Re: Odd situation, advice needed on penentration test results

[Desmond Irvine <desmond.irvine () sheridanc on ca>]

Harlan Carvey wrote:
> Desmond,
>
> > I think the reason for the original post is because
> > the customer is a
> > fortune 500 company they may choose to keep
> > knowledge of the intrusion in
> > house to avoid embarrassment. 
>
> I don't see how that matters.  If that is the
> case...then why did the OP post at all?  If the client
> wanted to keep it in house, the OP could have simply
> gone to the client and said something.  Informing the
> client doesn't mean that the OP had to inform LEOs, as
> well.  

Yes, they should have informed the client that was what the last line of my 
message said.

> Yet, instead of informing the client, the OP posted to
> a public list for advice.  How difficult would it be
> to perhaps track down where the post originated from,
> and make assumptions as to who the OP works for, and
> then guess who the client might be?

As I was trying to get across in my message I think the OP was trying to get 
advice on what to do because this was a situation that they felt was 
extraordinary, at least for them so they are looking for advice from their peers.

> > What should the pen-testers do in this
> > case?  
>
> One would think that the answer is pretty obvious. 
> Regardless of what the contract for the pen-test
> states, one would think that the only *right* thing to
> do is to inform the customer.

Once again, I think this is what my message said.

> Remember the problem Microsoft had w/ emails a couple
> of years ago, w/ regards to the suit brought against
> them?  Well, now, we have a post to a public list. 
> What happens if someone familiar w/ the incident,
> maybe even the client themselves, see the post?  

Yes, I agree that someone familiar with the incident who sees the post will be 
able to link the two and this could lead to any number of bad outcomes for the 
OP, etc.  The intruder could see the posting and "do something very bad". 
Measuring the likelyhood of this is part of the choice (risk analysis) that the 
poster choose to take.  If I were the customer and found out I would certainly 
rethink my hiring choice at the very least.

> > Due to what has been seen it sounds like a
> > fairly sophisticated
> > intrusion that needs to be analyzed and reported so
> > that the security
> > community will know about it. 
>
> Reviewing the original post, there's nothing in it
> that really speaks to the sophistication of the
> intrusion.  Saying that the intrusion is
> "sophisticated" is assuming facts that are not in
> evidence.  The public list has no idea of the
> infrastructure or security posture of the client.

You're right I did assume it was sophisticated based on the mention of source 
code from unnamed vendors being present on the machine.  It's fair to say that 
this does not mean the intrusion was "sophisticated".  However, I think the 
presence of the source code is part of the reason for the posting.  Once again, 
I'm assuming that the source code isn't from an open source firewall so the 
poster was concerned, confused and wanted to do the right thing.

> Regarding analyzing the intrusion and reporting it to
> the security community...well, if you know of a site
> or sites that list such things, please send me the
> link.

Isn't that what happens on various security lists all the time.  Dave Dittrich, 
eEye and the honeynet project amongst others have made available quite detailed 
reports on intrusions or what has led to many intrusions at various times.

> > Most certainly the companies whose software
> > is involved should know about it.  However, the
> > pen-tester is under
> > contract with the customer and most likely there are
> > clauses on
> > confidentiality that precludes the tester
> > independently choosing what
> > actions should be taken or how far the information
> > about the breech can be
> > disseminated.  In the end it's the customers
> > decision isn't it?
>  
> Sure.  But don't you think that the customer should
> have the opportunity to make the decision?  The OP
> basically said that this intrusion was
> discovered...what do we do now?  The OP specifically
> stated that the client hadn't been informed.  It
> should be incumbent upon the OP to inform the client,
> and let them make the decision.  If the client is
> worried about embarrassment due to public disclosure
> of the intrusion...oh, well, kind of late for that,
> isn't it?  

It will be too late for the client if and when someone links them to incident 
which may or may not ever get reported.  The poster gave away more information 
that they needed to ask their question, but they have tried to maintain some 
level of anonymity for everyone involved (no company names, etc. have been 
mentioned).  I once again think my last line is fairly clear in stating that I 
think "In the end it's the customers decision..."


top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.surfcontrol.com/go/zsfptl1