
Thread: Ethical and legal hacking question

  1. #1
    Member
    Join Date
    May 2006
    Posts
    119

    Ethical and legal hacking question

    The following scenario has always intrigued me and I welcome some feedback on how best to handle it.

    A pentester is hired to gain as much information about a company's assets as possible. One of the social engineering tools he uses is an email message that, once clicked on, downloads a malicious file that then gives the hacker access to the internal network. Now all that is well and good if the employee downloads the email while at work and at their work computer.

    But many people work from home these days and use a mixture of company and home computers. And many people check their company email from web hosting accounts like Yahoo or Hotmail or Gmail.

    So what's the legal challenge when an employee now downloads that malicious company email onto their home computer and now the pentester has access to that person's personal (and not company) computer. The employee discovers this and brings charges against the pentester.

    What's to do now?

  2. #2
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509


    If those kinds of tools are being used, this should be anticipated and should be within the scope of the contract. As such, this shouldn't be an issue for the pentester.

    It may be an issue for the employer, although most of the things I've seen governing employee email say that if an employee accesses email at home for their convenience, anything that happens is their tough luck.
    Thorn
    Stop the TSA now! Boycott the airlines.

  3. #3


    1. The usual organizational security policy should be very clear to every employee: you can NOT forward business email to your private account, nor should you be allowed to add the business POP3/IMAP/Exchange account to your private computer (a simple organizational data-protection rule).

    Therefore, as a (certified) pentester, you should mention that to your client and ask explicitly for permission to test this kind of policy violation.

    2. You always need a very clear service agreement for your pentest activities (it's shocking how many pentest service companies still don't have basic coverage in their service agreement; in Germany, for example, there is this stupidity of the 'Hacker Law', and even though there has never been any serious case against a security tester, I always incorporate that very clearly in our agreement and ask for explicit permission to use 'known hacker tools' within the agreed scope). Besides that, this agreement should also state that it's the responsibility of your 'client' to inform all necessary departments about your security assessment activities. Therefore it fully relies on your 'client', e.g. the security officer/works council, whether they inform their employees about this pentest; meaning that if you got permission for 'social engineering testing', the legal impact stays with the client, BUT make it clear in your agreement!

    Even if many pentesters don't want to hear it, it's essential to go through the known security industry certifications, like CISA/CISSP or ISECOM OPST, to learn how to handle these kinds of issues AND, most importantly, it's no longer just technology you have to cover in your pentest activities; that's why more and more people (finally) call it 'Security Assessment' ;-)

    /brtw2003

  4. #4
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629


    Quote Originally Posted by bulgin:
    The following scenario has always intrigued me and I welcome some feedback on how best to handle it.

    A pentester is hired to gain as much information about a company's assets as possible. One of the social engineering tools he uses is a email message sent to employees that once clicked on, downloads a malicious file that then gives the hacker access to the internal network. Now all that is well and good if the employee downloads the email while at work and at their work computer.
    1) If they're using VPN then no problem.
    2) If they're using WebMail, then the pentester might end up testing someone's home network. This would likely be outside the scope of their contract. But it's a grey area, since the employee is accessing a work resource and the pentester has a contract with said resource.
    3) If they're using a 3rd party mail system then there are two issues.
    a) Why? Business email should not be sent to or stored on third party mail infrastructure.
    b) The pentester might end up testing 3rd party resources, which are definitely outside the scope of their contract. This could be a problem.

    There are a few ways to mitigate this:
    - The pentester would choose to only scan or test systems within a particular domain or IP space.
    - They could ensure the file or active content only triggers for people using fat mail clients (not webmail).
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

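One way to implement thorin's first mitigation (only test systems inside the contracted domain or IP space) is a scope gate in front of the server that hands out the lure's payload. The code below is an added example for this thread, not code from any poster; the address ranges, mail domain, user-agent markers and sample hits are all constructed (RFC 5737 and RFC 1918 addresses) and stand in for what a real rules-of-engagement document would list. A request from an in-scope address gets the payload; anything else (a home broadband address, a third-party webmail proxy, a lure forwarded to another organization's domain) gets a harmless decoy and is logged as an out-of-scope hit, which is itself a reportable policy violation rather than something to exploit.

```python
"""Scope gate for a phishing payload server (added example, not from the thread).

Assumes the rules of engagement list the client's public egress ranges and the
internal address space reachable over its VPN, and that each lure link carries
a token identifying the recipient address it was sent to.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed scope; a real engagement copies these from the signed contract.
IN_SCOPE_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # client's corporate egress (constructed)
    ipaddress.ip_network("10.0.0.0/8"),       # client's internal space, reached via VPN (constructed)
]
IN_SCOPE_MAIL_DOMAINS = {"example.com"}       # only lures addressed to the client's own domain count

# Constructed heuristics for the third-party fetchers in thorin's point 3b: webmail
# providers fetch linked content from their own infrastructure, not the employee's PC.
THIRD_PARTY_FETCHER_MARKERS = ("GoogleImageProxy", "YahooMailProxy")


@dataclass
class Request:
    src_ip: str
    user_agent: str
    recipient: str   # address the lure was sent to, recovered from the link token


@dataclass
class Decision:
    action: str      # "payload" or "decoy"
    reason: str


def ip_in_scope(src_ip: str) -> bool:
    """True only if the requester's address falls inside a contracted range."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:          # malformed or spoofed header value: treat as out of scope
        return False
    return any(addr in net for net in IN_SCOPE_NETWORKS)


def decide(req: Request) -> Decision:
    """Serve the payload only when recipient, fetcher and source address are all in scope."""
    domain = req.recipient.rpartition("@")[2].lower()
    if domain not in IN_SCOPE_MAIL_DOMAINS:
        return Decision("decoy", f"recipient domain {domain!r} is not the client's")
    if any(marker in req.user_agent for marker in THIRD_PARTY_FETCHER_MARKERS):
        return Decision("decoy", "fetched by a third-party mail provider's proxy")
    if not ip_in_scope(req.src_ip):
        return Decision("decoy", f"source {req.src_ip} outside contracted address space "
                                 "(probable home or personal device)")
    return Decision("payload", f"source {req.src_ip} inside contracted address space")


def triage(requests: List[Request]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Split hits into served payloads and out-of-scope events for the report."""
    report: Dict[str, List[Tuple[str, str, str]]] = {"served": [], "out_of_scope": []}
    for r in requests:
        d = decide(r)
        bucket = "served" if d.action == "payload" else "out_of_scope"
        report[bucket].append((r.src_ip, r.recipient, d.reason))
    return report


# Constructed sample hits against one lure link.
SAMPLE_HITS = [
    Request("203.0.113.17", "Mozilla/5.0 Chrome/120", "alice@example.com"),          # office workstation
    Request("10.42.7.9", "Mozilla/5.0 Firefox/121", "bob@example.com"),              # laptop on the VPN
    Request("198.51.100.77", "Mozilla/5.0 Safari/17", "carol@example.com"),          # home broadband, webmail tab
    Request("192.0.2.10", "Mozilla/5.0 (via GoogleImageProxy)", "carol@example.com"),  # provider's proxy (constructed)
    Request("203.0.113.17", "Mozilla/5.0 Chrome/120", "dave@partner.example.net"),   # lure forwarded to another org
]

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_HITS).items():
        print(bucket)
        for ip, rcpt, why in hits:
            print(f"  {ip:15} {rcpt:26} {why}")
```

The gate narrows exposure but does not settle the legal question: a personal laptop on a full-tunnel VPN arrives from an in-scope address and still receives the payload, and a client NAT or proxy can hide a home machine behind a corporate egress IP. It therefore complements the contract language brtw2003 and webtrol discuss rather than replacing it, and the out-of-scope log is the evidence that the tester stopped at the agreed boundary.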
  5. #5
    Member webtrol's Avatar
    Join Date
    Jan 2010
    Posts
    113


    Possible repercussions would be most likely VERY varied depending on locality.

    I'm not quite sure that accidental hacking of an employee would be as easy to cover with disclaimers. I don't think a business can give you cover for something an overzealous prosecutor might call a felony.
