funsec mailing list archives

Re: Speaking of ethics ...


From: <michael.blanchard () emc com>
Date: Fri, 5 Aug 2011 14:13:52 -0400

Interesting.... 
@virusbtn: Does the security industry need a voluntary code of ethics? 
http://bit.ly/rs6KzO

So let me paint a scenario:

Company ABC has machines that are compromised with malware that is being controlled by, and is sending confidential 
information up to, the C&C boxes that McAfee refers to in Shady RAT.  Let's say that ABC company got compromised in 
December last year.  They are also a customer of McAfee.  So, McAfee has been following this C&C network since 2009 and 
never told anyone until recently.  This March McAfee blocks their clients from being able to connect to this C&C 
network, and I assume this is when they tell the 72 companies that they're Pwned as well.
So, Company ABC has been leaking confidential information up to the C&C for 3 months; potentially hundreds of 
millions of dollars' worth of intellectual property has been leaked until McAfee says something to them in March.

Who is liable?  Is this a lawsuit waiting to happen, with McAfee being the defendant?  If a security research firm 
knows of a compromise and doesn't immediately notify, wouldn't that make them liable for any damages?  I'd say yes: if 
they don't notify the company within a reasonable amount of time, they should be held liable for any losses.  This has 
been going on for over 2 years if not longer....  Why weren't these 72 companies notified right away about what they 
found?

Just my 2 cents worth for now :-)

Michael P. Blanchard
Senior Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
Office of Information Security & Risk Management
EMC ² Corporation
32 Coslin Drive
Southboro, MA 01772


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Rob, grandpa of Ryan, Trevor, 
Devon & Hannah
Sent: Friday, August 05, 2011 2:48 PM
To: funsec () linuxbox org
Subject: [funsec] Speaking of ethics ...

@virusbtn: Does the security industry need a voluntary code of ethics? 
http://bit.ly/rs6KzO

@SecurityHumor: First: Do no Pwn (or FUD). 

http://twitter.com/#!/SecurityHumor/status/99454302174720000

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
There are no *printed* instructions, but I found a CD-ROM called
`How to Set Up Your Computer.'                         - Dan Piraro
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

