Anyone have even a sanitized version of the report? I'd love to see the design, sections and formatting of it.
On Sat, Aug 7, 2010 at 6:31 AM, John Strand <[email protected]> wrote:

> OK... I have to ask...
>
> Who was the company?
>
> On Thu, Aug 5, 2010 at 4:24 PM, David Sharpe <[email protected]> wrote:
>
>> At the recent Black Hat USA 2010 security conference, a well known Washington DC area security service provider accidentally leaked a sensitive penetration test report for a major US-based oil company containing enough sensitive information to gain Windows domain administrator access rights as well as the username and password for everyone in the target company's domain. According to the detailed report, these access rights included the ability to access servers containing SCADA system information. The report was not encrypted or password-protected in any way. Anyone with access to the leaked document and a copy of Microsoft Word could read the report in full.
>>
>> The file was inadvertently distributed on USB keys provided to some attendees.
>>
>> I guess the lesson here is that, as a service provider, you must take absolutely every precaution to safeguard customer data.
>>
>> As a purchaser of pentest services, you should make sure that you contractually require your pentest vendor to take any necessary precautions to safeguard whatever reports and data they might retain. If you need boilerplate terms and services contract language, please contact me via email or at @sharpesecurity on Twitter. If there is enough demand, I may post the sample contract language online.
>>
>> A sanitized version of the steps used to compromise the target is available at
>>
>> http://sharpesecurity.blogspot.com/2010/07/major-oil-company-data-leaked-by.html
>>
>> -- David
>>
>> blog: sharpesecurity.blogspot.com
>> website: www.sharpesecurity.com
>> Twitter: twitter.com/sharpesecurity
>>
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
