From: Craig Wright (cwright@bdosyd.com.au)
Date: Sun Jun 04 2006 - 21:53:49 EDT
Hi,
Actually, not reporting an offence may be an offence. Some examples
include"
Failure to report computer child porn is an offense in most countries.
Reporting provisions under the US Patriot Act are just a start in the
US.
Reporting provisions in cases of material fraud apply in most countries
Provisions for not reporting under the Cybercrime Act 2001 (Cwlth), and
the provisions covering - computer-related forgery for example apply in
Australia.
There is the UK "Duties to Report and the Proceeds Of Crime Act 2002"
"Section 330 of the Proceeds of Crime Act 2002 - Failure to disclose"
In France there are offences that specifically punish failures to
report, namely Articles 434-1, 434-2 and 434-3.
Contracts do not allow privity in cases where the act is illegal. You
can not exclude liability for not reporting a crime. You can agree
procedures. "By choosing to carry out a profession, the individual is
assumed to have chosen the responsibilities and duties that come with
it" (Dr Rachael Stretch, Nottingham Trent University).
So, "Unless there is immediate threat of danger to life or limb you do
not report it to the police or anyone else" is not generally correct.
Regards
Craig
-----Original Message-----
From: Dotzero [mailto:dotzero@gmail.com]
Sent: Saturday, 3 June 2006 10:16 AM
To: Robin Wood
Cc: pen-test@securityfocus.com
Subject: Spam: Re: what to do it illegal activity found during pen-test
On 6/2/06, Robin Wood <dninja@gmail.com> wrote:
> Hi
> I was wondering the other day, what should I do if during a pen test I
> found some illegal activity (internal, not from hackers) on the
> network being tested. My initial
> thought was report it to the police and let them sort it out but then
> thought I suppose that depends on the activity taking place. One one
> hand you could find a ftp site with a couple of movies on, the other
> you could find a website full of child porn. The first may just need a
> mention to the company IT staff, the second would definitely warrant
> police attention.
>
This should have been specified in the initial contract. You report
the issue in writing to the security contact (which may not be IT)
that was designated in the contract at the start of the engagement. If
it is by email you encrypt it using the public key of the security
contact given to you at the initiation of the engagement. If you are
not the contact person on your side then you report it up through
channels to the engagement manager.
Unless there is immediate threat of danger to life or limb you do not
report it to the police or anyone else. My experience is that an NDA
is normally signed prior to the start of the pentest. Hopefully you
read what you signed. We review their NDA and have our attorney review
it as well. They do the same for ours. Invariably it has been redlined
by someone. That needs to get resolved. Believe me, people do get sued
over these sorts of things.
Consider the case of doing a pentest for a public company. You went to
the police and reported something. It became public and a couple of
hundred million dollars (or more) gets knocked off of their market
capitalization. Even worse, you got something wrong in the information
you gave and which was made public. You are begging to be sued....even
if there wasn't an NDA. It's a tort.
Also consider that you may be called as a witness (possibly as an
expert witness) depending on the specifics of the situation. You do
not want your footprints muddying the "scene". Every single thing that
you did will be scrutinized by one side or the other. Your expertise
may be publicly dragged through the mud in an effort to discredit you
as an expert witness (or just a witness). Someone starts rattling off
a question about some RFC or another or something obscure about packet
headers. You may not know a particular detail without referring to the
RFC.
You want to be rock solid on what you are going to be asked about.
Basically, at such and such a time during a contracted pentest we
found XYZ which we believed to indicate possible illegal activity. We
immediately stopped the pentest and reported it to the company
security contact as designated in our agreement with them. Based on
their response and instructions we then did blah blah blah (Whether
that is stand down or they contracted us to investigate the
matter...whatever).
The more you follow a preset script the better you address potential
liability and legal issues. One step (early) in that script should be
to contact your legal advisor if only to make sure they will be
available if needed on short notice.
What if YOU are accused of some act as part of how it plays out? After
all, you found the activity while engaged in the act of compromising
their network and servers. You may have had proper permission but if
it becomes a legal case you are fair game. You want to be squeaky
clean.
> Talking to someone they suggested the case where a web cam was being
> used to watch women's toilets. Should that be reported to the company
> first to stop the activity, then to the police, or could reporting it
> to the company give the perpetrator time to clean up their activities.
>
Your obligation is to report it to the security contact designated by
the company. Your job is not to stop the activity or prevent clean up.
You have been engaged in a specific scope to provide professional
services related to security in a very specific way.... a penetration
test.
> All this is just idle questions at the moment but I'm curious to see
> if anyone has come across this kind of situation and how did they
> dealt with it. As I'm in the UK I'm particularly interested in any UK
> stories.
>
I've dealt with a couple situations like this. My approach was as
indicated above. I was fortunate to have input from folks more
experienced than I was at the time. My subsequent experience pretty
much meshed with their advice.
------------------------------------------------------------------------
------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise,
you need to proactively protect your applications from hackers. Cenzic
has the
most comprehensive solutions to meet your application security
penetration
testing and vulnerability management needs. You have an option to go
with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service
can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm
your
results from other product. Contact us at request@cenzic.com for
details.
------------------------------------------------------------------------
------
Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.
DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.
Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.
BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:02 EDT