An ethical dilema?

[alltheprettyhorses]

I have decided to share this particular dilema in these forums as it is the most likely place to get solid advice from someone who has been in the same situation as I am.

Here is a short synopsis of the issue. I work for a reasonably small computer buisness and one of the services we offer is website security checks. Long story short a local "charitable" buisness manager came in and asked for a website check as soon as possible as their website was just up and running etc. As I was the only person available at the time (I am fairly new to the job and usually someone more senior does the security checks in case of sensitive information leak) I was set to the task of ensuring their website wasn't a total shambles.

This is where we reach the ethical dilema, unfortunately (for them) their website was incredibly vulnerable meaning I was able to get easy access to their admin account. Within this account I found several financial documents which HEAVILY suggested funds they were receiving were NOT being used for charitable purposes.

The question is, do I disclose my findings to the appropriate governing bodies bearing in mind the buisness I work for guarantees confidentiality?

Of course the simple answer is just to report my findings to my senior and walk away from it all, however, if I do this I am 99% certain nothing will be done about this and lets face it, they are scamming ordinary people out of hundreds (and even thousands I noted) of charitable donations.

So, thanks if you read it all, anybody care to offer some advice?

[GuardianGl]

well I take it you are under contract and bound not to break confidentiality so being a law abiding citizen you would just report it however you have 2 other options:
report it (breaking contract which would be an illegal activity)
and the 2nd (I do not know what exactly your contract states) would be making not your findings but only the url of sed company (not in the context of this topic) public and have someone who isn't under contract to keep this a secret however, I presume this would also be breaking your contract so option one, just reporting it to someone within your company should be sufficient (and hope that they will do the right thing)
you could also confront the client with this fact and hope you scare them into bettering themselves...

anyway don't think I'm of much help so I hope someone else will be able to give you some advice that's wort something xD

[cilpolir]

ever thought of just printing the documents and just send it to the goverment(maybe with an explaining letter, about what kind of company it is)? nobody knows who send it and something would be done about it.
You could also send it to a news station if you want it to get a lot of attention(wouldn't recommend that)

[Goatboy]

I am fairly certain the confidentiality is relating to the vulnerabilities discovered, but I digress.

If I were in your situation, I would do this: Send your boss a copy of your report just like you might a "normal" job. Include the findings in your report, and ask his opinion. If he takes care of it, great. If not, and you still feel like justice needs to be served, send an anonymous email to whatever governing body you want with a copy of the report (obviously scrub out your name, company, etc). I have found in the past that an anonymous email is the best way to ensure that you don't get into any trouble, while still reporting the issue.

[msbachman]

You were paid to do a contract, systems' security testing, and you're here contemplating stabbing them in the back?

I'd say its a good thing you don't post under your real name, narc.

Update: My advice is simple. Do your job. Save that goodie-two-shoes shit for your off hours. If you insist on ratting them out, you have absolutely no place in your current position.

[Spectre557]

If you insist on ratting them out, you have absolutely no place in your current position.

If it were simply a case of respecting others' privacy (and others were not consequently suffering), I'd agree, but I think if the OP feels a moral obligation to do something then that is their prerogative, as long as they recognise the risk involved.

I do have to ask, though...

Within this account I found several financial documents which HEAVILY suggested funds they were receiving were NOT being used for charitable purposes.

You got your admin access. So why go opening (and obviously reading) private financial documents after you've already identified the vulnerability?

[mRmasteRful]

If the Op is right and people are being cheated out of money I don't see how the moral high ground is ignoring it. That being said goatboy's option sounds appropriate but if the company cant disclose anything it finds because of a contract then maybe you should skip your boss. The system was vulnerable as you said so that can be your defense. Anybody could've done what you did. Just cover your tracks and you should be fine. Bring down the bastards!

[msbachman]

You got your admin access. So why go opening (and obviously reading) private financial documents after you've already identified the vulnerability?

Great point that I thought to come back and mention. You beat me to it.

This assumes, of course, that the OP even hacked it legitimately via penetration testing (I'd like to know the steps involved; specifics aren't necessary if they become unique or potentially give up the client's identity somehow).

If the Op is right and people are being cheated out of money I don't see how the moral high ground is ignoring it.

I didn't claim the moral high-ground; I very rarely do. What you're talking about though is backstabbing a naive individual who was ignorant enough to entrust valuable assets to this slimy little toad who's now basically trying to flip them.

A few more questions for the OP: what was the fraudulently-allocated money spent on? A yacht? A disease-stricken child's medical expenses? And on what authority were you to determine what expenses are and are not acceptable for an organization you don't intimately know?

What's the annual income of said charity? What percentage of such was misappropriated?

Is said charity BBB accredited?

Per Spectre's comment, after exploiting vulnerabilities which resulted in administrator-level access, why did you take the extra step of combing through specific documents?

What were the terms of the penetration testing agreement? Did you sign a NDA?

-- Mon Sep 06, 2010 2:34 am --

And just so we're clear, this forum isn't even clear on whether or not money was misappropriated. What we do have for sure is someone who of his own admission is in violation of any even semi-coherent penetration testing agreement, most often replete with a NDA.

Noone can say for sure what expenses aren't legitimate, because the OP didn't volunteer that information. We don't know on what basis he concluded they were illegitimate!

Some people who commented shouldn't be so brazen to say at this point that he should disclose anything. It's by no means a sure thing he's even competent to decide what is and isn't acceptable.

Any forensic accountants available for comment?

[mRmasteRful]

@msmachban. I hate to agree but you are right on every point. It seems a bit suspicious you were digging through those documents and took time to go through those financials records. On what grounds are you claiming that they stole from anybody? Some proof might be good right about now

[alltheprettyhorses]

Thanks for the legitimate answers guys, really helped me out.

Now, on to the flamers. I re-read my post and realise that I should have made something much more clear.

I DID NOT, brute force an admin account then proceed to loot all files (more than my jobs worth, it would be treated as black hat.) Instead (and perhaps what i should have stresssed originally to stop the disingenuous idiocy that followed) I found I was able to extract information (if you will) from their admin account area without being IN the actual account (yes, it really was that much of a shambles). Naturally I had to read this information to ensure it WAS in fact sensitive material and not some page of gibberish or unrelated nonsense.

"Noone can say for sure what expenses aren't legitimate, because the OP didn't volunteer that information. We don't know on what basis he concluded they were illegitimate!"

And I won't be offering ANY information I'm sorry, this wasn't a post that was meant to turn into a social engineering practice session for people to see if they could find the website/check it for themselves. Needless to say I felt discomforted enough reading them.

I do however have a question for you msbachman, do you support charity based financial fraud? Just wondering.

Also, Goatboy, you bring up a VERY interesting point that rings a few bells, after reading that I'm 90% certain that it is indeed vulnerability confidentiality. So thanks for that little digression.