From: Ebeling, Jr., Herman Frederick (hfebelingjr@lycos.com)
Date: Wed Jun 07 2006 - 15:55:57 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ----Original Message----
From: Dotzero [mailto:dotzero@gmail.com]
Sent: Friday, 02 June, 2006 20:16
To: Robin Wood
Cc: pen-test@securityfocus.com
Subject: Re: what to do it illegal activity found during pen-test
: On 6/2/06, Robin Wood <dninja@gmail.com> wrote:
: : Hi
: : I was wondering the other day, what should I do if during a pen
: : test I found some illegal activity (internal, not from hackers)
: : on the network being tested. My initial
: : thought was report it to the police and let them sort it out but
: : then thought I suppose that depends on the activity taking place.
: : On one hand you could find a ftp site with a couple of movies
: : on, the other you could find a website full of child porn. The
: : first may just need a mention to the company IT staff, the second
: : would definitely warrant police attention.
: :
:
: This should have been specified in the initial contract. You report
: the issue in writing to the security contact (which may not be IT)
: that was designated in the contract at the start of the engagement.
: If it is by email you encrypt it using the public key of the
security
: contact given to you at the initiation of the engagement. If you
are
: not the contact person on your side then you report it up through
: channels to the engagement manager.
Ah but the problem with that IF I'm not mistaken is that you cannot
contract to commit an illegal act. Or I would presume to "cover one
up," either.
:
: Unless there is immediate threat of danger to life or limb you do
: not report it to the police or anyone else. My experience is that
: an NDA is normally signed prior to the start of the pentest.
: Hopefully you read what you signed. We review their NDA and have
: our attorney review it as well. They do the same for ours.
Invariably
: it has been redlined by someone. That needs to get resolved.
Believe
: me, people do get sued over these sorts of things.
In the case of kiddie porn, I don't think that one needs to "wait
and see" if there is "immediate" threat to life or limb. Or in the
case of finding plans for a terrorist plot.
:
: Consider the case of doing a pentest for a public company. You went
: to the police and reported something. It became public and a
couple
: of hundred million dollars (or more) gets knocked off of their
market
: capitalization. Even worse, you got something wrong in the
information
: you gave and which was made public. You are begging to be
sued....even
: if there wasn't an NDA. It's a tort.
But in the case of finding kiddie porn, or terrorist plots, wouldn't
it be better to err on the side of reporting it then not and giving
them the chance to move it to someplace where it might not be found?
:
: Also consider that you may be called as a witness (possibly as an
: expert witness) depending on the specifics of the situation. You do
: not want your footprints muddying the "scene". Every single thing
: that you did will be scrutinized by one side or the other. Your
: expertise may be publicly dragged through the mud in an effort to
: discredit you as an expert witness (or just a witness). Someone
: starts rattling off a question about some RFC or another or
something
: obscure about packet headers. You may not know a particular detail
without
: referring to the RFC.
But in the case of "kiddie porn" isn't it better that one's
reputation takes a "hit" then for those slime bags to hurt another
child?
:
: You want to be rock solid on what you are going to be asked about.
: Basically, at such and such a time during a contracted pentest we
: found XYZ which we believed to indicate possible illegal activity.
: We immediately stopped the pentest and reported it to the company
: security contact as designated in our agreement with them. Based on
: their response and instructions we then did blah blah blah (Whether
: that is stand down or they contracted us to investigate the
: matter...whatever).
What if the person that yer suppose to deal with, is the one who is
responsible for the illegal activity in the first place? I mean
that's always a possibility. And in the case of terrorist plans
isn't it conceivable that if ya reported it back to the contact
specified in the contract, and that they're part of said terrorist
plans that ya could be putting your life in jeopardy by reporting to
them before going to the police??? I mean as the old saying goes
"Just because you're paranoid, doesn't mean that there isn't someone
after you. . ."
:
: The more you follow a preset script the better you address
potential
: liability and legal issues. One step (early) in that script should
: be to contact your legal advisor if only to make sure they will be
: available if needed on short notice.
:
: What if YOU are accused of some act as part of how it plays out?
: After all, you found the activity while engaged in the act of
: compromising their network and servers. You may have had proper
: permission but if it becomes a legal case you are fair game. You
: want to be squeaky clean.
Ah, but shouldn't/wouldn't the logs show how long those files had
been there??? As well as possibly who has had access to them?
:
: : Talking to someone they suggested the case where a web cam was
: : being used to watch women's toilets. Should that be reported to
: : the company first to stop the activity, then to the police, or
: : could reporting it to the company give the perpetrator time to
: : clean up their activities.
: :
:
: Your obligation is to report it to the security contact designated
: by the company. Your job is not to stop the activity or prevent
clean
: up. You have been engaged in a specific scope to provide
professional
: services related to security in a very specific way.... a
: penetration test.
Again, though what if the contact person is the one who is
responsible for the illegal actions? Then whom do you report to?
:
: : All this is just idle questions at the moment but I'm curious to
: : see if anyone has come across this kind of situation and how did
: : they dealt with it. As I'm in the UK I'm particularly interested
: : in any UK stories.
: :
:
: I've dealt with a couple situations like this. My approach was as
: indicated above. I was fortunate to have input from folks more
: experienced than I was at the time. My subsequent experience pretty
: much meshed with their advice.
:
That's good to hear, but every case/situation is different. And
what worked for one case/situation may not work for another
case/situation.
- -----
Herman
Live Long and Prosper
___________________ _-_
\==============_=_/ ____.---'---`---.____
\_ \ \----._________.----/
\ \ / / `-_-'
__,--`.`-'..'-_
/____ ||-
`--.____,-'
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
Comment: Space the Final Frontier
iQA/AwUBRIcvSR/i52nbE9vTEQK+AgCdHEbfaVi/+R5U0VqtQGnZ87dJ/FkAoOXE
Y5JHMM91N2dxuSErL1xyvCKO
=K0d/
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:03 EDT