Pentesting Ethics: Should I do it/ Is it legal?

[Archangel-Amael]

This thread is a collection of posts from our old forum. There are always people who come by and have what they believe to be a vulnerable network, and feel the need to save the day. There are probably just as many different cases as there are answers for those cases. A Doctor's office that uses wep. An elderly woman who's network is open and broadcasting for the world to see.
In this thread I will present one of those typical cases and the answers that were given. Ethics generally has different meanings to different people. As such this thread should not take the place of valid legal or professional advice.
Feel free to add to this or use as a reference.

QUOTE=sociopathichaze So I worked a temp job at a college help desk for a couple of weeks. During the lulls in calls, I began poking around the campus network. Nothing intrusive, just a few pings and traceroutes at first. However, as the days went on I became so bored I started mapping the entire network and doing my own security audit of the college. At the end of the two weeks I had a page and a half list of all the problems with the "security" they had implemented. Being the ethical guy I am, I sent the list to the head of the department. Fast forward two months and three emails later, and they've done nothing. Not even the simplest things on the list, like password protect your network printers if your going to use a 1to1 nat and not use acl's to block external access. Personally I wouldn't mess with the network because there's no challenge in it, but I'm to the point where I think these lazy/incompetent admins should be taught a lesson. At the same time I feel bad for the students/faculty that have these morons "protecting" their data. So I'm gonna put it to a vote.
Should I post all the info I obtained?
Should I email the Dean and explain why he should fire these idiots?
Should I email everyone in the student/faculty directory telling them their data isn't safe?
Should I do nothing and let their current security through obscurity model stand?
Should I post this in a different forum where someone might care?

[Archangel-Amael]

QUOTE=Gitsnik *No
*No
*No
*Yes
*No
I suppose I should be a little more articulate than that!
Posting the info will probably be construed as illegal, and you will probably be called to task for it. Check any documents you signed when you first hooked in.
Explaining to the dean is useless, to use your terms those "idiots" may well have budgeting issues, or reasons for using the printers without passwords (for example, there is some unnamed management software that you can not control certain printers with if they do have passwords on them). Frankly, you were an intern, you have no goddamned idea about what is going on there and it is not your place to say.
The idea of spreading FUD is a "l33t h@ck3r" one, not a professional idea. You do it, you are more likely to cause mass rioting than fixing the problem. Besides which it is irresponsible.
You *should* do nothing. You have done all you legitimately can. For example, I did a pentest 5 years ago for a company, and every hole is still there. Should I go wipe all their systems now to teach them a lesson? That's just idiocy at its finest.
And finally, I frequent those other forums (though not under this name), and you will either find someone willing to be bored and break out what they can, or noone will care and you will be mocked.
Do the right thing, keep your mouth shut and move on. It's not your network, it's not your problem, and you're not a student there.

QUOTE=lupin My advice is do nothing, there is a very good chance you will end up in the manure yourself for what you have already done, and if you actually start advertising the fact that you have been doing an unauthorised audit and you start spreading around the flaws you have found the chances increase that it will all come back on you. Especially if you post the flaws somewhere you shouldnt.

Once you work as a systems administrator or security professional for a while you will realise that the situation you describe of a dreadfully insecure network is the rule and not the exception. You should also be aware that no one asked you to do what you have done, and odds are you will not be greeted with praise and adulation if you start telling them they are doing things wrong. Yes that seems ridiculous, but yes it does happen a lot of the time. The messenger gets shot.

As for the lazy/incompetent admins thing. Well maybe they are, but there are other equally likely possibilities.

Its possible that those admins do know the right thing to do but don't have the time to do it - they have to move onto a new project right after an installation is done - this is very common. If an administrator works in an environment where security isn't required or rewarded, and they are not given adequate time or resources to secure systems, it's inevitable that security will suffer. Given a choice between the following, what do you think the average person would do?

• Letting security suffer and focusing on the things you will get rewarded for
• Adding security at the expense of not doing other tasks which your performance was being measured against, or
• Staying late for several hours on a regular basis to add security on your own time for no reward

As an Administrator, unless security really interested you, or you believed you had an ethical obligation to give security greater consideration than your bosses do, the rational choice is not to add security.

These same admins could also have been deliberately told to disable security functionality because it makes things take longer to setup or it breaks some piece of wizbangery that is required for "business reasons".

Another possibiliy (although probably less likely than the others) is that the college is aware of the problems and has other mitigating strategies in place, or has decided to accept the risk. This is actually a perfectly valid approach to security if done properly. Appropriate security is after all a balancing act between allowing people to do whatever they want or preventing people from doing anything, and the appropriate balance will be different for each organisation depending on the risks they face. Security also costs money, in terms of resources to implement, inconvenience and direct capital expenditure. The costs of bad computer security are also often borne by entities other than the organisation who gets breached, even taking breach notification, privacy laws and the potential cost of lawsuits into account, which also doesnt really provide an incentive to dedicate resources to improve security. While obviously I cant make any definitive statements abut this college based on the information I have, its possible that their security is actually appropriate, when all the factors are taken into account.

