A job well done

June 26th, 2009

I have to use aliases and vague terms in this story.

I work at Organization Alpha.  It uses a system manufactured by Vendor Bravo.  As a fun little side project, I propose a free security assessment of the Bravo system in use at Alpha.  The people in charge at Alpha give me the green light.  With me so far?

Turns out the Bravo system is relatively old and on par with Windows 98 for security.  That’s not to say Bravo isn’t still developing it; on the contrary, they’re selling these systems like crazy to lots and lots of happy organizations.

The Bravo system has many components, and I focus on just one small component to begin with.  After a bit of work, I find a way to take control of it.  I turn around and use it to leverage myself into the rest of the system.  I find that I have pretty much all the control I want over the entire system, using just this one small component.

This is bad.  It wasn’t particularly difficult to achieve this.  Did I mention this system sees widespread use?  Also, it handles money.

Though I stay within my pen-test boundaries, the folks in charge at Alpha don’t quite understand what’s happening, and call Bravo for support.  Bravo says “Um…” and has a pants-crapping moment.  Panic ensues.  When the dust settles, well, it turns out the Alpha guys didn’t check with the Bravo guys before giving me permission for the project.  Bravo is pretty displeased with my success, and makes vague legal threats to Alpha over it.

The Alpha folks have a pants-crapping moment and hastily call a meeting with me and the others on the project.  They ask a series of questions like this:

  • Have you told anyone about this?
  • Where is this exploit information stored?
  • Will you please delete it?
  • You’re sure you haven’t told anyone about this?
  • Has this information been printed, emailed, or reproduced anywhere else?
  • Can you make sure it gets erased?
  • Totally sure nobody else knows about this?

A non-disclosure agreement is presented to us.  We take it under consideration and go on our way.  The project is halted indefinitely.

I’d love to get into more details about it, but it looks like we’ve reached the end of the line for this project.  Notice the questions that weren’t asked:

  • What exactly did you do?
  • How can we fix it?
  • Where else in our system might vulnerabilities like this exist?

The only concern of Bravo and Alpha is that it gets buried.  The vulnerability is still there, and I’d bet the farm there are tons of others.  I’d love to talk to Bravo about it myself, but I’m afraid of getting sued.  I’d love for them to fix it, start assessing the rest of their system security, etc., but… their way works too.  If only I’d been a little more anonymous during this whole thing, I could do the ol’ try-to-disclose-to-the-vendor-then-send-it-off-to-milw0rm routine.  Oh well.

I bet this happens a lot to security professionals who do this type of work, but I’m writing about it because this is my very first time.  I guess I can tell future potential employers that I can do my job well enough to warrant hush orders and legal threats.

Lessons learned so far:

  • Make sure everybody really understands what I’m going to do before I begin
  • Don’t trust the local folks to properly notify and inform the vendor(s)
  • Get a written agreement beforehand detailing what will happen when I succeed
  • ???
  • Profit!

Categories: FAIL