312-50V9 · Question #212
You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder
The correct answer is A. Report immediately to the administrator. Penetration testers are legally and ethically required to immediately report any sensitive personal or financial information discovered during an engagement, and any unauthorized use of that data is a criminal offense.
Question
You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrator's bank account password and login information for the administrator's bitcoin account. What should you do?
Options
- AReport immediately to the administrator
- BDo not report it and continue the penetration test.
- CTransfer money from the administrator's account to another account.
- DDo not transfer the money but steal the bitcoins.
How the community answered
(25 responses)- A92% (23)
- B4% (1)
- C4% (1)
Why each option
Penetration testers are legally and ethically required to immediately report any sensitive personal or financial information discovered during an engagement, and any unauthorized use of that data is a criminal offense.
Professional penetration testers operate under a signed rules of engagement and an ethical code that mandates reporting all sensitive findings - including financial credentials - to the authorized stakeholder immediately upon discovery. Retaining, exploiting, or concealing such information violates the engagement contract and constitutes unauthorized access or fraud under computer crime statutes such as the CFAA.
Failing to report discovered financial credentials violates professional ethics, the rules of engagement, and potentially federal laws governing unauthorized possession of financial account information.
Transferring funds from the administrator's account is wire fraud and computer fraud - serious criminal felonies that no authorization from a penetration test scope can legalize.
Stealing cryptocurrency is theft and a criminal offense regardless of the method or currency type; the absence of a traditional bank transfer does not remove criminal liability.
Concept tested: Penetration tester ethics and rules of engagement compliance
Source: https://www.eccouncil.org/code-of-ethics/
Topics
Community Discussion
No community discussion yet for this question.