RE: ethics of approaching vulnerable prospective clients

From: Brooke, O'neil (EXP) (o'neil.brooke@lmco.com)
Date: Tue Nov 12 2002 - 17:54:30 EST


>-----Original Message-----
>From: Zach Forsyth [mailto:zach.forsyth@kiandra.com]
>Sent: November 11, 2002 10:38 PM
>To: pen-test@securityfocus.com
>Subject: ethics of approaching vulnerable prospective clients
>
>I just wanted to see what everyone's opinions were on means of
>approaching vulnerable prospective clients.
>
>Of interest especially are clients with wireless networks.
>
>Example 1. I do a wardrive/walk around my city and find a whole lot of
>wireless networks without any wep which are seemingly insecure, and
>their network is broadcasting an ssid that is set as their business
>name. A simple look in the phone book or on the web reveals their office
>location, which matches up with where I was when the network was
>detected.
>Do you think it is unethical to approach them based on those results?

Who would you call in that company? Are you going to call the receptionist
and ask for the computer guy? You're cold calling and have just as much chance
of irritating and/or frightening the prospective client. Not only that, they
may call the police and report your calls. Even if you have done absolutely
nothing wrong, do you want to explain yourself to the police? What if they
are subsequently hacked from the wireless segment and think you did it?
Assuming that you had nothing to do with it and that they had no evidence,
you may still have to defend yourself from that charge. Not worth it.

>Example 2. I detect a network that appears to not have wep enabled.
>Their ssid however reveals nothing about who they are but is the default
>linksys/cisco/etc vendors. I could connect to their wlan and snoop
>around for some information that would then identify them to me and then
>go about contacting them. (Or just connect to their networked printer
>and print something scary out for them. Hehe)

In Canada I think this activity would definitely be illegal.

Perhaps I could present a third example for the list to comment on:

Example 3. Speak to a lawyer and find out how much information you can
legally collect about a WAP in your jurisdiction. War drive around the city
and generate some local statistics. "Within the downtown core 100 WAPs were
found, of which only 8 had WEP installed." "On the North Shore 300 WAPs
were found, however people on the North Shore seem to be more interested in
security as 225 of the WAPs had WEP enabled." Generate some buzz about the
topic by sending press releases to your local newspapers. Tell them that you
are planning on doing it on a regular basis (perhaps quarterly), you might
get the newspaper's computer column to mention you. Blanket the
neighbourhoods that you war drove with a glossy marketing flyer stating the
results of the study and your services. TALK TO A LAWYER FIRST! Depending on
where you are this activity may be considered illegal. Failure to follow
this due diligence step could be very costly.

This idea does not leave the prospective client feeling targeted. By sending
out the press releases and flyers you are increasing the overall public
awareness. It gets your name out there and lets the clients seek you out if
they feel they need your services.
