This topic has 15 replies, 7 voices, and was last updated 11 years, 7 months ago by Dav_Id.
July 18, 2009 at 10:30 am #4036
Dav_Id (Participant)
Hi All,
I have lurked for a while hoping to find the answer.
Here’s the thing. I have stumbled onto an open wifi access point via my phone 😉 and it gave me an IP address!
The question is how to tell the corporation, which is actually a retail store, that they have an open wireless network without:-
a. Getting someone who knows what I’m talking about.
b. Getting someone who will not get me arrested – I visit the store a lot; hey, you gotta eat, right!
c. Do I advise the PCI DSS that they have an open point? Maybe they could be the first one to actually be fined 😛
I have tracked down the IT Director’s email address and he is not responding to my emails – well, why would he!
Thanks Guys!
Dav
-
July 20, 2009 at 2:16 am #25695
elcapitan (Participant)
“Open” like you can access their internal protected network after receiving an IP address?
Unless you have performed some recon to determine what you can actually touch, this might be a non-issue to them.
At the same time, depending on your local laws, this recon activity may get you in trouble.
-
July 20, 2009 at 5:51 am #25696
Dav_Id (Participant)
Hi,
Thanks for the reply.
It gives an IP address on their internal network.
A laptop gets given an IP address and ‘network places’ is full of computers, some with names ending PDC – I wonder what they might be ;).
I have not gone any further; as Microsoft has ‘given’ me these details, I have not actively searched for them. (Grey area in the eyes of the law, maybe?)
I understand the legal implications but want to let them know that a more ‘inquisitive’ person may go further.
Do you see my predicament?
Any ideas anyone??
Dav
-
July 20, 2009 at 8:25 am #25697
KamiCrazy (Participant)
What sort of retail store is it?
If it is a coffee shop for instance, it might be open on purpose for customer use… It’s a bit too vague for me to make a judgement call.
-
July 20, 2009 at 11:03 am #25698
UNIX (Participant)
The easiest way would be to notify them anonymously. This would pose minimal risk to you, but at the same time it would also limit your actions (e.g. discussing the problems found).
Another possibility would be to drop a mail to the responsible persons, telling them that you have found a vulnerability by accident. The responsible persons should contact you and then you give them further details about the problem. If you tell them everything right away they may feel “overrun”. It is important to speak with the responsible persons and not with the amanuensis or other third persons. As you wrote that they are ignoring your mails, you could try to write it in a letter.
If you get asked for further details you should be cooperative. If they ask for a PoC you should only do it after you have got written permission from them. Maybe it would also be a good idea to stress that you found this by accident, that you were not trying to get access on purpose, and that you are now concerned about this.
I know of some similar “problems” where people were in the same situation as you. The results could range from some kind of nice “thank you” up to getting sued by the company.
What you will do has to be decided by yourself – if it is too risky for you, just do it anonymously.
-
July 20, 2009 at 12:05 pm #25699
Dav_Id (Participant)
@KamiCrazy wrote:
What sort of retail store is it?
If it is a coffee shop for instance, it might be open on purpose for customer use… It’s a bit too vague for me to make a judgement call.
Hi,
It is LARGE. Google says it has a turnover of 12.5 billion pounds and has over 350 stores, somewhat on the big side I would say!
By the way, there is no internet access once you join the network. So I would guess it is not for public consumption.
Dav
-
July 20, 2009 at 1:14 pm #25700
Dav_Id (Participant)
@awesec wrote:
The easiest way would be to notify them anonymously. This would pose minimal risk to you, but at the same time it would also limit your actions (e.g. discussing the problems found).
Another possibility would be to drop a mail to the responsible persons, telling them that you have found a vulnerability by accident. The responsible persons should contact you and then you give them further details about the problem. If you tell them everything right away they may feel “overrun”. It is important to speak with the responsible persons and not with the amanuensis or other third persons. As you wrote that they are ignoring your mails, you could try to write it in a letter.
If you get asked for further details you should be cooperative. If they ask for a PoC you should only do it after you have got written permission from them. Maybe it would also be a good idea to stress that you found this by accident, that you were not trying to get access on purpose, and that you are now concerned about this.
I know of some similar “problems” where people were in the same situation as you. The results could range from some kind of nice “thank you” up to getting sued by the company.
What you will do has to be decided by yourself – if it is too risky for you, just do it anonymously.
Hi Awesec,
I value your feedback.
I have tried the following to email anonymously; I think MessageLabs ate it!
I have also tried adding the IT director as a friend on LinkedIn, under my pseudonym of course. No luck.
I tried asking for his direct dial number so that I could leave a message out of hours to be anonymous (no chance of a caller ID slip-up – I also thought of my iMac reading it out via speech, but that is just too Hollywood cheesy ;D). They are not giving out direct dial numbers!
It looks as if it would have to be snail mail with a link to an email address for more info.
Very frustrating, as all I am doing is being very ethical and just trying to help!
Life of Brian: There’s no pleasing some people.
I will keep you posted.
