Sunday, June 11, 2006

VA gone Wrong: INQ7.com vs. MB.com.ph

A couple of weeks ago, while reading the Sunday edition of the Philippine Daily Inquirer, I saw a "public apology" from a certain Art Samaniego, a Manila Bulletin employee, basically saying that they are sorry for doing an "unauthorized vulnerability testing (VA)" of the inq7.net website. This struck a chord in me because I just came from a week-long Certified Penetration Testing training.


One of the things that was taught to us was to *never ever* do an unauthorized VA of any website. Unauthorized vulnerability testing is tantamount to a hacking attempt because such exercises expose a "target" website's weaknesses. If caught, an unauthorized "penetration tester" is liable under the E-Commerce Law. Apparently, inq7's Intrusion Detection System (IDS) was able to detect suspicious port scanning on their website and in turn trace it to the Manila Bulletin's public IP addresses.

Note to self: do not perform penetration testing without proper authorization.
