Remote Exploit Forums

#11
11-01-2009, 04:06 PM
wyze
Jenkem Addict
Join Date: Jul 2007
Location: chmod 400
Posts: 1,593

Quote:
Originally Posted by sociopathichaze
So I worked a temp job at a college help desk for a couple of weeks. During the lulls in calls, I began poking around the campus network. Nothing intrusive, just a few pings and traceroutes at first. However, as the days went on I became so bored I started mapping the entire network and doing my own security audit of the college. At the end of the two weeks I had a page and a half list of all the problems with the "security" they had implemented. Being the ethical guy I am, I sent the list to the head of the department. Fast forward two months and three emails later, and they've done nothing. Not even the simplest things on the list, like password protect your network printers if you're going to use a 1to1 nat and not use ACLs to block external access. Personally I wouldn't mess with the network because there's no challenge in it, but I'm to the point where I think these lazy/incompetent admins should be taught a lesson. At the same time I feel bad for the students/faculty that have these morons "protecting" their data. So I'm gonna put it to a vote.
Should I post all the info I obtained?
Should I email the Dean and explain why he should fire these idiots?
Should I email everyone in the student/faculty directory telling them their data isn't safe?
Should I do nothing and let their current security through obscurity model stand?
Should I post this in a different forum where someone might care?
You sound like some kind of vigilante. Since you crossed the line and can see network insecurities, your only option is to quit going to the school if you feel they aren't protecting your data.
__________________
dd if=/dev/swc666 of=/dev/wyze
#12
11-01-2009, 04:09 PM
wyze
Jenkem Addict
Join Date: Jul 2007
Location: chmod 400
Posts: 1,593

Quote:
Originally Posted by sociopathichaze
Just to be clear on what some of you are defending, by sticking up for these misunderstood admins.
-Firewall password is "password"
-IDS on firewall is off.
-ACLs are non-existent.
-IP security camera system switch doesn't have a password.
-Policies allow guest access to administrative shares.
-Wifi is WEP and just uses mac filtering.
-5+ Network printers have no password and have public IPs. You can type in the ip from anywhere and have full access to the hp web gui.
-Because they're a college they have a class b ip range but have less than 2,000 users. Which all get assigned a public ip.
-They have a staff of 20+ who mainly sit around waiting to fix paper jams.
-As far as their IT Policy, they don't have one, or at least I didn't have to sign one.

These are all things both easy and free to fix.
And right here, I'm fairly certain you are committing a felony by sharing this.
__________________
dd if=/dev/swc666 of=/dev/wyze
#13
11-01-2009, 05:51 PM
Isohump
Member
Join Date: Sep 2009
Posts: 52

Quote:
Originally Posted by Gitsnik

Do the right thing, keep your mouth shut and move on. It's not your network, it's not your problem, and you're not a student there.
It takes a real man to say and do what Gitsnik said.
__________________
One day your life will flash before your eyes. Make sure it's worth watching.
#14
11-01-2009, 07:06 PM
_DoS_
Junior Member
Join Date: Oct 2009
Posts: 11

Quote:
Originally Posted by sociopathichaze
So I worked a temp job at a college help desk for a couple of weeks. During the lulls in calls, I began poking around the campus network. Nothing intrusive, just a few pings and traceroutes at first. However, as the days went on I became so bored I started mapping the entire network and doing my own security audit of the college. At the end of the two weeks I had a page and a half list of all the problems with the "security" they had implemented. Being the ethical guy I am, I sent the list to the head of the department. Fast forward two months and three emails later, and they've done nothing. Not even the simplest things on the list, like password protect your network printers if you're going to use a 1to1 nat and not use ACLs to block external access. Personally I wouldn't mess with the network because there's no challenge in it, but I'm to the point where I think these lazy/incompetent admins should be taught a lesson. At the same time I feel bad for the students/faculty that have these morons "protecting" their data. So I'm gonna put it to a vote.
Should I post all the info I obtained?
Should I email the Dean and explain why he should fire these idiots?
Should I email everyone in the student/faculty directory telling them their data isn't safe?
Should I do nothing and let their current security through obscurity model stand?
Should I post this in a different forum where someone might care?
Just by starting this post and sharing this I think you are just trying to show off your skills and that you have knowledge, which is fine and very good for you, but try not to force it too much. If they have flaws, so what? You are not the admin, and your best hint is not to check your email when you are at school, or do anything that you are aware will harm you in either way. Poking there (including posting here about this) will only get you in trouble, nothing more.

Just remember the BT starting logo and the little text that is written there.

