re: Odd situation, advice needed on penentration test results

["R. DuFresne" <dufresne () sysinfo com>]

If the pentesters signed off on a NDC, then they have no choice but to
leave it to the client to deal with this issue.

Also, should others face something like this in their work, they should
now understand, once something like this is discovered they should end
further testing while they inform the client of the breach they have
spotted and allow their clients time to secure the comprimised systems
before continuing.  A crime was witnessed and thus the testers were
obligated to deal with their client ASAP on the issue noted before
continuing on further.  Anything more or less than this would constitute
something on the order of aiding and abetting in the commision of a
felony, and at the least a moral lack of professional integrity.

Thanks,

Ron DuFresne


On Thu, 27 Mar 2003, Desmond Irvine wrote:

> I think the reason for the original post is because the customer is a
> fortune 500 company they may choose to keep knowledge of the intrusion in
> house to avoid embarrassment.  What should the pen-testers do in this
> case?  Due to what has been seen it sounds like a fairly sophisticated
> intrusion that needs to be analyzed and reported so that the security
> community will know about it.  Most certainly the companies whose software
> is involved should know about it.  However, the pen-tester is under
> contract with the customer and most likely there are clauses on
> confidentiality that precludes the tester independently choosing what
> actions should be taken or how far the information about the breech can be
> disseminated.  In the end it's the customers decision isn't it?
>
> On Wed, 26 Mar 2003, Harlan Carvey wrote:
>
> > From what I understand of your situation, during the
> > course of a pen-test, you ran across a potential
> > intruder, potentially in the process of committing a
> > crime.
> >
> > If this is the situation, I have to wonder why you're
> > bothering to ask the list what to do.  One would think
> > that if your customer is potentially loosing something
> > very important and valuable, that you'd immediatly
> > switch from pen-test mode to forensics mode...or at
> > the very least inform the customer.
> >
> > I guess I just don't understand why there's any
> > indecision at all...
> >
> > __________________________________________________
> > Do you Yahoo!?
> > Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
> > http://platinum.yahoo.com
> >
> > top spam and e-mail risk at the gateway.
> > SurfControl E-mail Filter puts the brakes on spam & viruses
> > and gives you the reports to prove it. See exactly how much
> > junk never even makes it in the door. Free 30-day trial:
> > http://www.surfcontrol.com/go/zsfptl1
>
>
> top spam and e-mail risk at the gateway.
> SurfControl E-mail Filter puts the brakes on spam & viruses
> and gives you the reports to prove it. See exactly how much
> junk never even makes it in the door. Free 30-day trial:
> http://www.surfcontrol.com/go/zsfptl1

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!


top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.surfcontrol.com/go/zsfptl1