Home page logo

pauldotcom logo PaulDotCom mailing list archives

Learning from Leaked Insider Threat Pentest Report for Major US Oil Company
From: "David Sharpe" <david () sharpesecurity com>
Date: Thu, 5 Aug 2010 16:24:55 -0400

At the recent Black Hat USA 2010 security conference, a well known
Washington DC area security service provider accidentally leaked a
sensitive penetration test report for a major US-based oil company
containing enough sensitive information to gain Windows domain
administrator access rights as well as the username and password for
everyone in the target company's domain. According to the detailed report,
these access rights included the ability to access servers containing
SCADA system information. The report was not encrypted or
password-protected in any way. Anyone with access to the leaked document
and a copy of Microsoft Word could read the report in full.

The file was inadvertently distributed on USB keys provided to some

I guess the lesson here is that, as a service provider, you must take
every absolutely every precaution to safeguard customer data.

As a purchaser of pentest services, you should make sure that you
contractually require your pentest vendor to take any necessary
precautions to safeguard whatever reports and data they might retain. If
you need boilerplate terms and services contract language, please contact
me via email or at @sharpesecurity on Twitter. If there is enough demand,
I may post the sample contract language online.

A sanitized version of the steps used to compromise the target are
available at

-- David

blog: sharpesecurity.blogspot.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]