At the recent Black Hat USA 2010 security conference, a well known Washington DC area security service provider accidentally leaked a sensitive penetration test report for a major US-based oil company containing enough sensitive information to gain Windows domain administrator access rights as well as the username and password for everyone in the target company's domain. According to the detailed report, these access rights included the ability to access servers containing SCADA system information. The report was not encrypted or password-protected in any way. Anyone with access to the leaked document and a copy of Microsoft Word could read the report in full.
The file was inadvertently distributed on USB keys provided to some attendees. I guess the lesson here is that, as a service provider, you must take every absolutely every precaution to safeguard customer data. As a purchaser of pentest services, you should make sure that you contractually require your pentest vendor to take any necessary precautions to safeguard whatever reports and data they might retain. If you need boilerplate terms and services contract language, please contact me via email or at @sharpesecurity on Twitter. If there is enough demand, I may post the sample contract language online. A sanitized version of the steps used to compromise the target are available at http://sharpesecurity.blogspot.com/2010/07/major-oil-company-data-leaked-by.html. -- David blog: sharpesecurity.blogspot.com website: www.sharpesecurity.com Twitter: twitter.com/sharpesecurity _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