So my advice again - stay away from this, I dont think theres any upside from your perspective to pursue this further, unless the thought of being a whistleblower appeals. Theres lots of ways this could go bad for you, especially considering that the security posture of this college could have come about via deliberate choice, in which case nothing will change and you will get the blame for poking around in the network where you shouldnt have.

[Archangel-Amael]

QUOTE=Gitsnik Not to mention the blame for anything untoward that happened during the testing time.
The amount of times I (or others) have been blamed for things is phenomenal. Thankfully we all keep extensive logs and automations to ensure that we have proof, which I doubt the OP has done (though, to be fair, it is possible - but the mention of starting idly gives it away for me).

QUOTE=lupin Yes another good point. And to expand on the point I made which Gitsnik responded to, I will say that I am a Security Officer where I work, and if I found out that an intern had done what you have done (performing a security audit without permission) I would come down on them like a tonne of bricks. Of course at my place of work Id feel justified in doing this because the described behaviour is expressly and specifically prohibited in our IT Security Policy, and it may not be prohibited in the security policy of the college. Id check this if I were you OP.

Its also possible that if you had audited my organisations network, you would find flaws, but for many of these I am already aware of them and am either a) not concerned because of other mitigating strategies or lack of business risk or b) concerned but unable to do anything because of operational requirements, limited resources or lack of managerial support/understanding. Pointing these same flaws out again and calling myself and my colleagues idiots because of them without knowing the background to the problems would not be at all helpful.

QUOTE=Oktet and even when implemented, there is always a budget that makes life really difficult when trying to secure your network or whatever you are trying to secure. Like in real life, most people get by, by making compromises (whatever works), in a perfect world we would all have the resources that we wanted or needed to secure our networks or servers or whatever we are protecting. But the truth is that most people regardless of occupation, job, even students, are given the bare minimum to work with, and that bare minimum sometimes results in bare minimum security given bare minimum resources to work with, granted there are some people here that can make miracles happen with bare minimum, but at what cost?

[Archangel-Amael]

QUOTE=sociopathichaze Just to be clear on what some of you are defending, by sticking up for these misunderstood admins.
-Firewall password is "password"
-IDS on firewall is off.
-ACL's are non-existant.
-IP security camera system switch doesn't have a password.
-Policies allow guest access to administrative shares.
-Wifi is WEP and just uses mac filtering.
-5+ Network printers have no password and have public ip's. You can type in the ip from anywhere and have full access to the hp web gui.
-Because they're a college they have a class b ip range but have less than 2,000 users. Which all get assigned a public ip.
-They have a staff of 20+ who mainly sit around waiting to fix paper jams.
-As far as their IT Policy, they don't have one, or at least I didn't have to sign one.
These are all things both easy and free to fix.

QUOTE= Archangel.Amael Let me take your own words a re-order them a bit to help highlight a few things. TO WIT:

Being the ethical guy I am, During the lulls in calls, I began poking around the campus network. Nothing intrusive, at first.

First of all you might be a "good guy" in real life but all we have to go off of is what you write here for us to read. But the above statement (which is your own words, I merely left a bit of "IT speak" out) is a no go!

An "ethical guy" would have never done anything out side of the scope of normal network usage( meaning checking email, surfing etc.) Furthermore as you mentioned it was your job to work the help desk not look for security issues in the network.
If you had done the same thing were I work then you would be done. Not only out of a job but maybe with a lawsuit as well. Granted your chances of doing what you did on our networks without notice is not likely to have happened. It's not the point. For me ethics are a big part of daily life. I probably have to hear something about this every 3-4 days. (Actually it gets old.)

Just to be clear on what some of you are defending, by sticking up for these misunderstood admins.

While it might be great in and of it's self that you found these "things", no one is really defending the staff per se but rather pointing out to you what should be obvious. The amount of blame/trouble that you could possibly get into by trying or doing what you have listed above. Those professionals in the above posts are only telling you based on their own experience and knowledge. I would take it for what it is worth and leave it (the school network) alone.

-They have a staff of 20+ who mainly sit around waiting to fix paper jams.

While this may be true in some light, it is what they are paid to do and while it may seem like a waste of money/resources neither of which are yours. So let them fix paper jams. You don't pay them.

-As far as their IT Policy, they don't have one, or at least I didn't have to sign one.

You might not have signed a specific IT Policy, but you may have signed something that could be used by a court of law as a substitute document stating your willingness to comply with said IT Policies.
Especially if you signed some policy with ethics somewhere in it.
I am quite sure the students are bound by some policy, much like the workers. This could be enough, for a good lawyer.
Furthermore mentioning the above to the above to the dean (who spent his whole life studying underwater basket weaving) who doesn't know the difference between wep and acl is probably not going to get you anywhere positive. The guy or gal may think "my god this guy(you) is one of those "hackers" they talk about on the news."

