Pantek Library

RE: ethics of approaching vulnerable prospective clients

From: Brooke, O'neil (EXP) <o'neil.brooke(at)lmco.com>
Date: Tue Nov 12 2002 - 17:54:30 EST


>-----Original Message-----

Who would you call in that company? Are you going to call the receptionist and ask for the computer guy? You're cold calling and have just as much chance of irritating and/or frightening the prospective client. Not only that, they may call the police and report your calls. Even if you have done absolutely nothing wrong, do you want to explain yourself to the police? What if they are subsequently hacked from the wireless segment and think you did it? Assuming that you had nothing to do with it and that they had no evidence, you may still have to defend yourself from that charge. Not worth it.

>Example 2. I detect a network that appears to not have wep enabled.
>Their ssid however reveals nothing about who they are but is the default
>linksys/cisco/etc vendors. I could connect to their wlan and snoop
>around for some information that would then identify them to me and then
>go about contacting them. (Or just connect to their networked printer
>and print something scary out for them. Hehe)

In Canada I think this activity would definitely be illegal.

Perhaps I could present a third example for the list to comment on:

Example 3. Speak to a lawyer and find out how much information you can legally collect about a WAP in your jurisdiction. War drive around the city and generate some local statistics. "Within the downtown core 100 WAPs were found, of which only 8 had WEP installed." "On the North Shore 300 WAPs were found, however people on the North Shore seem to be more interested in security as 225 of the WAPs had WEP enabled." Generate some buzz about the topic by sending press releases to your local newspapers. Tell them that you are planning on doing it on a regular basis (perhaps quarterly); you might get the newspaper's computer column to mention you. Blanket the neighbourhoods that you war drove with a glossy marketing flyer stating the results of the study and your services. TALK TO A LAWYER FIRST! Depending on where you are this activity may be considered illegal. Failure to follow this due diligence step could be very costly.

This idea does not leave the prospective client feeling targeted. By sending out the press releases and flyers you are increasing the overall public awareness. It gets your name out there and lets the clients seek you out if they feel they need your services.



This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/

Received on Wed Nov 13 06:13:42 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:31 EDT
