Convicted Pen-tester

  1. #1
    Junior Member
    Join Date
    Apr 2006
    Posts
    21

    Convicted Pen-tester

    Just saw this article on Slashdot; thought it might spark some interest.
    http://it.slashdot.org/article.pl?si...12259&from=rss
    This ain't about me, I'm better than you'll ever be. You don't concern me, I know you'll never get to me. You want a shot? I can take your best, bring it on. - Slayer
    Gentoo Linux

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    This has been circulating for a few weeks now, but there's a few things to take note of:

    A) He's not a "pen-tester" and was not acting in any official way... He's currently a consultant... which in IT generally means "unemployed"

    B) Had he stumbled upon the flaw and notified USC immediately this never would have happened. He was actively looking for the flaw... that's a violation of the law.

    C) Instead of contacting USC directly, he chose to provide the information to SecurityFocus... while it may be a great way to provide anonymity... most institutions will be much more harsh if you reveal their problems to a third party first.

    D) He turned around and created an email account along the lines of "ihackedusc@gmail.com"

    This isn't some innocent pen-tester doing legal work... authorized work... or even legit research... This is someone doing what they shouldn't have been doing and getting caught doing it.

    Peace
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hmmmm,

    [A] Yes, this was not penetration testing. It does serve to emphasise that anyone involved in such activity or other security testing must get written authority first. Not only is that a sensible CYA approach, it will give you a formal, contractual definition of your responsibilities, which can be useful for billing the client afterwards.

    [B] It might even be far worse than that? I suspect that he probably knew about the flaw whilst he was still in their employment. There does not appear to have been any defence that he had warned them and they did nothing. At best, it is as HT~ says: a deliberate search for vulnerabilities on a system to which he was not authorised.

    [C] It seems that Security Focus did the right thing and advised USC first. Sometimes things have to be revealed to third parties to get anything done at all. I would suggest that Secunia is a good example of this. In this case I suspect that revenge or "sour grapes" was the motivation, rather than any noble hearted public spiritedness or academic interest.

    Where I see the guy going wrong is that he used the USC mailing system to contact people on their database. That is $h1t stirring, pure and simple, and could serve no useful purpose. In other circumstances it would be classed as spamming. It would be illegal over here, for certain.

    I think that he was lucky in that the prosecution seem to have screwed up their case. He should certainly have been done over the e-mails.


  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    I love the use of the term "pen tester". We had a case where a consultant did some war driving in an attempt to drum up business. Needless to say, he nearly found himself behind federal bars. Oh, and no, he never did get anything useful; we saw him coming a mile away.

    The point is that people can label themselves anything they want but the fact of the matter is that this clown and others like him are out looking to make a name for themselves or snake someone out of cash.

    --TH13, Esq.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Regardless of his qualification or legal capacity, hiring external agencies to pen test or audit your network is a huge risk. Just like allowing any coder or vendor access to your internal network. In most (if not all) cases the benefits outweigh the risk. One should follow up on credentials and reputation and document the process in case something like this does happen.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  6. #6
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by RoadClosed
    Regardless of his qualification or legal capacity, hiring external agencies to pen test or audit your network is a huge risk. Just like allowing any coder or vendor access to your internal network. In most (if not all) cases the benefits outweigh the risk. One should follow up on credentials and reputation and document the process in case something like this does happen.
    That's why you deal with specific companies that have good reputations... Usually cities aren't flooded with pen-testing companies, so you can easily find someone that's reputable....

    I also want to point out that this wasn't a hired pen-tester... this was some guy over the Internet...
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  7. #7
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Even with reputable companies you can get a jackass. Like one I had that was IMing his girlfriend while in "stealth" mode.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
