August 15, 2011

Ethical Question: 0x1

Posted in Ethical Questions at 17:01

Ethical Questions for Pen-Testers: 0x1

Topic: Information Disclosure
Goal of this post: Something to ponder, hopefully a recurring series
You’re on a social engineering gig and your goal is to get an employee’s password reset on your client’s mail server. In order to get a password reset you have to provide some personal details about the employee while you’re impersonating them to the help desk: social security number, emergency contact, etc. You’ve decided to focus on one specific employee, Bill, as some of his information has been easy to find. After a few hours of progress you’re unable to find the final piece, his social security number. During your investigation you did find who his emergency contact is, his partner Jeffery. You are also aware that Bill isn’t out to his office [1].

Based on the information you WERE able to find, you could get a password reset for his personal Gmail account, within which you are confident you will find tax returns or other data likely to contain his social security number. The scope of your gig does not specifically cover this type of action, but because you’ve worked with this customer so many times in the past you’re sure they won’t be upset.

The client wants a dossier on each employee you decided to impersonate. Bill is not evil or a danger to anyone in any way.

1) Do you specify the relationship Bill has with his emergency contact in the dossier?
2a) Do you break into Bill’s personal email?
2b) What if you could MITM his login credentials and he’d never know?
3) Assume you were able to get the SSN in another way; do you include the full number in the report? Your client has no reason to know this number, as they are not the HR department.
4) Do any of your answers change if you are working for your government?
5) What is the lowest amount of money required for you to answer yes to questions 1 and 2, assuming you do not have Bill’s consent?

I’d prefer that you keep your answers to yourself, or at any rate not post them as comments. Clarifying questions are welcome.

[1] If the gay part influences your decision, just substitute Jeffery with Jennifer. She and Bill are coworkers and are having a relationship. Romantic relationships between coworkers are frowned upon by management.

