Re: Pen Test mistake

From: Byron Copeland (nodialtone@comcast.net)
Date: Thu Aug 21 2003 - 17:01:42 EDT


Lessons Learned?

Verify the IP list you were given yourself and have it checked again by
someone else.

As others have said, probably the best advice is to consult a lawyer about
your options.

I wouldn't want to sit around and wait until Company B notices and then
tries to sue Company A for corporate espionage either.

Catch 22.

On Thu, 2003-08-21 at 00:47, Jeff Johnson wrote:
> Let's just say, for theoretical purposes, that you
> were contracted to perform a penetration test on a
> company. After receiving the IP range from the
> company, you begin the test. You're well into the
> test and find several vulnerable servers, which you
> promptly own six ways from Sunday. Then a co-worker
> wanders into your company's lab and looks over your
> shoulder and advises you that the hosts that you're
> owning are a single digit in the subnet off from the
> hosts you're supposed to be attacking.
>
> Example, I've owned 192.168.10.35, when in actuality I
> was supposed to be owning 192.168.11.35.
>
> How do you handle this situation?
>
> My vote is to contact the owners of the site, advise
> them honestly of the mistake, offer assistance (free
> of charge of course) in correcting the security
> problem you used to own them, and walk away a bit the
> wiser.
>
> Anyone else have any better advice?
>
> ---------------------------------------------------------------------------
> Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
> technical IT security event. Modeled after the famous Black Hat event in
> Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
> Symantec is the Diamond sponsor. Early-bird registration ends September 6 Visit: www.blackhat.com
> ----------------------------------------------------------------------------
>

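The lesson in this thread (verify the target list against the authorized scope, and have a second person check it) can be turned into a pre-engagement gate. The script below is an added example, not code from anyone in the thread; the scope and target values are constructed, and the off-by-one-octet target mirrors the 192.168.10.35 vs 192.168.11.35 case described above. It is IPv4-only and the function names are my own.

```python
import ipaddress

# Constructed sample data: the scope from the rules of engagement and the
# target list a tester actually typed in. One target is one octet off
# (192.168.10.35 instead of 192.168.11.35), as in the thread.
AUTHORIZED_SCOPE = ["192.168.11.0/24", "10.20.30.0/28"]
TESTER_TARGETS = ["192.168.11.12", "192.168.10.35", "10.20.30.5", "10.20.30.17"]


def check_scope(targets, scope):
    """Split targets into (in_scope, out_of_scope). Nothing in the second
    list may be touched; strict=True rejects malformed scope entries."""
    nets = [ipaddress.ip_network(s, strict=True) for s in scope]
    in_scope, out_of_scope = [], []
    for t in targets:
        addr = ipaddress.ip_address(t)
        (in_scope if any(addr in n for n in nets) else out_of_scope).append(t)
    return in_scope, out_of_scope


def near_misses(out_of_scope, scope):
    """Map each out-of-scope IPv4 target to an in-scope address that differs
    from it in exactly one whole prefix octet. These look like transcription
    errors and are what a second reviewer should look at first."""
    hits = {}
    for t in out_of_scope:
        octs = list(map(int, t.split(".")))
        for net in (ipaddress.ip_network(s) for s in scope):
            net_octs = list(map(int, str(net.network_address).split(".")))
            for i in range(4):
                if net.prefixlen < 8 * (i + 1):
                    break  # octet i contains host bits; not a prefix typo
                cand = octs[:]
                cand[i] = net_octs[i]
                cand_ip = ipaddress.ip_address(".".join(map(str, cand)))
                if cand_ip != ipaddress.ip_address(t) and cand_ip in net:
                    hits[t] = str(cand_ip)
    return hits


def independent_check(scope_a, scope_b):
    """Two people enter the scope independently; any difference blocks the
    test until it is resolved. Returns the networks that do not agree."""
    a = {ipaddress.ip_network(s) for s in scope_a}
    b = {ipaddress.ip_network(s) for s in scope_b}
    return sorted(str(n) for n in a ^ b)


if __name__ == "__main__":
    ok, bad = check_scope(TESTER_TARGETS, AUTHORIZED_SCOPE)
    print("in scope:", ok)
    print("OUT OF SCOPE, do not scan:", bad)
    print("likely typos:", near_misses(bad, AUTHORIZED_SCOPE))
    print("scope disagreements:", independent_check(AUTHORIZED_SCOPE, ["192.168.10.0/24", "10.20.30.0/28"]))
```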



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:38 EDT