Bugtraq mailing list archives

Re: Advisory: E*TRADE security problems in full


From: reb () OPENRECORDS ORG
Date: Wed, 27 Sep 2000 04:43:16 -0500

Gunther,


On Tue, 26 Sep 2000, Gunther Birznieks wrote:

I think this brings up an interesting point about disclosure which is close
to home.

That is, what is the best way to notify users?

<snip>

        I believe that it is the vendor's duty to make the effort of
notifying their users to the best of the vendor's ability.  This can be
done by sending mail to registered users, popups in a browser if
available, etc. The question is why would a financial institution want to
scream to the entire world: YES WE'RE INSECURE, knowing that a news person
would pick the story up and run with it?

        Vendors are going to try and save face as much as possible,
especially the major players.  A business such as E*Trade obtaining any
publicity as being insecure would drive the non-technical majority away by
the masses; if not current customers, potential customers would be
affected.

I don't know what to suggest. Although perhaps it would be useful if
vendors would voluntarily have their users subscribe to a special filtered
version of BUGTRAQ based on the vendor name. So, for example, Schwab would
link to a special Bugtraq security mailing list that they encourage their
users to subscribe to in case Schwab ever had a security hole. If there are
no security holes, the user would get no emails. Ever. But if one ever did
pop up, it wouldn't be Schwab telling the users, it would be BUGTRAQ.

Vendors of security sensitive web services could use this as a selling
point of their service. That they give a highly trusted 3rd party the
capability of letting them know about any problems so they cannot ever hide
a problem. I know if BUGTRAQ offered such a service, I would link to them
and encourage our users to use them. As it is, the traffic on a real
BUGTRAQ mailing list is too much to expect the common user who has minimal
computer skills to read and filter BUGTRAQ on their own.


        What you are proposing here isn't very viable due to several
factors. Who would be responsible for such announcements?  Who could post
to the mailing list?  Are you suggesting a vuln-dev area for the techies
and then if the security flaw is verified and widespread, then forward the
flaw in question to the list?  How would that be different than what
we have now?
        Most companies use 'updates' to cover fixes/security concerns;
your normal everyday user would probably not know that their account
before the update could be trivially compromised.

        In conclusion, the security community needs to keep
full-disclosure putting the pressure on vendors to notify users and have
their products as secure as possible.  When vendors cut corners in the
security arena, they hurt everyone.

Reb


<snip rest of message>