Hired by Company! Look what I found!

Printable View

October 17th, 2002, 09:16 PM
Internet Hacker

Hired by Company! Look what I found!

This Company hired me get into there system to test its security, the main idea is to see how secure it is, and see if outsiders can gain access and the techniques they use to obatin total access. I was never hired by a company before doing this so I am wondering could any of this be used against me? Is there anything I should know about? Besides in the contract. This is my first real job as a (sneaker). Heres the orginal message:

Quote:

Hello, I'm Steve Grazer', one of the administrators for INC. We want you to go ahead and test things, but please tell us what you did (and didn't) find. We're always interested in hearing about the security here.

INC is a fairly hardened system. We get hit on every day, with every
possible exploit for every operating system and hardware platform
you could think of. Obviously only the SunOS exploits for the Sparc
make much sense to try.

Given that we get hit on constantly with all the usual script kiddie
tools, thinking "outside the box" is likely your best chance of being
able to find something interesting. If you are observant you will
discover something that looks like a real security flaw. All I'll say
for now is that if you think you've found something, look very closely
at what you think you have.

What account are you going to use for this?

--STeve Grazer' (INC staff)

I found the password file it has over 5,000(+) user names and passwords: The accounts I found were root, sysdiag,sundiag, and all the users. I found many different ways to gain total access to this system.

root:7iCHANGEDTHISSO:0:1:Operator:/:/bin/csh (I changed all the passwords for obvious reasons)

sysdiag:changethisto:12:1:Old SysDiagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag

sundiag:Onemoretime:12:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag

Plus All 5,000 users(+) usernames, and passswords, including root,sysdiag,sundiag,

INC has no real security from my point of view. Im currently writing a e-mail to the System administrators explaining everything I found. I'll keep everyone updated.
October 17th, 2002, 09:27 PM
nebulus200

Well first off, I don't think the company would appreciate you making your findings public (which to some extent you have just done).

Second of all, you should make sure you have a document that formally defines what you are allowed to do, what you are to do with your findings, and over what time frame. That document should be signed by the persons in charge of the company's network (perhaps even their CEO), I would highly recommend having a lawyer draft something together. This is for your protection as well as theirs. If you are using an account external to that companies network, you should also have permission (in the same fashion) from whatever ISP you are using.

Lastly, when you have the lawyer draft this up, you might want to talk to him about any other possible liabilities that are associated with this (for example, what if a company gets hacked a week after you do this, maybe you get blamed).

Failure to be dilligent could result in severe penalties, maybe even including fines and/or jailtime. You might want to consider editing the post to obscure what company is involved, and definitely remove names.

/nebulus
October 17th, 2002, 09:31 PM
roswell1329

Um. Okay. If a staff member is requesting this service, then I would make sure that you get an agreement in writing before you release any information about security flaws. Make sure that the entire department knows what who you are, and what you're there for.

Since you read the password file, you've obviously already penetrated the system. That you had to change the encrypted passwords tells me their not running shadow passwords. You say that you have found many different ways to root the system, perhaps they want a different kind of penetration testing from you. For example, is this system behind a firewall? Could they be asking you to test their firewall for vulnerabilities, and not their internal systems? Many companies have firewall security like Fort Knox, but their internal systems are relatively open.

I guess that's all my advice.
October 17th, 2002, 09:32 PM
nabylbt

Well have you tracked the email to ensure that you weren't social engineered to get that data, and also before sending them any results ask your contact at waht time you could call him (collect) to ensure his identity, then call the standard of the company and check if the numbers are the same....
I find it strange that they would hire someone with no official experience or belonging to a other company ....
give more details please.

If on the other hand it is a legitimate bussiness deal then defintivly contact the sysadm and let him know what you have found out ...
October 17th, 2002, 10:57 PM
alanj23

totally agree with nebulus200 - get a lawyer! and be very careful how you handle the information you`ve aquired. Also in the future prob. a good Idea not to post your findings on the web ;c)
October 18th, 2002, 03:04 AM
Euclid

Did you make the initial contact with "Steve Grazer', one of the administrators for INC" or did he email you. I would be skeptical and would get a lawyer and I defenatly would not have posted it here. As a consultant your job would be to notify the company first. What you did even though you didnt tell anyone how is open up the system to anyone who thinks they know what to do . For example roswell1329 post. I can see his thought bubble from here. Not saying that he or she is going to go access the system but hes thinking about it. Again I am not saying that he/she will do it, what i am saying even though you didnt give much info it was enough to figure out some things.

Anyways, I would suggest that if you do this more in the future , report to the company first before you report here and better yet dont even report here , not good security practices ( no offence to the site but there are mixed types of people here)