RE: Bank Exploit
- From: "Burns, Doug" <burns_doug@xxxxxxx>
- Date: Thu, 26 Jul 2007 08:29:37 -0400
Unless you opt to keep completely quiet, my next step would be to hire
a knowledgeable attorney.
Doug
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Chris Halverson
Sent: Wednesday, July 25, 2007 5:34 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Bank Exploit
Sign up an email account as one of your not so close "friends" and send
the email on their behalf. :)
You could do so through a 3rd party, reputable security vendor such as
sophos or similar. They might help with the information disclosure.
CH
On 7/25/07, Jax Lion <jv4l1n4@xxxxxxxxx> wrote:
So Jason - what happened to your collegue?
IMHO - I don't think option 2 is a good idea. Questions will come up
such as - how did you discover the vulnerability in the first place.
What were you doing... and it all goes downhill from there.
I don't agree with keeping quiet either...
Is there a medium where we can report the "accidental discoveries"
without risk of prosecution? Like a hot tip line with the FBI or
something.
On 7/25/07, Jason Thompson <securitux@xxxxxxxxx> wrote:
Risky... is this person a security professional?
This has happened to one of my colleagues before as well. There are
two solutions that are possible:
1) Do not reveal this or tell anyone about it. Leave it be. As there
is this heightened sense of urgency among banks to thwart potential
attackers the person could be in trouble with the bank for simply
discovering the issue. It really all depends on the person he or she
subject.deals with there. Not saying it would hold up in court, it likely
wouldn't, but anyone who has the ability to find exploits is
generally regarded in a dim light by those who are uneducated on the
2) Notify the bank's incident response team / security staff, OFFER
a non-disclosure agreement to them saying that you will not disclose
jail.this to anyone regardless of what actions the bank decides to take
on their vulnerability, and state that this was discovered by
accident and that he or she simply wants to notify them about the
issue and IS NOT seeking ANY SORT of compensation. If they are
notified and it follows with the statement 'I would be willing to
help consult you on the solution for a small compensation' it
instantly becomes extortion and this person will likely be thrown in
who claims to have inadvertently discovered a few web exploits of
I am not a lawyer by any means, I am simply speaking from past
experiences and what I have seen happen to those who did things the
right way and the wrong way.
Solution 2 is a lot easier if your friend's client works in
information security and holds federal clearances and security
designations. Real ones, not Cisco or something :)
-J
On 25 Jul 2007 13:34:29 -0000, securityz@xxxxxxxxxxxxx
<securityz@xxxxxxxxxxxxx> wrote:
Friend of mine (not me, really) is working with a client of his
several financial institutions. Does anyone have any insights as to how
this guy could bring these to the attention of the organizations
involved without being seen as a hacker? His minimal goal is to help
the institutions, optimally he would like to consult to help them
rectify the issues.
thx
Steve
- References:
- Re: Bank Exploit
- From: Chris Halverson
- Re: Bank Exploit
- Prev by Date: Re: All-in-one Spam/Virus Solution
- Next by Date: R: All-in-one Spam/Virus Solution
- Previous by thread: Re: Bank Exploit
- Next by thread: Re: Bank Exploit
- Index(es):
Relevant Pages
|
