OK... I have to ask... Who was the company?
On Thu, Aug 5, 2010 at 4:24 PM, David Sharpe <[email protected]> wrote:

> At the recent Black Hat USA 2010 security conference, a well known
> Washington DC area security service provider accidentally leaked a
> sensitive penetration test report for a major US-based oil company
> containing enough sensitive information to gain Windows domain
> administrator access rights as well as the username and password for
> everyone in the target company's domain. According to the detailed report,
> these access rights included the ability to access servers containing
> SCADA system information. The report was not encrypted or
> password-protected in any way. Anyone with access to the leaked document
> and a copy of Microsoft Word could read the report in full.
>
> The file was inadvertently distributed on USB keys provided to some
> attendees.
>
> I guess the lesson here is that, as a service provider, you must take
> absolutely every precaution to safeguard customer data.
>
> As a purchaser of pentest services, you should make sure that you
> contractually require your pentest vendor to take any necessary
> precautions to safeguard whatever reports and data they might retain. If
> you need boilerplate terms and services contract language, please contact
> me via email or at @sharpesecurity on Twitter. If there is enough demand,
> I may post the sample contract language online.
>
> A sanitized version of the steps used to compromise the target is
> available at
>
> http://sharpesecurity.blogspot.com/2010/07/major-oil-company-data-leaked-by.html
>
> -- David
>
> blog: sharpesecurity.blogspot.com
> website: www.sharpesecurity.com
> Twitter: twitter.com/sharpesecurity
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
