
PaulDotCom mailing list archives

Re: Learning from Leaked Insider Threat Pentest Report for Major US Oil Company
From: John Strand <strandjs () gmail com>
Date: Sat, 7 Aug 2010 07:31:53 -0400

OK... I have to ask...

Who was the company?



On Thu, Aug 5, 2010 at 4:24 PM, David Sharpe <david () sharpesecurity com> wrote:


At the recent Black Hat USA 2010 security conference, a well known
Washington DC area security service provider accidentally leaked a
sensitive penetration test report for a major US-based oil company
containing enough sensitive information to gain Windows domain
administrator access rights as well as the username and password for
everyone in the target company's domain. According to the detailed report,
these access rights included the ability to access servers containing
SCADA system information. The report was not encrypted or
password-protected in any way. Anyone with access to the leaked document
and a copy of Microsoft Word could read the report in full.

The file was inadvertently distributed on USB keys provided to some
attendees.

I guess the lesson here is that, as a service provider, you must take
absolutely every precaution to safeguard customer data.

As a purchaser of pentest services, you should make sure that you
contractually require your pentest vendor to take any necessary
precautions to safeguard whatever reports and data they might retain. If
you need boilerplate terms and services contract language, please contact
me via email or at @sharpesecurity on Twitter. If there is enough demand,
I may post the sample contract language online.

A sanitized version of the steps used to compromise the target is
available at

http://sharpesecurity.blogspot.com/2010/07/major-oil-company-data-leaked-by.html


-- David


blog: sharpesecurity.blogspot.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

