RE: Informing Companies about security vulnerabilities...

From: jason@kaddywampus.org
Date: Fri Oct 06 2006 - 09:11:06 EDT


Even beyond the legal aspects as explained below, there are ethical
questions here.

From a professional perspective, this should not have been done to begin
with. To select a company's real-world site for penetration testing is
not ethical.

To put oneself and one's students in this situation is irresponsible at
best. Not only has he placed himself with the difficult decision to
inform the company of what he did and subsequently discovered, but his
students may now believe it is alright to test other sites in the same
manner.

I believe the best course of action is to own up to the action, inform the
company, apologize for the poor judgement and hope that they decide to be
understanding and don't want to pursue any legal action.

Despite the outcome of other similar situations, I can tell you I would
not want to be in the position of having to go to court to prove it was
legal. The cost, time, and stress would not be worth it.

>
> To argue the quote " I have every right to do exactly as I have done "
>
> Actually you are exceeding implied rights. This makes the action a
> trespass. I can go into the case law in detail if requested.
>
> The issue is not that this is a crime, this will vary on jurisdiction
> and it shall be one in the US if there is a resultant damage over a set
> amount. This is still not legal however.
>
> There is a lot of mis-information about what is illegal and what is
> criminal. They are not the same thing. Although it may (in some
> jurisdictions and with some results) not be criminal, it is illegal.
>
> How is it illegal you ask? It is a trespass. Trespass is a Civil action.
> That is, it is not a criminal offence in itself. The company could take
> action for a violation of their rights.
>
> A tort is a civil wrong (for want of about 800 pages of basic
> explanations). Committing a tort is illegal and thus accessing the site
> in an unauthorised manner is illegal. You have exceeded the implied
> license and thus the tort is completed. Suing for $20 for instance for
> an illegal access is not likely, but then it is still not legal.
>
> This is a result of the nature of the implied action. You have an
> implied license to undertake certain functions on the site. This is the
> limit.
>
> As for criminal... there are a number of US and UK cases dealing with
> SQL injections and "testing". Even on the getting away with it basis,
> take for instance Stephan Puffer. He was acquitted of fraud on appeal -
> but this did not make the actions legal. Rather it means that there was a
> civil violation and that at best he could be sued by the county court.
> On the other hand, he did not win indemnity costs and the case still
> left him in debt.
>
> In this case the unauthorised access to a wireless network was
> considered unauthorised access - and the access was a demonstration to a
> journalist that it was possible.
>
> Sorry to be pernickety but the issue is not "But, whether something is
> legal or not" as this is clearly an illegal action. It is whether it is
> criminal or not. I would not recommend either course of action.
>
> Regards,
> Craig
>
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
> On Behalf Of Thor (Hammer of God)
> Sent: Thursday, 5 October 2006 7:58 AM
> To: PenTest
> Subject: Re: Informing Companies about security vulnerabilities...
>
>
> On 10/4/06 12:39 PM, "jay.tomas@infosecguru.com"
> <jay.tomas@infosecguru.com>
> spoketh to all:
>
>> One of the first things that you should teach in your class is Ethical and
>> Permission Granted Assessments of Public Web sites. You had no right to
>> assess their site, which is why you probably got a less than warm
>> reception.
>>
>> Companies contract and pay for assessment services. A good practice is not
>> to interact with some party that has chosen to run a few tools and type
>> in ' or 1=1-- in all the available input fields.
>
> This really comes down to a matter of opinion, and one of law. Many times
> over the last several years I've "publicly" illustrated potential
> vulnerabilities at security conferences and during trainings.
>
> According to my attorney, who is a very respected subject matter expert on
> Internet and security law, I have every right to do exactly as I have done.
> Publishing a public site explicitly grants me rights to access the site.
> Going to the "search" page and entering in ' or 1=1-- is, according to my
> attorney, perfectly legal. They host the site publicly, and are *asking me*
> to enter something in the search textbox. (note US law).
>
> Now, going beyond that--executing code and acquiring internal data from the
> back-end servers of the site, well, that's illegal (or can be). The "how
> much is too much" question will ultimately be decided by a judge or jury,
> but it does make for interesting dialog.
>
> Personally, I have no problem at all in typing in your standard "test" for
> injection.... But I wouldn't do something like collect data and then use
> that as an example of vulnerability to provide to the company-- that's just
> asking for it. A warning based on cursory input, sure-- a proof of concept
> with your name on it, no way.
>
> I've notified countless companies of potential problems with web-apps, and I
> can only think of a couple of times that someone actually got back to me
> with a "thanks for that." I think I got one "I'm going to sue" message that
> I just ignored- nothing ever came of it.
>
> So, is it legal to type ' or 1=1-- ? According to legal experts, yes. Is
> it ethical? I say "sure." Is it ethical to drop a database? No. But,
> whether something is legal or not really doesn't have anything to do with
> someone trying to sue you for it. So these days, when I come across
> something bad enough, the "do-gooder" in me makes me want to at least notify
> them - which I do via anonymous email. Unfortunately, I never know if they
> got it or not, but at least I tried. Statistics tell me that no one will
> bother doing anything about it, and CYA now dictates I do it that way, legal
> or not.
>
> t
>
>
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:08 EDT