Thread: Penetration Testing...from the inside...

  1. #51
    Senior Member
    Join Date
    Jun 2002
    Posts
    174
    This is an excerpt from my online journal... the conclusion to the story:

    Well... today was the day. Today was the day I went public.

    As many of you know, I'm a bit of a computer-person. Using my knowledge and inside information, I was able to gain partial access to The Company network. And by partial, I mean... well... it was a lot.

    So today I wandered into The Company with the intent of buying a magazine or something. I then walked over to the kiosk, and decided to try something. Using methods I like to pretend that only I know, I managed to get access to the command line, and from there, I was on the network.

    Now, The Company uses a cool little program that, when installed on a remote computer, allows someone else on the network to connect and use it as though he was right in front of it. Using miscellaneous passwords which I had acquired earlier, I gained access to a random computer, one which happened to belong to a higher-up person on the corporate food-chain (apparently the store's boss's boss). Well, I opened up Notepad and started typing to him.

    I talked about the overall security of the network, as well as possible things which could happen if not protected. I was very careful to say what could happen, so that he didn't think I had actually done them, because in 90% of the cases, I didn't.

    He asked where I was, and I didn't tell him, but I informed him that the POS (the programmers/system admins) could find me quite easily. He called them up, and informed me that he was doing so. He was actually a very nice guy - we talked about a number of things... it was funny to watch. He was trying to narrow down my location by asking me things about The Company which were only going on in the test markets. I was, for the most part, truthful with him. In every matter regarding the security of the system, I told him the truth the best I could without compromising my identity. For the other questions (where I was, how I was doing this right now) I threw out random things. I figured he'd find me eventually, so I might as well buy myself some time.

    After a good hour of conversation, he informed me that POS was on the phone with him, and wished to ask some questions. I answered them the best that I could. Not 5 minutes later, the GSM on duty got a call from POS. Employee_1 informed me, and I promptly left the building.

    I went and grabbed some food at Taco Bell. I went back, because I forgot to buy what I went there to get (I remembered it was CD-Rs). When I got there, all of the kiosks were down (shut down remotely) and Employee_1 and Employee_2 (two of the three associates who knew what I was doing) were in the back (presumably filling out an incident report). I called Employee_1 later, and she informed me that she couldn't talk to me about it. Looks like someone is taking legal action.

    I talked to Employee_3 later tonight, and gave him a rundown of what just happened. He called Employee_1, and informed me that Employee_1 can't talk to anyone about it, or she might be prosecuted. I tell you, friends, the **** has officially hit the fan.

    Soooo... I might not be able to use computers for a while.... I might be going to federal pound-me-in-the-ass prison... or they may offer me a job. I don't really know. I'm guessing it's one of the first two. Or both.

    Hopefully they'll wait until morning to get me. I'd rather be arrested at school than at home... more publicity.

    So, friends, I'll keep you informed as best I can. I regret that I ever helped them, now.... especially if they're going to go all law-ish on me. I'd rather settle this out of court. IT'S BEEN GREAT KNOWING YOU ALL! I can safely say that if I don't write anything by 11:59 tomorrow night, I'm in jail.
    I'm back.

  2. #52
    Senior Member
    Join Date
    Jun 2002
    Posts
    174
    I thought I'd give everyone an update...

    Since my little escapade, a few things have happened.
    1) I didn't go to jail.
    2) Some guys from corporate flew up and had me re-explain how to fix everything.
    3) The FBI pulled me from class and had me re-re-explain everything.
    4) The Feds said I'd have a record, but it would be recorded as a "white-hat", since no damage was done, and I was extremely cooperative.
    5) I got a job as a programmer for a web-dev company. Fun stuff.
    6) I'm looking for a job as a real programmer (not web-based)... anyone with any info should give me a shoutout.

    Cheers,
    Mase
    I'm back.

  3. #53
    Hi

    I won't call you an idiot! I don't think I have to!