Take the advice of everyone who has mentioned to leave it alone and do so.
Consider it a lesson on dealing with upper management, idiots, morons and the like that sometimes run things they should have no business being around.
We all know they exist but as long as they are "in charge" there really isn't much you can do about it.

EDIT: As an after thought I would also wait to see what our member Thorn has to say about this thread. Being a former LEO I am sure he can offer some good advice to help encourage you to look the other way.

[Archangel-Amael]

QUOTE=Gitsnik Some notes from the various companies I have worked at, and just in general. Yes there are some mistakes there I would never make, so the point of what I am about to type is merely to point out that there are sometimes reasons to do things (reasons that, like lupin said, go against a security officers better judgement):
Infrastructure systems password change policy extortionate in it's complexity. Also look at that (LA?) admin who wouldn't give up router passwords.

IDS produces too many false positives, admin's getting lazy and ignoring them. Off works just as well and frees up their day.

I can't defend the ACL's, but unless you cracked the routers you can't know this for sure, nor what mitigating tech is between the firewalls and the routers. I wonder if you could have picked up my SOP for defending internet facing networks - Layer 2 bridges with filtering on them... no IP visible to the network on either side.

See note above about password policy. Doesn't countenance it, may explain it.

Policies allow guest access to administrative shares --> You've never had to admin a network have you? The amount of times I've had to pull this particular policy back so that the guest-access DOES work is ridiculous. And very very common for beancounting software.

I've been known to run WEP for my home network (my laptop didn't support more for a while). Just because it is insecure doesn't mean it is a bad thing. Also a lot of hardware doesn't support WPA if it has been around, and there may be budgeting issues.

I already made notes on the printer/password issue, but yes, this is a problem I can not countenance.

annnnd

"-As far as their IT Policy, they don't have one, or at least I didn't have to sign one." means they will just pull you in front of a lawyer if they decide to. Anti-"hacking" laws cover this sort of thing within corporate networks with or without a policy.

I can't stress again how important it is that you just leave it go. Fine. We're all proud of your accomplishments. Now suck it up and move along. Like I already said, it's not your network, it's not your problem. You will encounter idiots like this everywhere, and believe me the urge to teach them a lesson will be a lot stronger than your current one is (I once felt the urge to blow away an entire banks database for the idiot mistakes they were making!) - but you have to just let it go. Doing anything else will land you in more trouble than them, even if you went straight to the Dean, and noone will appreciate it, so that urge you seem to have to be applauded for your skills is not going to be sated - welcome to the real world.

QUOTE=lupin This bears repeating, you wont be thanked for pointing this stuff out. My favorite analogy regarding this tendancy involves the Physicist Richard Feynman who found weaknesses in the safes at the Army base in Los Alamos he was working in during the Manhattan Project (that's the project that developed the first Nuclear bomb during WWII). After he demonstrated these weaknesses to the Army officials in charge, the response was a memo that ordered staff to keep Feynman away from their safes. So Feynman was basically considerd to be a troublemaker after this, and this is at an extremely high security facility (well supposedly). I dont think you could expect any better in a place that didn't consider security to be important.

QUOTE= Thorn OK, I'll pipe in here.

sociopathichaze, You may be "right" in that, technically, some or all of these things should be corrected. However, you were dead wrong in even attempting to find these issues in the first place.

You did NOT do a "security audit" no matter how you rationalize it in your own mind. A security audit is done by professionals, under contract, using standardized procedures, within a specified scope. On top of that, those professionals adhere to ethical standards. So far, what you've done is at best, unauthorized poking around in areas you had no right or authority to be near, and what are by my count, at least three felonies, and something on the order of 5-20 counts of each felony, depending on the jurisdiction and how the police and prosecutor see each felony. Also, you've broken just about every ethical standard adhered to by professional pen testers.

Do the right thing, keep your mouth shut and move on. It's not your network, it's not your problem, and you're not a student there.

This is the best advice. The school admins may be wrong in the area of best practices, but you, sociopathichaze, are the one who has committed crimes, and you're pointed it out to the victim. So far you've been lucky that they ARE complacent. If they weren't complacent, they would have had you arrested and charged with a crime. They still could.

If you insist that you "post all the info [you] have obtained, email the Dean and explain why he should fire these idiots, email everyone in the student/faculty directory telling them their data isn't safe", or continue with any other action along those same lines, you're going to force their hand. What will happen is that you won't be the good guy, you will be the "Temp Worker Charged with Hacking Local College. Details on the 6 O'clock Report."

If you don't let this die, then your next step should be to get a competent defense attorney. You'll need one.