Re: Pen Test mistake

From: Kurt Seifried (bt@seifried.org)
Date: Thu Aug 21 2003 - 15:25:17 EDT


> Example, I've owned 192.168.10.35, when in actuality I
> was supposed to be owning 192.168.11.35.
>
> How do you handle this situation?
>
> My vote is to contact the owners of the site, advise
> them honestly of the mistake, offer assistance (free
> of charge of course) in correcting the security
> problem you used to own them, and walk away a bit the
> wiser.
>
> Anyone else have any better advice?

You did not exercise due care and diligence. In hindsight you'll wish you
had insured yourself, so when a company sues you for something like this you
can afford to settle out of court quickly. That, and get a good criminal
lawyer; if the company goes to law enforcement you'll need it.

I would be exceedingly contrite and apologetic, and would bend over
backwards, so that later on "Bubba" (your cell mate) isn't bending you over.

I'd be surprised if the affected company didn't threaten to sue you for a
rather large amount, tempering that threat with the threat of law
enforcement/criminal charges, and settle out of court for a large amount of
money. Walking away from the mess and ignoring it though means that if/when
they do find out they'll be really angry.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:38 EDT