RE: what to do it illegal activity found during pen-test

From: Andy Meyers (andy.meyers@hushmail.com)
Date: Sat Jun 03 2006 - 00:03:38 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I agree with a lot of what dotzero said. But what comes to my mind are two
other additional things I don't think he mentioned (one is an opinion).

1. The country or local applicable laws.
2. Ethics: is it pirated software, child porn or terrorist plans? If it's
the latter of the two I would report it since this has to deal with
personal harm or deals with an underage person.

- -----------
Ashes
PGP: http://ashesbelow.ath.cx/public.txt

- -----Original Message-----
From: Dotzero [mailto:dotzero@gmail.com]
Sent: Friday, June 02, 2006 5:16 PM
To: Robin Wood
Cc: pen-test@securityfocus.com
Subject: Re: what to do it illegal activity found during pen-test

On 6/2/06, Robin Wood <dninja@gmail.com> wrote:
> Hi
> I was wondering the other day, what should I do if during a pen test I
> found some illegal activity (internal, not from hackers) on the
> network being tested. My initial thought was report it to the police
> and let them sort it out but then thought I suppose that depends on
> the activity taking place. One one hand you could find a ftp site with
> a couple of movies on, the other you could find a website full of
> child porn. The first may just need a mention to the company IT staff,
> the second would definitely warrant police attention.
>

This should have been specified in the initial contract. You report the
issue in writing to the security contact (which may not be IT) that was
designated in the contract at the start of the engagement. If it is by
email you encrypt it using the public key of the security contact given to
you at the initiation of the engagement. If you are not the contact person
on your side then you report it up through channels to the engagement
manager.

Unless there is immediate threat of danger to life or limb you do not
report it to the police or anyone else. My experience is that an NDA is
normally signed prior to the start of the pentest. Hopefully you read what
you signed. We review their NDA and have our attorney review it as well.
They do the same for ours. Invariably it has been redlined by someone. That
needs to get resolved. Believe me, people do get sued over these sorts of
things.

Consider the case of doing a pentest for a public company. You went to the
police and reported something. It became public and a couple of hundred
million dollars (or more) gets knocked off of their market capitalization.
Even worse, you got something wrong in the information you gave and which
was made public. You are begging to be sued....even if there wasn't an NDA.
It's a tort.

Also consider that you may be called as a witness (possibly as an expert
witness) depending on the specifics of the situation. You do not want your
footprints muddying the "scene". Every single thing that you did will be
scrutinized by one side or the other. Your expertise may be publicly
dragged through the mud in an effort to discredit you as an expert witness
(or just a witness). Someone starts rattling off a question about some RFC
or another or something obscure about packet headers. You may not know a
particular detail without referring to the RFC.

You want to be rock solid on what you are going to be asked about.
Basically, at such and such a time during a contracted pentest we found XYZ
which we believed to indicate possible illegal activity. We immediately
stopped the pentest and reported it to the company security contact as
designated in our agreement with them. Based on their response and
instructions we then did blah blah blah (Whether that is stand down or they
contracted us to investigate the matter...whatever).

The more you follow a preset script the better you address potential
liability and legal issues. One step (early) in that script should be to
contact your legal advisor if only to make sure they will be available if
needed on short notice.

What if YOU are accused of some act as part of how it plays out? After all,
you found the activity while engaged in the act of compromising their
network and servers. You may have had proper permission but if it becomes a
legal case you are fair game. You want to be squeaky clean.

> Talking to someone they suggested the case where a web cam was being
> used to watch women's toilets. Should that be reported to the company
> first to stop the activity, then to the police, or could reporting it
> to the company give the perpetrator time to clean up their activities.
>

Your obligation is to report it to the security contact designated by the
company. Your job is not to stop the activity or prevent clean up.
You have been engaged in a specific scope to provide professional services
related to security in a very specific way.... a penetration test.

> All this is just idle questions at the moment but I'm curious to see
> if anyone has come across this kind of situation and how did they
> dealt with it. As I'm in the UK I'm particularly interested in any UK
> stories.
>

I've dealt with a couple situations like this. My approach was as indicated
above. I was fortunate to have input from folks more experienced than I was
at the time. My subsequent experience pretty much meshed with their advice.

-
----------------------------------------------------------------------------
- --
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise, you need to proactively protect your applications from hackers.
Cenzic has the most comprehensive solutions to meet your application
security penetration testing and vulnerability management needs. You have
an option to go with a managed service (Cenzic ClickToSecure) or an
enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a
managed service can help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
-
----------------------------------------------------------------------------
- --

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify/
Version: Hush 2.5
Charset: UTF8

wkYEARECAAYFAkSBChkACgkQnZu7yPmLRpB7sgCgsgMsbzgo63MM3mUuMHF1ejAkq6UA
n1FIurmR8cw9jawk5vpEr2JSUS8V
=D2Rr
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:02 EDT