Security Basics mailing list archives

Ethics Question


From: "Mike Taylor" <mtaylor () ablenology com>
Date: Wed, 20 Aug 2003 22:54:19 -0400

Hello all

Question I have is do I tell a company that I did work for that a system
they have is not secure. Background: I worked for Company X (left them because
I could not get paid regularly); they have a contract to support and keep
secure Company Y. I noticed on an audit that the machine that is used for
finances is VERY insecure. It is a terminal server machine that is set up so
that 2 people can get to it from the outside. When you remote to this
machine it bypasses login and gives you a blank desktop with the finance
package login. To bypass all you have to do is send a ctrl-shift-esc get the
task manager and file run -explorer and you have a machine that can browse
the whole network.

I had brought this to my then boss's attention; he said don't mention it, we
will fix it later. The hole is still there.

What would you do?

Thanks,

Mike