Dav
-
July 20, 2009 at 3:05 pm #25701
unsupported (Participant)
Ignore it and move on. It is not your responsibility. While you are being a nice guy in trying to tell management, it is beyond your responsibility.
Now, I’ll indulge you for a minute. If you decide to send a letter, make sure it is certified so you know if/when they get it.
Blowing the PCI DSS whistle may not be enough, because for PCI DSS you only need to encrypt any traffic which touches credit card data.
And time for the reality check. You are one step above some kid with a new laptop who wants to war drive in his neighborhood to sell their services as a “security professional” by locking down wireless routers.
And last, but not least, you did not obtain permission to access their network. As mentioned, depending on where you are, simply obtaining an IP and browsing the network is an illegal act. You’ve admitted to doing this twice: once on your phone and once on a laptop. You also tried to use the network’s internet. The internet may have a proxy, leading me to believe that you are not familiar with the concepts of networking or security beyond “Let’s try to connect to open APs”.
Doing something ethically means not breaking laws, having permission, and having signed contracts limiting your liability. You say you are being ethical; since you like movie quotes, “You keep using that word. I do not think it means what you think it means.” – The Princess Bride.
-
July 20, 2009 at 9:44 pm #25702
KamiCrazy (Participant)
If it is such a big organisation I would be inclined to agree with just ignoring the problem.
It’s not your issue and you don’t have any real rights to push the issue.
If it was a relatively small or medium sized business then you could approach the stakeholders and speak with them without a huge risk on your part, but since you are dealing with a large corp it isn’t really worth your trouble.
-
July 21, 2009 at 5:16 am #25703
UNIX (Participant)
Although I have posted something different, I would also recommend adhering to unsupported’s advice, as it seems more equitable. I hadn’t thought of the “it’s none of your business” thing.
-
July 21, 2009 at 5:40 am #25704
Anonymous (Participant)
From the sounds of it, you’ve attempted to contact them anonymously a few times with no success. At that point, I would agree with the other posters here and just forget about it. You’ve done your part and informed them. If they don’t want to listen, it’s their fault and they will likely see the error of their ways sooner or later. Just know that you’ve done the right thing and be happy with that.
-
July 21, 2009 at 8:00 am #25705
Dav_Id (Participant)
I just wanted to say a big thank you to you all for your posts.
I actually wrote the letter yesterday, but did not send it. It is still on my desk.
My ‘Ethics’ are based on honesty and integrity.
You are correct in saying if they do not want to listen – it is their problem.
I just feel that if someone took the time to sit down and hack it, they may be able to sniff the data between the petrol station and the main store and capture customer data. (I have now spotted the 2 Cisco wifi antennas bridging the two sites.) Or Nessus scan the network, break in, etc. and walk the network from there.
Ok. The letter is now trashed. I gave it to the dog; he is the best shredder I ever bought, organic too 😉
In the words of Paul McGee, I will S.U.M.O. (Shut Up and Move On)
Cheers!
Dav
-
July 21, 2009 at 9:00 am #25706
ants (Participant)
Hi Dav_Id,
I don’t think what you have done is necessarily unethical in a philosophical sense (I don’t think that obeying the law and being ethical are always mutually inclusive), but it is rather against the Code of Ethical Hackers. I think that it would be best to inform them, but I think that you would be lucky to be able to find somebody from the company who cares enough. But if their internal network is exposed, I’d refrain from using my credit card there – just to be sure.
This is just my opinion…
Ants
-
July 21, 2009 at 10:36 am #25707
Dav_Id (Participant)
@Ants wrote:
Hi Dav_Id,
I don’t think what you have done is necessarily unethical in a philosophical sense (I don’t think that obeying the law and being ethical are always mutually inclusive), but it is rather against the Code of Ethical Hackers. I think that it would be best to inform them, but I think that you would be lucky to be able to find somebody from the company who cares enough. But if their internal network is exposed, I’d refrain from using my credit card there – just to be sure.
This is just my opinion…
Ants
Hi Ants,
I only use cash at that store. Although, saying that, a skimming ‘device’ was found at the ATM outside the store back in March, so what you gonna do 🙂
Dav
-
July 21, 2009 at 12:41 pm #25708
unsupported (Participant)
Ok, now that this is all settled, welcome to EH-Net. Sorry if I was sounding too harsh. I was just trying to prove a few points. It is nice to see the spark of security minded computer people. You are more than welcome to stick around, learn a few things, and ask as many questions as you want.
I know I did not want you going down the wrong path in regards to security. Information security is not as much of the wild west as it once was.
-
July 21, 2009 at 1:07 pm #25709
Dav_Id (Participant)
@unsupported wrote:
Ok, now that this is all settled, welcome to EH-Net. Sorry if I was sounding too harsh. I was just trying to prove a few points. It is nice to see the spark of security minded computer people. You are more than welcome to stick around, learn a few things, and ask as many questions as you want.
I know I did not want you going down the wrong path in regards to security. Information security is not as much of the wild west as it once was.
Hi Unsupported,
Not at all.
I just think it is crap that a large company, with responsibilities to shareholders etc. etc., has such a lax attitude to security. Anyway, SUMO.
Always happy to learn !
Dav
-