Security Basics mailing list archives
Re: Bank Exploit
From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Fri, 27 Jul 2007 11:15:32 -0500
Uh...OK. So, maybe the doctor analogy wasn't such a good idea. ;) And 'yes', the security, homeland security and critical infrastructure protection industries are NOT regulated (and even if they are, it isn't as much as, say, the medical or financial industries). So, 'yes', we do have a bit of a dilemma. BTW, there is a growing movement to regulate security professionals throughout the U.S. (and perhaps, the entire world). If that happens, you, as a security professional, will be required to be certified in your area of expertise, registered with your local state or province, and licensed with your federal or national government. It's only a matter of time... :(( -rad ----- Original Message ----- From: Jason Thompson [mailto:securitux () gmail com] To: Jax Lion [mailto:jv4l1n4 () gmail com] Cc: Bob Radvanovsky [mailto:rsradvan () unixworks net], Scott Race [mailto:srace () jdaarch com], Warren V Camp [mailto:wcamp () cox net], securityz () delahunty com, security-basics () securityfocus com Subject: Re: Bank Exploit
Not sure.. It would be good if there was such a thing, and the community were able to offer assistance to businesses and institutions which is in everyone's best interest. Unfortunately in our case the doctor is usually accused of creating the disease just because he found it. -J On 7/27/07, Jax Lion <jv4l1n4 () gmail com> wrote:In the case of doctors, if the disease is the deadly and communicable one - they should follow up with the CDC who would then follow up and find all who are infected or at least interacted with that individual and possibly quarantine and contain. Remember the TB patient who was prevented from flying back to the US? In our case - who is our CDC? -------- On 7/26/07, Bob Radvanovsky <rsradvan () unixworks net> wrote:Ahhhh....but therein lies one of the biggest and most debatedissues/problems -- when (as a security professional) should I 'do the right thing'?Some might argue, "OK, you're receiving a paycheck from your client. Dothey want the world to know that they have a vulnerability?" If ABC is your client, and you've signed an NDA, legally, you can't approach EFG, perhaps even if you wanted to. Ethically, you are 'honor bound' to divulge to EFG; civilally, you may be 'legally bound' to ABC.One (possible) way out of this mess might be to: (1) Have ABC acknowledge that EFG has vulnerabilities. (2) Have ABC acknowledge that you, as a security professional, are NOTlegally bound to divulging into to EFG.(3) That you will not be prosecuted, either civil or criminally. (4) Have an ABC officer sign-off on the document. The problem stems from what happens if ABC *refuses* to oblige insigning said document. If there are criminal ramifications, do you notify the FBI or DOJ? Legally, ABC could come after *YOU* afterwards. So could the federal government. In some circumstances, if you were simply hired to perform "X" function for ABC and found "X" for ABC and "Y" for EFG, reveal only what you were requested to perform. If you have significant amounts of data on EFG's vulnerabilities, it may be simply be better to destroy the findings. Again, you were requested ONLY to perform "X" for ABC. You weren't requested to perform "Y" for EFG. ;)As a professional, you need to abide by what other professionals do.Would your doctor do the same if he conducted a test and found out that you and your wife (or girlfriend) had the same (or similar) disease (if communicable)? The fact is, the doctor is honor-bound up to a point; same goes with legal notification. A doctor, depending on the circumstances may -- or may not -- notify your spouse or girlfriend of the disease. Legally, they may or may not have to -- again, depending on the circumstances. The same may hold true here.-rad ----- Original Message ----- From: Jax Lion [mailto:jv4l1n4 () gmail com] To: Scott Race [mailto:srace () jdaarch com] Cc: Warren V Camp [mailto:wcamp () cox net], Jason Thompson[mailto:securitux () gmail com], securityz () delahunty com, security-basics () securityfocus comSubject: Re: Bank ExploitIn a scenario where you have been hired to test company ABC, in the process you discovered that there is vulnerability in company EFG. You inform company ABC of your findings, but should you inform company EFG what you have discovered? If company EFG is a client of company ABC, company ABC might* choose not to divulge the finding to company EFG due to reasons of their own. As a security professional, do you have an obligation to inform company EFG of the finding, even though you were not hired to test? ---- On 7/26/07, Scott Race <srace () jdaarch com> wrote:Obviously