Does this make you angry?

[th3l4st]

So there I was again, confronting with blindness and selfishness of those supposed to be my superiors.

The place where I work has a strong sense of hierarchy. I started working there less than 2 years ago. As always when I get into a new place the first thing I do is watch for its security measures and test them (I know, awful practice, but I just can't help it). So as soon as I had the chance I fired up my laptop, went for Kali and started looking at the traffic of the WiFi with Wireshark to see if I could find interesting things.

It's always a nice activity, looking at the traffic of a WiFi, you see a lot of things and you can make a pretty accurate idea of the habits and interests of its users. This was the first thing that made me think: "WTF? Open network? No WPA?" but, but, but, wait. Captive Portal. Fine, a Captive Portal after all is a nice sol- WTF? No HTTPS? That means I can see credentials flying over the air?
It was just as I thought, all of the people credentials where sent with a POST request to the auth server without any sort of encryption.

So, no WPA2, no HTTPS, I bet there is more. The Captive Portal source had a fair amount of Javascript code so I thought "I bet I can find some XSS there!"
I wrote the classic:

Code: [Select]

"><script>alert('XSS!!!')</script>  

not hoping it would work as I was sure there would have been at least some sort of filt-BAM, the popup with "XSS!!!" came out. I did not know what was more appropriate, if crying or laughing

In the end the network had no AP protection, no data encryption and the portal was vulnerable to a very basic attack (I am not even remotely close to successfully exploit XSS to make real damages), so I thought I had enough data to write down some sort of report for the guys of the IT department with the risks we were going to take if the things I had noticed weren't to be fixed soon. I want to specify I was not going after glory or anything, I just cared (and still care) for the security of the place I work in and of my colleagues.

I had my direct superior send the report to the IT guys and, specifically, to the guy who is the head of the IT security office. Days passed, weeks went on, months started to pile one on the other, yet nothing happened. Not happy with the path things were taking I decided to go deeper and found something more to send to the IT guys. Most of them are nice and helpful truth be told. Though nothing happened again, worst of all my superior called me to his office and told me someone from there was playing against me.
Long story short, the head of the IT Sec office was willingly ignoring my warnings, telling my superiors I was pissing him off and I had no idea what I was saying.

What happened then? I took all the data I collected and stored it safely on an hard disk, encrypted. I'll be transferred in less than six months (for other reasons not related to this), but I'm preparing a complete report of more than 30 pages that I'll drop on the desk of the boss, underlining the negligence of this guy. Sometimes you just have to accept that you can't win fights going through all the procedure and sticking to the rules.
What makes me really angry is how people are ready to drop security and duty for their own selfishness. Did you ever find yourself in this kind of situation? Did you ever have to deal with this kind of people? I wanted to know your point of view, if someone thinks I'm wrong please say so, views different from mine are gladly accepted!

[white-knight]

Well it doesn't make me angry 

I would't push it to far, If you didn't have permission in the first place they could press charges against you.

[r4kk00n]

You tried to warn them, several times in fact.
Why not exploit the weaknesses you found for your own advantage? If they don't respect you enough to at lest investigate your claims, then why respect them or their data?

[th3l4st]

Well it doesn't make me angry 

I would't push it to far, If you didn't have permission in the first place they could press charges against you.

I totally agree on this, you are right. But, assume you find a hole in your house's wall, what would you do? I did not mention the fact that, to avoid the risk of my data being intercepted and scrutinized, I use Tor a lot. They started forbidding it, as if they want to see your data and they don't care about it being insecure.

[white-knight]

assume you find a hole in your house's wall, what would you do?

Totally different scenario tho , its my house i can do whatever i want, I don't have anyone else to answer to. 

[th3l4st]

Yeah, aside from the fact that my data flies unprotected through this network (and I just can't use another one since it's the office network) and I can't even defend myself as they forbid the use of Tor or VPNs. I repeat, you are totally right but to me knowing a network is heavily flawed and not doing anything is something crazy!

[r4kk00n]

I really don't understand the ethical concern about their network or their data. Just because you work there and they are your employers that doesn't mean that your concerns aren't important and worthy of respect. Plus, as you mentioned, by failing to provide security they also put you and your data at risk,. Respect should be mutual, and everyone should be treated with respect (until  they give you a reason not  to) having a title doesn't make a person more valid or important.

[th3l4st]

I really don't understand the ethical concern about their network or their data. Just because you work there and they are your employers that doesn't mean that your concerns aren't important and worthy of respect. Plus, as you mentioned, by failing to provide security they also put you and your data at risk,. Respect should be mutual, and everyone should be treated with respect (until  they give you a reason not  to) having a title doesn't make a person more valid or important.

Well, indeed some ethical concerns are necessary, one just can't go around hacking other's network. Though you are right about the respect part of your post. He not only disrespected me but also the other guys working there. If it were only about me I would just accept it and change my working routine in order not to send important data unencrypted, but from the moment others are using the same network and almost all of them are not tech savvy enough to recognize the risks I feel it a duty to report what's wrong. Still I can't make damages or steal others' data, it's against my ethic and against the hacker's ethic too.

[Erra]

Well what happened to me isn't really in the same context of h4x0r ; more like stupid people ignoring what's important. The other day I was with my robotics club in my college, and basically we have to do this thing with ROS (Robotics Operating System). So they spend about 3 hours talking about how they're going going to devise different algorithms to be able to program the robots in order to do what they need to do.

This may seem productive, but it wasn't, of all the things that they could talk about they only took about 10 minutes talking about how to work with ROS, given that 1) they have incredibly shitty programming skills, and they think it's easy even though I told them it's not, and 2) they don't even know what virtualbox is. I persisted in trying to get them to talk more about ROS but all of my attempts to do so were ignored and it made me frustrated and angry. Chances are that this project is going to be a bust since I highly doubt, even as a friend, that they will pick up the fucking textbook I gave them or go to the ROS website and learn how to write advanced c++/ python code. It pisses me off and it made me feel like I didn't want to go there anymore.

So with this being said, yes I feel you bro, the best way to  overcome the feeling is to just let the bad things happen. I wont help my friends out with ROS unless they really want me to; do I care anymore about the project itself? Not in the slightest bit. As a pen tester I'm sure you know how to stay anonymous should you try and do anything to your work place's network with Rapid; but other than that, I would say to just let it go, and since it's insecured, don't stay logged into your email, don't go to websites where you have to login and put credentials, and you'll be safe.

[th3l4st]

So with this being said, yes I feel you bro, the best way to  overcome the feeling is to just let the bad things happen. I wont help my friends out with ROS unless they really want me to; do I care anymore about the project itself? Not in the slightest bit. As a pen tester I'm sure you know how to stay anonymous should you try and do anything to your work place's network with Rapid; but other than that, I would say to just let it go, and since it's insecured, don't stay logged into your email, don't go to websites where you have to login and put credentials, and you'll be safe.

Yeah, of course I'm not logging into anything valuable to me with that network unless I'm sure it uses TLS. I understand what you are talking about but I don't think that going there and harming the system would be a good idea, if something is to happen let it be, otherwise just thank God (or whoever you believe in) that this time stupid people did not get burned with their own recklessness. It is wrong to exploit the flaws you have found unless you have a good reason to do it... Just as your friends I think they'll learn by themselves and if they are going to hit a wall then it's their fault.