RE: Pre-Scanning for Marketing : Analogy Day

From: Wolf, Glenn (glenn.wolf@we-inc.com)
Date: Wed Jan 11 2006 - 16:59:10 EST


Bob,

Let's put this another way. Would you really appreciate it if someone came
to your neighborhood and picked the lock of your front door, to tell you
that your lock had a significant vulnerability? Probably not. What if
someone offered to demonstrate that your roof could catch fire with simple
matches you can get at any store or bar, or that people could be
electrocuted if they unscrewed the wall plates from the electrical outlets
with simple screwdrivers you can buy anywhere? Isn't your car vulnerable to
being broken into with a simple rock, which I've heard are usually found
lying around pretty much anywhere?

Of course, the analogies can be taken to absurd extremes. It's not an issue
of demonstrating vulnerabilities people "need" to know about. It's about
respecting other people's property, systems, and networks. You will only
get business by having (and demonstrating) the utmost standards for respect
for your clients and potential clients.

Good luck,
Glenn Wolf, CISSP

-----Original Message-----
From: Password Crackers, Inc. [mailto:pwcrack@pwcrack.com]
Sent: Tuesday, January 10, 2006 4:43 PM
To: pen-test@securityfocus.com
Subject: RE: Pre-Scanning for Marketing

Please allow me to clarify that I have NOT done anything like this, I am not
advocating it and have no plans to do so. I am aware that many prospects
would potentially view this negatively. I mentioned in my original post
that I understood this. Doing so could permanently impact someone's
reputation. So, let's all understand that we are speaking about a
hypothetical. I was interested to know if anyone had done so previously and
what the reaction was. Clearly, it appears that other than a few free
offers (I've made two of these in the past -- both with no response), this
type of approach seems to be so negatively viewed that nobody would even
attempt it.

However, doesn't anyone else view this as something of a dilemma? As a
group we are incapacitated from offering services to those who may need them
(unless we do so inefficiently) even though certainly vulnerabilities are
easily and efficiently identified. Unfortunately, the best analogy I can
come up with is ambulance chasing lawyers -- who seem to be hated, so we
probably don't want to follow their lead professionally. Has anyone
effectively resolved this dilemma in their practice? Possibly that is how I
should have phrased the original post.

Bob Weiss
Password Crackers, Inc.

-----Original Message-----
From: Clement Dupuis [mailto:cdupuis@cccure.org]
Sent: Tuesday, January 10, 2006 8:19 PM
To: 'Password Crackers, Inc.'
Subject: RE: Pre-Scanning for Marketing

I would definitely say: DON'T

What right do you have to test my environment without me asking? What
differentiates you from any other cracker out there? You are just another
one of them as far as I am concerned.

Would you get any business this way? Probably some, but very little, and not
from the clients you really wish to build a long-term relationship with.
Think of the negative publicity and the fact that someone will take you to
court for attempting to intrude on their communication means.

Overall I would definitely NOT do it

Clement

-----Original Message-----
From: Password Crackers, Inc. [mailto:pwcrack@pwcrack.com]
Sent: Tuesday, January 10, 2006 10:11 AM
To: pen-test@securityfocus.com
Subject: Pre-Scanning for Marketing

I am interested if anyone on the list has ever tested or implemented a
marketing program that involved pre-scanning (wired or wireless) a prospect
and then sending a letter or email describing potential vulnerabilities and
offering assistance in closing these vulnerabilities. I have never done
this because of the anticipated negative reaction, but I am curious as to
what the outcome was if anyone else has done it. Single instances would be
interesting, but I am more curious if anyone has implemented this in a more
broad-based way and has positive and/or negative response rate statistics.

Bob Weiss
Password Crackers, Inc.

----------------------------------------------------------------------------

--
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web attacks
before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:21 EDT