Re: Odd situation, advice needed on penetration test results
From: Desmond Irvine <desmond.irvine(at)sheridanc.on.ca>
Date: Thu Mar 27 2003 - 10:08:40 EST
Harlan Carvey wrote:
>> I think the reason for the original post is because the customer is a fortune 500 company they may choose to keep knowledge of the intrusion in house to avoid embarrassment.
>
> I don't see how that matters. If that is the

Yes, they should have informed the client; that was what the last line of my message said.

> Yet, instead of informing the client, the OP posted to
As I was trying to get across in my message, I think the OP was trying to get advice on what to do because this was a situation that they felt was extraordinary, at least for them, so they are looking for advice from their peers.

>> What should the pen-testers do in this case?
>
> One would think that the answer is pretty obvious.

Once again, I think this is what my message said.

> Remember the problem Microsoft had w/ emails a couple
Yes, I agree that someone familiar with the incident who sees the post will be able to link the two, and this could lead to any number of bad outcomes for the OP, etc. The intruder could see the posting and "do something very bad". Measuring the likelihood of this is part of the choice (risk analysis) that the poster chose to take. If I were the customer and found out, I would certainly rethink my hiring choice at the very least.

>> Due to what has been seen it sounds like a fairly sophisticated intrusion that needs to be analyzed and reported so that the security community will know about it.
>
> Reviewing the original post, there's nothing in it

You're right, I did assume it was sophisticated based on the mention of source code from unnamed vendors being present on the machine. It's fair to say that this does not mean the intrusion was "sophisticated". However, I think the presence of the source code is part of the reason for the posting. Once again, I'm assuming that the source code isn't from an open source firewall, so the poster was concerned, confused and wanted to do the right thing.

> Regarding analyzing the intrusion and reporting it to
Isn't that what happens on various security lists all the time? Dave Dittrich, eEye and the honeynet project, amongst others, have made available quite detailed reports on intrusions or what has led to many intrusions at various times.

>> Most certainly the companies whose software is involved should know about it. However, the pen-tester is under contract with the customer and most likely there are clauses on confidentiality that preclude the tester independently choosing what actions should be taken or how far the information about the breach can be disseminated. In the end it's the customer's decision, isn't it?
>
> Sure. But don't you think that the customer should

It will be too late for the client if and when someone links them to the incident, which may or may not ever get reported. The poster gave away more information than they needed to ask their question, but they have tried to maintain some level of anonymity for everyone involved (no company names, etc. have been mentioned). I once again think my last line is fairly clear in stating that I think "In the end it's the customer's decision..."

Received on Thu Mar 27 12:10:32 2003