there are many ways to look at this one. The bottom line is you have discovered a security hole that the bankshouldbe aware of. Your letting the bank know will benefit them, but atcostforyour services. Will they think you are looking out for them, or willtheythink you are just trying to justify a job? It's all about communicating your INTENTION (as with everything inlifeforthat matter). Approaching it like "I have hacked you, now pay me to fix it" islikeransom. If your intention is to help them, you need to clearly communicatethat tothem, with the risk that they don't understand, in which case youneed tobeready to seriously explain in way they understand (we don't knowyourboss,so only you know the way to communicate this). As with all jobs, it comes down to communication. I've always felta goodIT professional needs to cultivate both techincal skills AND peopleskills.So, it's up to you. Can you communicate in a way they can understandandTRUST? If so, go for it. If you are not confident then I would notsuggestyou hold off. ________________________________ From: listbounce () securityfocus com on behalf of Warren V Camp Sent: Wed 7/25/2007 2:32 PM To: Jason Thompson; Jax Lion Cc: securityz () delahunty com; security-basics () securityfocus com Subject: Re: Bank Exploit This does not sound good. On the surface it appears that a "good"hackerwants to tell the bank that he/she has see evidence of "bad" hackersontheir system and that the "good" hacker wants to sell consultingservicestothe bank. The "good" hacker could be in just as much trouble asthe"bad"hackers. ---- Jax Lion <jv4l1n4 () gmail com> wrote:So Jason - what happened to your collegue? IMHO - I don't think option 2 is a good idea. Questions will comeupsuch as - how did you discover the vulnerability in the firstplace.What were you doing... and it all goes downhill from there. I don't agree with keeping quiet either... Is there a medium where we can report the "accidental discoveries" without risk of prosecution? Like a hot tip line with the FBI or something. On 7/25/07, Jason Thompson <securitux () gmail com> wrote:Risky... is this person a security professional? This has happened to one of my colleagues before as well. Therearetwo solutions that are possible: 1) Do not reveal this or tell anyone about it. Leave it be. Asthereis this heightened sense of urgency among banks to thwartpotentialattackers the person could be in trouble with the bank forsimplydiscovering the issue. It really all depends on the person he orshedeals with there. Not saying it would hold up in court, itlikelywouldn't, but anyone who has the ability to find exploits isgenerallyregarded in a dim light by those who are uneducated on thesubject.2) Notify the bank's incident response team / security staff,OFFER anon-disclosure agreement to them saying that you will notdisclosethis to anyone regardless of what actions the bank decides totake ontheir vulnerability, and state that this was discovered byaccidentand that he or she simply wants to notify them about the issueand ISNOT seeking ANY SORT of compensation. If they are notified anditfollows with the statement 'I would be willing to help consultyou onthe solution for a small compensation' it instantly becomesextortionand this person will likely be thrown in jail. I am not a lawyer by any means, I am simply speaking from past experiences and what I have seen happen to those who did thingstheright way and the wrong way. Solution 2 is a lot easier if your friend's client works in information security and holds federal clearances and security designations. Real ones, not Cisco or something :) -J On 25 Jul 2007 13:34:29 -0000, securityz () delahunty com <securityz () delahunty com> wrote:Friend of mine (not me, really) is working with a client ofhis whoclaims to have inadvertently discovered a few web exploits ofseveralfinancial institutions. Does anyone have any insights as to howthis guycould bring these to the attention of the organizations involvedwithoutbeing seen as a hacker? His minimal goal is to help theinstitutions,optimally he would like to consult to help them rectify the issues.thx Steve-- Warren V. Camp, CPA, CISA, CDP
Current thread:
- Re: Bank Exploit, (continued)
- Re: Bank Exploit Jax Lion (Jul 26)
- Re: Bank Exploit gjgowey (Jul 27)
- RE: Bank Exploit Siscar, Emerson E. (Jul 26)
- FW: Bank Exploit izak.integrative (Jul 26)
- Re: Bank Exploit Bob Radvanovsky (Jul 27)
- Re: Bank Exploit Jax Lion (Jul 27)
- RE: Bank Exploit Frary, Brock (Jul 27)
- Re: Bank Exploit Jim Nelson (Jul 27)
- Re: Bank Exploit Jason Thompson (Jul 27)
- Re: Bank Exploit Jax Lion (Jul 27)
- RE: Bank Exploit Bob Radvanovsky (Jul 27)
- Re: Bank Exploit Bob Radvanovsky (Jul 27)
- Re: Bank Exploit krymson (Jul 30)