
Thread: Moral security Question


  1. #1
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    7

    Default Moral security Question

    Hi
    I have a question and would like some opinions, I went to Drs with my girlfriend in a local surgery and I noticed one of the desks they had a Wireless modem / router. I did a quick scan for WLAN on my mobile to find 2 WEP networks in the surgery. One the Drs and the other was the Chemist next door. I did notice that it looked like a WLAN and LAN light was flashing in use.
    I am pretty much self-taught in Linux, with a few Microsoft certs. Morally I want to tell them that their modem / PCs may not be secure - I personally worry, especially about medical records.
    I have got no intentions to 'hack' anything to prove a point.
    I know there are so many WEP-protected companies, but has anyone approached a company about that, and if so, how?

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by alias1 View Post
    Hi
    I have a question and would like some opinions, I went to Drs with my girlfriend in a local surgery and I noticed one of the desks they had a Wireless modem / router. I did a quick scan for WLAN on my mobile to find 2 WEP networks in the surgery. One the Drs and the other was the Chemist next door. I did notice that it looked like a WLAN and LAN light was flashing in use.
    I am pretty much self-taught in Linux, with a few Microsoft certs. Morally I want to tell them that their modem / PCs may not be secure - I personally worry, especially about medical records.
    I have got no intentions to 'hack' anything to prove a point.
    I know there are so many WEP-protected companies, but has anyone approached a company about that, and if so, how?
    It is best if you're going to do it, to just tell them that they have a potential problem, but do not offer to secure it for them. Do not use any scare type tactics, just present the facts that WEP is insecure and should not be used. Allow them to make the decision to contact their own people to have the problem resolved.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Personally I'd be very wary about telling anyone their network was insecure unless they had asked for my opinion on the matter. At the very least you may end up needing to explain why you were poking around in the first place, and if the network ever does get broken into you can bet that they will remember what you said and consider you the first suspect.

    I don't think you have a moral duty to say anything under these circumstances, seeing as you don't manage and didn't set up the network, and if you are worried about the security of your own information, which is reasonable, I'd start seeing another Doctor.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  4. #4
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    7

    Default

    Thanks for your feedback Streaker69 and Lupin. In all honesty I think I won't be doing anything, but it does make you wonder; I would have thought Drs' surgeries would have a best policy in a perfect world.
    Has anyone actually approached a company before, e.g. about WEP, and what happened? I am curious. I can understand why people would be hesitant to help; somehow it will come back and bite them, as Lupin said.

  5. #5
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462

    Default

    Do you feel morally obligated to inform them? Or do you see a potential client who you can $uggest your opinions to?

    To answer your question, no. If they are not a client or friend, then I have no business in trying to make myself look good, or earn their business through scare tactics as mentioned.

    While it would be nice to help out people who may simply be unaware of the security risk, the effort doesn't outweigh the potential consequences for me.

  6. #6
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    7

    Default

    I don't see $$$ as I don't have proper certificates and don't like scaring people, although I am going to start my CCNA soon. I have no connections to the surgery or any employees; it was more a moral question with it being a medical business. If it was a corner fruit & veg store I wouldn't think twice. (Sorry if anyone owns / works at a fruit and veg store.)

  7. #7
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462

    Default

    It was more of a "why do you even care?" that I was trying to get at (moral or personal gain).

    My opinion is hit the books and worry about more important things. It's good to be aware of these things, it's another to act on them. Maybe someone else will add something. Good luck on your CCNA.

  8. #8
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    A simple "Hey I notice you're using WEP on your wireless network. I'm kind of concerned and was wondering; are my medical records available via that network? Did you know that WEP has known weaknesses and is VERY simple for people to break?" should do the trick.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  9. #9
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Default

    I had a situation kind of like this once where I noticed the vet where I take my animals had WEP encryption and various other security problems. All I did was find some articles from reliable sources that the "average" person would trust, made them up into a little packet and offered them to the vet. A few weeks later I assume she enlisted her IT guy to fix the problems, because they got fixed. I avoided sounding like I could break into her system and I also did not offer to fix it, which is why she trusted me. Just my 2 cents. I do believe every situation is probably different though, so no one answer will apply to every situation.