Regards
__________________
If you wait to do everything until you are sure it's right, you'll probably never do much of anything.
#15
11-01-2009, 11:50 PM
Thorn
Senior Member
Join Date: Jul 2007
Location: The Village, of course
Posts: 1,271

Quote:
Originally Posted by sociopathichaze
So I worked a temp job at a college help desk for a couple of weeks. During the lulls in calls, I began poking around the campus network. Nothing intrusive, just a few pings and traceroutes at first. However, as the days went on I became so bored I started mapping the entire network and doing my own security audit of the college. At the end of the two weeks I had a page and a half list of all the problems with the "security" they had implemented. Being the ethical guy I am, I sent the list to the head of the department. Fast forward two months and three emails later, and they've done nothing. Not even the simplest things on the list, like password protect your network printers if you're going to use a 1to1 nat and not use ACLs to block external access. Personally I wouldn't mess with the network because there's no challenge in it, but I'm to the point where I think these lazy/incompetent admins should be taught a lesson. At the same time I feel bad for the students/faculty that have these morons "protecting" their data. So I'm gonna put it to a vote.
Should I post all the info I obtained?
Should I email the Dean and explain why he should fire these idiots?
Should I email everyone in the student/faculty directory telling them their data isn't safe?
Should I do nothing and let their current security through obscurity model stand?
Should I post this in a different forum where someone might care?
Quote:
Originally Posted by sociopathichaze
Just to be clear on what some of you are defending, by sticking up for these misunderstood admins.
-Firewall password is "password"
-IDS on firewall is off.
-ACLs are non-existent.
-IP security camera system switch doesn't have a password.
-Policies allow guest access to administrative shares.
-Wifi is WEP and just uses mac filtering.
-5+ Network printers have no password and have public IPs. You can type in the ip from anywhere and have full access to the hp web gui.
-Because they're a college they have a class b ip range but have less than 2,000 users. Which all get assigned a public ip.
-They have a staff of 20+ who mainly sit around waiting to fix paper jams.
-As far as their IT Policy, they don't have one, or at least I didn't have to sign one.

These are all things both easy and free to fix.
Quote:
Originally Posted by archangel.amael

EDIT: As an after thought I would also wait to see what our member Thorn has to say about this thread. Being a former LEO I am sure he can offer some good advice to help encourage you to look the other way.
OK, I'll pipe in here.

sociopathichaze, you may be "right" in that, technically, some or all of these things should be corrected. However, you were dead wrong in even attempting to find these issues in the first place.

You did NOT do a "security audit" no matter how you rationalize it in your own mind. A security audit is done by professionals, under contract, using standardized procedures, within a specified scope. On top of that, those professionals adhere to ethical standards. So far, what you've done is at best, unauthorized poking around in areas you had no right or authority to be near, and what are by my count, at least three felonies, and something on the order of 5-20 counts of each felony, depending on the jurisdiction and how the police and prosecutor see each felony. Also, you've broken just about every ethical standard adhered to by professional pen testers.

Quote:
Originally Posted by Gitsnik
Do the right thing, keep your mouth shut and move on. It's not your network, it's not your problem, and you're not a student there.
This is the best advice. The school admins may be wrong in the area of best practices, but you, sociopathichaze, are the one who has committed crimes, and you've pointed it out to the victim. So far you've been lucky that they ARE complacent. If they weren't complacent, they would have had you arrested and charged with a crime. They still could.

If you insist that you "post all the info [you] have obtained, email the Dean and explain why he should fire these idiots, email everyone in the student/faculty directory telling them their data isn't safe", or continue with any other action along those same lines, you're going to force their hand. What will happen is that you won't be the good guy, you will be the "Temp Worker Charged with Hacking Local College. Details on the 6 O'clock Report."

If you don't let this die, then your next step should be to get a competent defense attorney. You'll need one.
__________________
Thorn

“Never try to teach a pig to sing; it wastes your time and it annoys the pig.”
- Robert Heinlein
#16
11-02-2009, 12:44 AM
streaker69
Senior Member
Join Date: May 2007
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
Posts: 3,511

Quote:
Originally Posted by wyze
And right here, I'm fairly certain you are committing a felony by sharing this.
He didn't really commit a felony by sharing it, but he did indeed commit a felony in finding it.

My guess, he's thinking that he'll get hired as an admin and be able to leave helldesk by submitting this information to management.
__________________
A 3rd Party Security Audit is the IT equivalent of a Colonoscopy, it's long, intrusive, and when it's done you'll have seen a lot of things you really didn't want to see, and you'd definitely remember that you had it done.

I baby harp seals.