While I agree somewhat with some of the specifics, I disagree strongly with the main 
implication.
 
The main implication of this email is that "it's OK to test the client's web site on a 
hosted system as long as the client requests it".
 
Uh uh.  You have no agreement with the hosting company, and that's the box/application 
you are testing.  It makes no difference if the customer of the hosting company has asked you 
to do it UNLESS that privilege is specifically granted to the client in their 
agreement with the hosting company.  In my experience this is highly unlikely, to say 
the least.  Doesn't matter how "benign" the tests.  If you are attempting to hack the 
box, the hosting company can chase you (and in my opinion should).
 
Does your client provide you with an "indemnify and hold harmless" clause in your 
written contract with them?  Does it specifically address this area?  I'll bet not.  
Even if they do, the hosting company can still come after you; at best, indemnify and 
hold harmless will just make the client pay your legal costs and any civil damages and 
will not help at all in a criminal case.
 
It *IS* your responsibility to ensure that your ass is covered.  That means a written 
agreement between all three parties describing what will and will not be done by each 
of the parties.

>first, poking around the website is fairly benign as long as any exploits
>you poke at it with are specifically only at forms, CGIs, applets, and
>scripts for the customer's particular website.


NOPE.  The application and the platform itself are at the hosting company, on their 
network, and are their business.  If they catch you and their policy is to pursue 
criminal or civil damages, an agreement with your client makes no difference.  It's 
almost like you and me having an agreement that it's OK to hack Mitnick's site.

>It is also up to the client to tell the ISP what he is asking for and it is
>your job to remind the client of this.  You are not to notify the ISP nor

Yeah, well, the client may not be able to "tell" the ISP anything.  Typically these 
relationships are governed by contract language.  Most IT shops are really terrible 
about negotiating agreements and don't know how to read or write contract language.  
Typically legal departments only know enough about IT operations to make sure the 
contract is binding, *NOT* that it lets you do what you want.  The result?  Vendor 
paper is completely one-sided and biased.  I have never seen any standard vendor paper 
that lets any arbitrary person attack the hosting site regardless of any other 
agreements.
 
And let's be clear here: there is NO difference between an attack and a security test 
other than the intent.  Certainly no difference that an ISP cares about when you 
threaten their business.
 
>get involved in their contract dispute over whether or not they may
>authorize a security test.  You may not test anything that isn't similar to
>normal web traffic or which may disrupt the other customers hosted on that
>server or with that ISP.  You are restricted to mostly the Information
>Security Testing modules of the OSSTMM (www.osstmm.org).

While it is not your business to get into a contract dispute, it is your business to 
ensure that what you are doing is legal.  That means that you need to have been 
granted the responsibility and authority for performing the tests BY AN ENTITY THAT 
HAS THE LEGAL RIGHT TO GRANT SAID AUTHORITY.  If the agreement between the ISP and 
client does not grant your client that authority specifically, you have no legal basis 
for conducting the test.

>You must also tell the client that while he is virtually hosted, there is
>nothing you can do for him in the way of security that can't be undone by
>the insecurity of other hosts.  I don't remember who it was anymore, but one
>hacker's claim to fame was defacing 900 web pages in a minute-- he broke
>into a web server and scripted a replace of all the index pages on the server
>which affected some 900 customers on that server.

right on!

>-pete.
>www.isecom.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 07, 2003 8:01 AM
To: [EMAIL PROTECTED]
Subject: how to isolate a virtual hosted website, in order to do an A&P?

A customer has asked me to take a look at his web page and "poke around";
initial investigation shows that it is hosted on a large web hosting
company's IP# and is a virtual host off of that IP#.

Obviously hammering that main webhosting company's box would be a no-no,
so how can I focus my security review on that client's specific box?

They are using Apache, not IIS.

Any thoughts?
