PaulDotCom mailing list archives
Re: Learning from Leaked Insider Threat Pentest Report for Major US Oil Company
From: Jim Chrisos <jchrisos () gmail com>
Date: Thu, 12 Aug 2010 08:23:36 -0500
Anyone have even a sanitized version of the report? I'd love to see the design, sections and formatting of it.

On Sat, Aug 7, 2010 at 6:31 AM, John Strand <strandjs () gmail com> wrote:
OK... I have to ask... Who was the company?

On Thu, Aug 5, 2010 at 4:24 PM, David Sharpe <david () sharpesecurity com> wrote:

At the recent Black Hat USA 2010 security conference, a well known Washington DC area security service provider accidentally leaked a sensitive penetration test report for a major US-based oil company containing enough sensitive information to gain Windows domain administrator access rights as well as the username and password for everyone in the target company's domain. According to the detailed report, these access rights included the ability to access servers containing SCADA system information. The report was not encrypted or password-protected in any way. Anyone with access to the leaked document and a copy of Microsoft Word could read the report in full. The file was inadvertently distributed on USB keys provided to some attendees.

I guess the lesson here is that, as a service provider, you must take absolutely every precaution to safeguard customer data. As a purchaser of pentest services, you should make sure that you contractually require your pentest vendor to take any necessary precautions to safeguard whatever reports and data they might retain. If you need boilerplate terms and services contract language, please contact me via email or at @sharpesecurity on Twitter. If there is enough demand, I may post the sample contract language online.

A sanitized version of the steps used to compromise the target is available at http://sharpesecurity.blogspot.com/2010/07/major-oil-company-data-leaked-by.html .
--
David
blog: sharpesecurity.blogspot.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Current thread:
- Learning from Leaked Insider Threat Pentest Report for Major US Oil Company David Sharpe (Aug 06)
- Re: Learning from Leaked Insider Threat Pentest Report for Major US Oil Company John Strand (Aug 07)
- Re: Learning from Leaked Insider Threat Pentest Report for Major US Oil Company Jim Chrisos (Aug 12)
- Re: Learning from Leaked Insider Threat Pentest Report for Major US Oil Company John Strand (Aug 07)