Bugtraq mailing list archives

Re: Vulnerabilites in new laws on computer hacking


From: Radoslav Dejanović <radoslav.dejanovic () opsus hr>
Date: Mon, 20 Feb 2006 11:30:28 +0100

On Friday 17 February 2006 14:23, Ansgar -59cobalt- Wiechers wrote:

> is in German, but maybe an online translator will help). The OBSOC
> (Online Business Solution Operation Center) system of the Deutsche
> Telekom AG did not do proper authentication, so by manipulating the URL
> you could access other customers' data. How would you detect such a
> vulnerability without actually hacking the system? Is one supposed to
> not notice these things? Will that really make them go away?

This indeed is a great example. It's got the whole story right - you know
there's this company with this on-line content, and you have a hunch
there's something broken. You don't know what it is, so you have to punch
a hole in their system to see for yourself. There's just no other way to
do it.

What would you do?

a) talk to them?
They don't know if they have a security problem or not. But, they'd rather 
not know about it. Company reasoning goes this way: there's someone who 
thinks he has found a security hole in our software, and he's asking us to 
permit him to do security audit; well, we do not know him, and we do not 
know if we have a hole in the first place... so, best solution is to deny 
security audit and pretend there's no hole. That way we can save money and 
avoid risking our brand, and after all, we do have some IT experts of our 
own, and they say everything is Ok.

b) not talk to them?
In that case yes, you might find a flaw. You might go to jail as well,
because of the same company reasoning: there's this evil hacker who broke
into our system. Who knows what he has done; he is an evil hacker, and
evil hackers do many evil things we could not possibly know about, so our
system is completely compromised, and we have huge losses. Yes, he told us
about that security hole, but this is probably just to blackmail us later
with more and more security holes, some of them could even be planted by
this evil hacker. Our customers will lose confidence in our services, and
this is bad, very bad for our business. So, let's call the police and put this
evil creature behind bars for good.

c) leave it as it is
If you do not touch it, you're saving yourself from a lot of trouble. Surely,
the problem will stay, but it's not you who's going to have pants on fire.

IMHO, the best approach would be to do (a) in a very polite manner, and if
they refuse, simply switch to (c). That's reasonable. After all, their
system is their property, as are all the security holes. And, we shouldn't
get emotional about other people's security problems. You're never going
to be a great brain surgeon if you cry over someone's open skull while
operating on a brain tumour.


-- 
Radoslav Dejanović
Operacijski sustavi d.o.o.
http://www.opsus.hr