    If you had

    1. Written to your manager along the lines of, I think there might be some security flaws on the system, can I investigate over the next two weeks?

    and

    2. Your manager wrote back saying 'Yes'

    then

    3. Your rear end would have been covered and

    4. You would submit a formal report to your manager and having written it up as a blog as well

    5. You could have leveraged your experience into getting a job at a security firm regardless of whether your company took your advice or not and

    6. You wouldn't have a record!
    No one can foresee the consequences of being clever.

  4. #54
    Senior Member
    Join Date
    Jun 2002
    Posts
    174
    Perhaps you should practice your reading skills. If you'd actually looked over the posts, you'd see that I had written up formal reports (twice). The corporate gurus didn't respond. (Managers have no power over this nation-wide network.)

    I have no excuse for my stupidity, and I won't try to say it was anything other than idiotic, but things don't fall into place like this beautiful dream situation of tenzenryu's.

    I'm not particularly worried about my rear; I have enough character references and there were enough employees with me during the act that, if anything should happen, I could take half the store down with me.

    I'm also not worried about "leveraging my experience" to get into a security firm... I'm no pen-tester, just a programmer.

    My record's worked to my benefit so far. The two FBI agents that visited my school suggested that I try to work for the FBI or NSA. While the level of my "hack" is nowhere on par with the skill required, they noted my persistence and curiosity (as well as lack of malicious intent), and said my record would in no way affect my getting a job there (at the FBI at least...).

    Cheers.
    I'm back.

  5. #55
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    You did exactly what I would have done......

    Respect.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #56
    Hi

    I didn't say it would work, I said get permission first before doing anything. If you don't then you are just asking for it. You could even go for permission through omission, e.g.

    " Dear corporate zeebad,

    Please find attached a formal report on some current security weaknesses I have come across by accident in your network. I consider that these represent a serious threat to our company's security. I wish to pursue the matter systematically to ensure that I have covered all the bases. I will take it that unless you reply to me by Friday, that this is Ok with you. My full report on the matter will be ready in 4 weeks time. I personally guarantee that I will not take an exploitative approach to any vulnerabilities I uncover but I will fully explore and document them.


    Yours sincerely

    etc"

    If the guy doesn't pay attention to you, then he also doesn't have a leg to stand on.
    No one can foresee the consequences of being clever.

  7. #57
    Senior Member
    Join Date
    Jun 2002
    Posts
    174
    I'll remember that for next time.
    I'm back.

  8. #58
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I will take it that unless you reply to me by Friday, that this is Ok with you.
    If this still turned into a legal issue this wording would prove to be useless. Taking action on something because of a negative situation, (no response), does not mean you have been permitted.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #59
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    Much respect Embro. By being open with both the corporation and FBI, you proved you had no malicious intent - therefore no crime was committed. Sometimes top-end execs need a sound slap in the face to wake them up to underlying problems, most especially involving computer security.

    Don't sweat either civil or criminal action against you - without malicious intent that bird won't fly.
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  10. #60
    Senior Member
    Join Date
    Jun 2002
    Posts
    174
    I really wasn't too worried... the two agents that pulled me out of class assured me that the odds of anything happening were very slim (to quote: "Unless someone has a wild hair up their ass, in which case, we'll go in to bat for you"). One of the agents was head of cybercrime in my area, and he seemed to get a rise out of the level of insecurity of the company (he didn't justify my actions, but he was quick to agree that those security issues shouldn't have been there).

    So all in all, I'm no worse for wear... I don't think I'd do the same thing twice, however. It was a fun (albeit reckless) learning experience, and from it, I carry away some new knowledge, and an FBI business card (as a keepsake).

    [Edit]
    Another thing that helped, I think:
    During my "questioning" (interview?), they asked if I posted my methods online or shared the information with anyone. I had a chance to tell them about AntiOnline, the Online Security forum, where "experts (and others) from all over the world share their internet security experience" (not an exact quote, but it looks better that way). Having it available online, posted for discussion and debate (while trying to keep the Company anonymous) in a scholarly manner didn't hurt my situation.
    I'm back.
