Am I still a 'whitehat'?

[DukArchon]

OK, if I tested a system for vulnerabilites, without delving deep into the breaches of secuirty, and never actually accessed the system illegally, but I actually know that If I try without too much effort could get in; and I intend on reporting the problems to the right person, without disclosing any of the vulnerabilites in the system to anyone, am I doing the right thing, or should I just walk away from the situation?

And if I should proceed to inform the admin, how should I put together my findings? I simple email wouldn't be effective, I think....

[powertoad5000]

If you look at it from the point of view of the admin, you are definitely doing the right thing. The majority of admins I'm sure want to know about vulnerabilities in their system. Only an idiot would get angry with you for highlighting flaws like this. If you didn't want to email them, maybe you could try a whois on the server and ring the phone number it provides. If your research is quite extensive, maybe you could post it off to their address (from whois again), if you could be bothered. Although, if you are investigating serious flaws, I am sure you have already thought of this

[Nitro]

some of the admins I know do not like outside people coming in and telling them about their security flaws. Would you like it if you set up this so-called "secure" system/network, and someone penetrated it and basically tells you what a shitty job of securing the system/network you did? My suggestion is to come of to this admin as a respectable person. Do not include words like "owned" or "hacked", as it will disturb the admin. Make sure you act fairly formal in how you approach the admin and how you put together your report. He/she may also want to know why you accessed or even thought of accessing his/her system/network, so make sure you have a legitimate reason.

Remember: the admin will most likely be suspicious of your activities (you did hack him/her after all), and DO NOT make the admin feel stupid (even if the admin is) or you will be toast.

-Nitro-

[pwaring]

I'd see if I could email the admin first, I can't see why that wouldn't be effective - I've done so before on numerous occassions and they're usually pleased that I'm pointing out the flaw rather than exploiting it. However, I accept Nitro's point that some admins will get very suspicious, so be polite and don't make the admin think that you believe them to be an idiot, as they generally know a lot more about computers & security than you do.

You could try powertoad's suggestion of phoning the admins, although whois doesn't always give phone numbers or addresses, and the switch board may not put you through to the IT department and you'll often have to deal with mindless idiots for half and hour before you actually speak to whoever's in charge of security. It's worth a try, but only if you think you'll get through and live in the same country as the admins, otherwise you might get a hefty phone bill!

Whatever you do, you should definitely inform the admin team, by anonymous email if necessary.

[TechieChick]

Testing a system that is not only not yours, but where you have not been asked to do such testing is only asking for problems. People are hyper sensitive to this right now and don't like any flaws in their systems being pointed out to them.

It's a very fine line between doing that and accidentally tripping across something, case in point I went to check out a router manufacturers ftp site and saw the .txt file with the YoU arE OwNeD title. I just closed my browser and emailed customer support and left a phone message for them as well alerting them to the issue with my name, company name, time, date and why I was accessing the ftp site. No one ever called me back (didn't expect it) but I still worried (since I'm a bit paranoid ) but as I said above, companies are a bit quick to pull the trigger these days and the penalties are getting larger for "accidentally" uncovering problems.

*edit* Yes, I did open the .txt and it was obviously not supposed to be there

[droby10]

i agree with most of what has been said. i have found that most unsolicited audits are either ignored or are answered with hostile responses, regardless of professionalism and approach.

if that is the case, then in the end you have to decide how important it is for you that they fix it. ie. does it affect you in any way? is your information at risk? if not, then it might be better to not push the issue. on the flip side if you don't push it, and they don't fix it and someone else comes along and exploits it - they will immediately turn their eyes towards you for blame.

some things that will help establish rapport _AND_ cya. document everything you do. the source address, the time, commands issued, accounts accessed (successfully or failed), etc. these will need to be verifyable facts (target host and network logs)

at most it will validate that during that time you were not acting "maliciously" - it will NOT prove that you haven't acted in poor taste at any other time or through any other host (past, present, or future); but overall it will provide them with some form of self-evidence without relying on the words/claims of an unknown.

it might also be beneficial to seek the help of a 3rd party acting as moderator/mediator: for your own anonymity, if need be, and/or to allow the disclosure(s) to come from a trusted party.

the general security public will more than likely see this as grayhat activity. i'm not going to say it's a good or bad idea to contact the company. depending on the severity, i'm sure that there are those who have served time for much less...on the flip side there are those who get articles and what-not written up about how much the helped out xyz company (controversially). you might do some research on the general attitude of the company - previous incidents, etc.

[DukArchon]

So, I should probably just walk away from it... My info is at risk, yes, but so are a lot of people's info(We're talking in the 10,000+ range), but I think it would just be better for me to walk away from it, throw away my research, and forget about it.

Thanks for the help and suggestions everyone....

[Viper]

In some cases, people run into situations where they see a possibility of a vulnerability. From that, a test is done and if the theory proves itself, a proper notification to the administrator is done, whether through email or telephone. Now, some people choose to actualy prowl around looking for holes and exploits and that's fine so long as you do the right thing afterwards, which is telling the administrator the situation and suggestions on how to fix/solve the problem.

A little suggestion on how to present your findings:

Send a professional looking email to the systems administrator:
example:

To: admin@moo.net
Subject: Vulnerability Found in Webpage (or whereever you found it)

Dear Systems Administrator,(or find the name of the person and put it in instead of sys. admin)

{Presend Yourself} My name is John Doe, {present situation} I would like to inform you about a vulnerability (or hole, or whatever terminology you want to use) in your system/webpage/whatever. {explain where} It is located in the <blah blah blah>. {Explain how} It is a {Type of vulnerability, i.e. stack/buffer overflow, spoofs, etc.} and it can be breached/bypassed/broken into/etc. by {explain your process. Give specific details. } My recomendation to fixing this hole is to {Give a description on how you would go about to fix the finding. They love that. } { If here's more than one hole then go on with listing the locations and possible ways to solve}

{Conclude your email} I thank you for taking the time to read this email.
{Give contact info} If you have any questions of comments you can reach me at {give email or any other type of contact info. }

Sincerely,
{your name}


** Or you can do it by phone **
Call them up and ask to speak with the administrator. You basically follow the format of the email except you're open to questions right then and there. Just be ready to answer them, which you will more than likely be ready for.

[The Old Man]

Originally posted here by TechieChick
[B]Testing a system that is not only not yours, but where you have not been asked to do such testing is only asking for problems. People are hyper sensitive to this right now and don't like any flaws in their systems being pointed out to them.

It's a very fine line between doing that and accidentally tripping across something

**********
Just my 2cents here, you have to do what you have to do...
Unless you are on a personal (or at least codial) basis with the SysOp is to print T.C.'s opening comment, post it somewhere easy to see, and consider the finer points of "problem ownership". If your online or desktop stuff is at risk, change servers, there's a jillion of them around and except for a very few most have holes somewhere. It would be very small satisfaction that a judge/jury found you innocent of all charges, after you paid some attorney a small fortune to defend you. "Problem Ownership", is a rather difficult concept for most of us to grasp who just like to help other people. T.C. is very correct, with the present atmosphere and the present laws, it would not be difficult for some SysOp with a hangover and a boss all over his a$$ on a monday morning to blame a "gooder" for all the problems that he had over the weekend. Just my 2cents worth, One of the AO'ers here has it for a signature and it's about as accurate as it is comical... "Paranoia isn't paranoia when you know they're actually after you!"