-
May 13th, 2006, 04:11 AM
#1
Junior Member
Convicted Pen-tester
Just saw this article on slashdot thought it might spark some interest.
http://it.slashdot.org/article.pl?si...12259&from=rss
This ain't about me, I'm better than you'll ever be. You don't concern me, I know you'll never get to me. You want a shot? I can take your best, bring it on. - Slayer
Gentoo Linux
-
May 13th, 2006, 08:44 AM
#2
Hey Hey,
This has been circulating for a few weeks now, but there are a few things to take note of:
A) He's not a "pen-tester" and was not acting in any official way... He's currently a consultant... which in IT generally means "unemployed"
B) Had he stumbled upon the flaw and notified USC immediately this never would have happened. He was actively looking for the flaw... that's a violation of the law.
C) Instead of contacting USC directly, he chose to provide the information to SecurityFocus... while it may be a great way to provide anonymity... most institutions will be much more harsh if you reveal their problems to a third party first.
D) He turned around and created an email account along the lines of "[email protected]"
This isn't some innocent pen-tester doing legal work... authorized work... or even legit research... This is someone doing what they shouldn't have been doing and getting caught doing it.
Peace
HT
-
May 13th, 2006, 10:32 AM
#3
Hmmmm,
[A] Yes, this was not penetration testing. It does serve to emphasise that anyone involved in such activity or other security testing must get written authority first. Not only is that a sensible CYA approach, it will give you a formal, contractual definition of your responsibilities, which can be useful for billing the client afterwards.
[B] It might even be far worse than that? I suspect that he probably knew about the flaw whilst he was still in their employment. There does not appear to have been any defence that he had warned them and they did nothing. At best, it is as HT~ says; a deliberate search for vulnerabilities on a system to which he was not authorised.
[C] It seems that Security Focus did the right thing and advised USC first. Sometimes things have to be revealed to third parties to get anything done at all. I would suggest that Secunia is a good example of this. In this case I suspect that revenge or "sour grapes" was the motivation, rather than any noble hearted public spiritedness or academic interest.
Where I see the guy going wrong is that he used the USC mailing system to contact people on their database. That is $h1t stirring, pure and simple, and could serve no useful purpose. In other circumstances it would be classed as spamming. It would be illegal over here, for certain.
I think that he was lucky in that the prosecution seem to have screwed up their case. He should certainly have been done over the e-mails.
-
May 13th, 2006, 12:21 PM
#4
I love the use of the term "pen tester". We had a case where a consultant did some war driving in an attempt to drum up business. Needless to say, he nearly found himself behind federal bars. Oh, and no, he never did get anything useful; we saw him coming a mile away.
The point is that people can label themselves anything they want but the fact of the matter is that this clown and others like him are out looking to make a name for themselves or snake someone out of cash.
--TH13, Esq.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
May 16th, 2006, 03:20 PM
#5
Regardless of his qualification or legal capacity, hiring external agencies to pen test or audit your network is a huge risk. Just like allowing any coder or vendor access to your internal network. In most (if not all) cases the benefits outweigh the risk. One should follow up on credentials and reputation and document the process in case something like this does happen.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
May 16th, 2006, 03:45 PM
#6
Originally posted here by RoadClosed
Regardless of his qualification or legal capacity, hiring external agencies to pen test or audit your network is a huge risk. Just like allowing any coder or vendor access to your internal network. In most (if not all) cases the benefits outweigh the risk. One should follow up on credentials and reputation and document the process in case something like this does happen.
That's why you deal with specific companies that have good reputations... Usually cities aren't flooded with pen-testing companies, so you can easily find someone that's reputable....
I also want to point out that this wasn't a hired pen-tester.. this was some guy over the internet...
-
May 16th, 2006, 04:14 PM
#7
Even with reputable companies you can get a jackass. Like one I had that was IMing his girlfriend while in "stealth" mode.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.