It’s quite unusual for me to post anything on a Monday nowadays, perhaps because most of the time I have to attend meetings, discussions, etc. (update: just finished one meeting :P). Btw, Monday is also the day when I spend most of my working time reading news, articles, whitepapers and other stuff in order to get into the working mood. But then, during my usual tour of blogs and security websites, I came across an interesting posting (it’s one of the comments, actually) at security.org.my, which is managed by my friends geek00l (he is getting busier these days, and I’d love to hear the outcome of the Honeynet meetings he attended) and Mr. Mel.

It seems that the commenter also manages a website or blog similar to the one managed by my friends. Yes, that blog/website provides information on the results of exploiting applications that are used by local companies or government agencies.

Just like security.org.my, I support any means of information sharing and any security awareness initiative. However, we need to remember to be responsible in every one of our actions, and to be aware of the legal issues that may arise from them. My friends geek00l and Mel take the trouble to explain to the related parties their intentions, objectives and methods before publishing any information on security.org.my. If I’m not mistaken, most of their findings on data leakages come from performing enhanced Google searches anyway, which is different from performing an interactive assessment of the application itself. Finding a document that is not properly hidden from the bot is not the same as performing SQL injection on the database.

I believe it doesn’t matter how vulnerable that particular application is; it is important to obtain consent and authorization from the owner. Why?

First of all, they need the assurance that any information regarding their assets will not be published or shared with non-privy parties. Hence the NDA (Non-Disclosure Agreement), pen-tester vetting via background checks, qualification to perform the assessment, etc.

The findings also need to be presented in a way that lets them understand the impact, the risks, and perhaps the solutions they can take to mitigate the risk. This information is usually presented in a report (document) and a presentation (slides).

In order to absolve you of any consequence of your actions, the Get Out Of The Jail consent must be signed by each party. Just imagine that during your penetration testing exercise, one machine crashes for whatever reason. What will be the consequence? At least if you have this GOOTJ consent signed, your ass is safe. Btw, it’s better for the owner to know about this during the scheduled pen-test exercise (that’s why some pen-test activities are performed either after office hours or when server activity is at its lowest point).

Just imagine this:

“Hey, your application didn’t filter the special characters in user input properly. I managed to retrieve your database using an injection method. But don’t worry, I didn’t share this information with others.”

“What? Really? Who are you again?”

“I’m a security evangelist. I do it for the sake of improving our local security posture.”

“Cool, but then we need to charge you for breach of Section 3 (Unauthorized Access to Computer Material) and Section 4 (Unauthorized Access with Intent to Commit or Facilitate Commission of Further Offence) of the Computer Crimes Act 1997 under Malaysian cyber law.” – OK, no administrator will utter those Act and sections, but those are the sections that you’ll breach, at least.

“But I do it for the sake of our security awareness, and I didn’t share this information with others.”

“How do I know that you didn’t? And still, it’s UNAUTHORIZED. Thank you.”

I agree that we need to raise the level of security awareness in our community, but do it properly. We definitely do not want to have those kinds of conversations, right?

p/s: Randal L. Schwartz learned it the hard way, and only after 12 years was his record officially expunged. ;)

One Response to “It’s a Noble cause but still you need the consent…”

  1. on 04 Mar 2009 at 7:42 am kario

    Owner said:
    “Hey, your application didn’t filter the special characters in user input properly. I managed to retrieve your database using an injection method. But don’t worry, I didn’t share this information with others.”

    kario says:
    “Hey, make sure you keep your mouth SHUT and DON’T go around telling people this story/secret/underkaber, you know.”

    Malay interpretation/translation (rendered here in English):
    “Uiiii, this story stays just here, you know, don’t tell other people.. if other people find out it’s dangerous, the police will come and arrest later.”

    Sigh!
    ps: U STORY I LISTEN
