I have a question regarding reporting ethics. I’m employed as a penetration tester, so I’m familiar with the process of breaking into computer systems. Through volunteer activities I was given limited access to a computer system that contains very sensitive information regarding all volunteers. All volunteers are given unsupervised physical access to a Windows 2000/XP laptop to enter information into a custom MS Access form that communicates back to an MS SQL Server. Access is limited to about 5 minutes every 2 months. The computers have “no” Internet access and are generally unpatched. It’s my conjecture that one could easily bring in an iPod or USB stick to exploit the SQL server (with a public exploit) and exfiltrate the data, or to put an implant on the workstation to keylog and gain credentials for next time.
The exploitation is all conjecture, but I’ve seen many similar setups and generally things are fairly wide open when computers have no Internet access. For about the last 6 months I’ve complained to the organization, offered my (free) assistance, and offered to set them up with a company that could help them refine their policies. Unfortunately, they have been very uncooperative. Anyone I speak with says it’s someone else’s problem and forwards me elsewhere.
If I came across these (perceived) problems in the course of my professional duties, there’s no doubt this would be privileged information. If they didn’t want to fix problems, that would be their own business and not for me to disclose. However, as I’m not working for the organization and the information at risk includes my own, I think it’s against my own interest to leave the situation unresolved. Therefore, would it be wrong or unethical to disclose the organization and proposed attack in an effort to get them to act?
Thanks for any input.