re: Odd situation, advice needed on penentration test results

[Harlan Carvey <keydet89 () yahoo com>]

Desmond,

> I think the reason for the original post is because
> the customer is a
> fortune 500 company they may choose to keep
> knowledge of the intrusion in
> house to avoid embarrassment. 

I don't see how that matters.  If that is the
case...then why did the OP post at all?  If the client
wanted to keep it in house, the OP could have simply
gone to the client and said something.  Informing the
client doesn't mean that the OP had to inform LEOs, as
well.  

Yet, instead of informing the client, the OP posted to
a public list for advice.  How difficult would it be
to perhaps track down where the post originated from,
and make assumptions as to who the OP works for, and
then guess who the client might be?

> What should the pen-testers do in this
> case?  

One would think that the answer is pretty obvious. 
Regardless of what the contract for the pen-test
states, one would think that the only *right* thing to
do is to inform the customer.

Remember the problem Microsoft had w/ emails a couple
of years ago, w/ regards to the suit brought against
them?  Well, now, we have a post to a public list. 
What happens if someone familiar w/ the incident,
maybe even the client themselves, see the post?  

> Due to what has been seen it sounds like a
> fairly sophisticated
> intrusion that needs to be analyzed and reported so
> that the security
> community will know about it. 

Reviewing the original post, there's nothing in it
that really speaks to the sophistication of the
intrusion.  Saying that the intrusion is
"sophisticated" is assuming facts that are not in
evidence.  The public list has no idea of the
infrastructure or security posture of the client.

Regarding analyzing the intrusion and reporting it to
the security community...well, if you know of a site
or sites that list such things, please send me the
link.

> Most certainly the companies whose software
> is involved should know about it.  However, the
> pen-tester is under
> contract with the customer and most likely there are
> clauses on
> confidentiality that precludes the tester
> independently choosing what
> actions should be taken or how far the information
> about the breech can be
> disseminated.  In the end it's the customers
> decision isn't it?

Sure.  But don't you think that the customer should
have the opportunity to make the decision?  The OP
basically said that this intrusion was
discovered...what do we do now?  The OP specifically
stated that the client hadn't been informed.  It
should be incumbent upon the OP to inform the client,
and let them make the decision.  If the client is
worried about embarrassment due to public disclosure
of the intrusion...oh, well, kind of late for that,
isn't it?  


__________________________________________________
Do you Yahoo!?
Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
http://platinum.yahoo.com

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.surfcontrol.com/go/zsfptl1