Hey all, I'm on holiday at the moment. I was bored today so I booted up my penetration test stuff just to have a peek around; I use them at home to test my own security and at friends' for the same reason.
Anywho, within 10 minutes, very distracted so it could've been less (and I'm not even remotely good at this stuff), I found a lot of various personal information (which I didn't open, I could tell by the file names) and also payment details (which I didn't take note of).
How do I alert these people that their customers' info and CC details are child's play to get hold of?
I'm not a fan of going to prison, and I'm also not a fan of having the possibility of this stuff being stolen on my conscience.
Should I contact them anonymously a while after I leave?
Also I'm not sure if this is the appropriate forum, or if this kind of stuff is allowed here.
I can only tell you I didn't do anything malicious, hopefully you lot believe me, else there's no way management will.
I believe you. I would talk to their IT people, via email or otherwise. Not sure how to present it though....
That's what I was thinking. I don't know that they have dedicated IT people though, it's a small hotel (like 40 units) and relatively low cost.
What tools are you using? I've been looking for something better than the manual way that I do things when doing penetration testing.
When I do a random penetration test I'll just tell the manager; typically they are happy that you did this service for free and advised them of the issues in their network. This could also backfire, though, and they could attempt to have you arrested or something. If you're worried about that then just mail them an anonymous letter stating the process you took, the results you found and ways to resolve the issue.
Thankfully (not really) I live in the south, people typically don't get fired up over things like that.
I was just using a sniffer on my phone, Intercepter-NG I believe it's called (phone's not with me at the moment). It's usually my starting point for glaring security flaws. The login and pw popped up for their server (which happens to be connected to the web). I'm unsure what they were using that wasn't putting this stuff in encrypted, but hey, it wasn't. Anyway, I poked around on there for about a minute before I found everything that someone would need to do malicious things.
I think I'll email them after I leave. The manager seems less than technologically inclined, same with the other employees; I think they'd first conclude I'm a scary hacker (not even close) before they'd believe that computers need protection too.
I didn't bother getting anything to crack passwords or intercept anything else since it just popped up (on a free app that's even on the Play Store, mind you).
I doubt I could really get much more information even if I tried though. I'm more of a skiddie than a skilled penetration tester; the NSA could break into my server, but I couldn't, so that's good enough for me.
Edit: I don't know what's going on with those "I"s but I can't get them to separate from the word next to them on the iPad for whatever reason. Also their PCs have all the files shared to anyone on the network so you can see payslips, tax and everything. I'll let them know about that too.
Ye, just do it anonymously. Or approach them directly and offer to do a penetration test for a few bucks.