird registration ends September 6 Visit: www.blackhat.com ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world<92>s premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symanetc is the Diamond sponsor. Early-bird registration ends September 6 Visit: www.blackhat.com ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world<92>s premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symanetc is the Diamond sponsor. Early-bird registration ends September 6 Visit: www.blackhat.com ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Aug 22 2003 - 08:14:50 PDT