
penetration

  • 01-10-2011 12:50pm
    #1
    Closed Accounts Posts: 8


    Hi, I work for a company which has security holes in their network, and I have found one which I have reported to my manager, but no one has come back to me to solve these.
    So after a year of waiting I have decided to show them this hole again, and after a year I was testing this hole again and it is still there, but I'm not sure if it is legal to test that network without permission and what the consequence of doing so could be.


Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Gray area to be honest.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    manox wrote: »
    Hi, I work for a company which has security holes in their network, and I have found one which I have reported to my manager, but no one has come back to me to solve these.
    So after a year of waiting I have decided to show them this hole again, and after a year I was testing this hole again and it is still there, but I'm not sure if it is legal to test that network without permission and what the consequence of doing so could be.

    You need to be really careful. Compromising or attempting to compromise a system without the owner's written permission is considered hacking, and legally speaking you could do time.

    The reality is rather different. While Ireland has quite stringent laws on computer misuse, I don't think there have ever been any convictions. However, for you personally, you could lose your job or at best have disciplinary proceedings brought against you. This will be due in part to knee-jerk reactions by Sys Admins and general ignorance by management.

    Do you work on the Security team, or are you just a 'regular' employee (no offence meant)?

    If you are just a regular employee, inform your manager of the hole and leave it at that. Don't risk suicide by email by CC'ing a load of different managers about it; you will only hurt yourself.

    If you do work on the Security team, again inform your manager, maybe mention it to an admin; many do genuinely care about the integrity of the network, but be sensitive about it. Don't go running into the NOC saying "There's a problem with the network ZOMG!!11!". Buy an admin a coffee and go over your concerns calmly and succinctly.

    If after all that is done, and nothing has changed, leave it alone. But if you have stock in the company consider selling it before they get hacked, and it is made public.


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    What syklops said. Some IT guys may see any "official" report as a criticism of their abilities. Best bet is to mention it in a friendly/curiosity way.


  • Registered Users Posts: 957 ✭✭✭MonsterCookie


    I agree you should tread carefully.

    Many vulnerabilities are difficult to fix. In reality, I've encountered several issues over the years that have taken years to fix. It depends on cost, organisational culture, politics etc.

    On a level, if you have reported it and nothing comes of it, the monkey is not on your back... however, for the good of your organisation, you should probably escalate again if you feel it is being ignored.

    For your own sake, only test if you have express authority to do so...

