Re: [Full-disclosure] To disclose or not to disclose



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Simon,
If the issue really involves critical infrastructure you can expect (to
an extent) many government and quasi-government organizations to step in
and pressure the vendor to fix the issue before you go public. A
real-world example: at a recent conference, I was talking to a security
executive of a rather large utility and the recently disclosed Citec
issue came up. He mentioned that he was at a certain government
organization's lab while they were assessing the issue based on the
information they received from CORE. If you read CORE's disclosure
timeline, the real fire hadn't been lit until this organization, along
with some others, stepped in and really got under the vendor's skin. He
also mentioned how clueless Citec's initial response was, but that's
another story. Given the general awareness of these organizations of the
fact that critical infrastructure vulnerabilities = potentially major
problems, I think setting a deadline (which will probably be extended at
the behest of these organizations) for the vendor is not a bad idea, and
the chances of the issue getting fixed before you spill the beans are
pretty high. You can't forget the "somewhat" obvious as well: if you
found it, someone else can find it too. As far as the vendor is
concerned, well, we all know what happened to a certain electronic
voting machine vendor... Look, I'm no expert, this is just my .02...

elazar

On Sun, 28 Sep 2008 03:01:08 +0000 Simon Smith <simon@xxxxxxxxxxx> wrote:
Elazar,
I suppose that could be a good action, but doing that would potentially
put the security company's customer at risk. Granted, in the argument
they were already notified of the risk. So the question is, is that the
ethical choice? Is that a good business choice?


Elazar Broad wrote:
I would opt for #1; additionally, contacting CERT and other
quasi-government security organizations would be a plus, they might have
better luck lighting a fire under the theoretical vendor's ass...

elazar

On Sat, 27 Sep 2008 03:39:34 +0000 Simon Smith <simon@xxxxxxxxxxx> wrote:
Greetings,
I have a theoretical question of ethics for other security professionals
that participate in this list. This is not an actual situation, but it is
a potentially realistic situation that I'm interested in exploring and
finding an acceptable solution to.

Suppose a penetration testing company delivers a service to a customer.
That customer uses a technology that was created by a third party to host
a critical component of their infrastructure. The penetration testing
company identifies several critical flaws in the technology and notifies
the customer, and the vendor.

One year passes and the vendor has done nothing to fix the issue. The
customer is still vulnerable and they have done nothing to change their
level of risk and exposure. In fact, let's say that the vendor flat out
refuses to do anything about the issue even though they have been
notified of the problem. Let's also assume that this issue affects
thousands of customers in the financial and medical industry and puts
them at dire risk.

What should the security company do?

1-) Create a formal advisory, contact the vendor and notify them of the
intent to release the advisory in a period of "n" days? If the vendor
refuses to fix the issue does the security company still release the
advisory in "n" days? Is that protecting the customer or putting the
customer at risk? Or does it even change the risk level as their risk
still exists.

2-) Does the security company collect a list of users of the technology
and notify those users one by one? The process might be very time
consuming but by doing that the security company might not increase the
risk faced by the users of the technology, will they?

3-) Does the security company release a low level advisory that notifies
users of the technology to contact the vendor in order to gain access to
the technical details about the issue?

4-) Does the security company do something else? If so, what is the
appropriate course of action?

5-) Does the security company do nothing?

I'm very interested to hear what people think the "responsible" action
would be here. It appears that this is a challenge that will at some
level create risk for the customer. Is it impossible to do this without
creating an unacceptable level of risk?

Looking forward to real responses (and troll responses too... especially
n3td3v).

--

- simon

----------------------
http://www.snosoft.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--

- simon

----------------------
http://www.snosoft.com
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAkjfxMEACgkQi04xwClgpZjClAP/frm/enc7E52FjvW7QWhEbtZCJ8Kr
/PM1o20qCZV9RdwP8IJhfbg3aF4ko3VrJcsFTuHSp5w5Pi4O/k6l3Vggak3cRlejN26q
9nIjHl8C0V4KaismHL5cXS7OZKyDFI9uMnw/Mpmao5bF7+jxdo1qK6nnrBawojtRwifg
tjJTQic=
=OqUn
-----END PGP SIGNATURE-----




