Re: Bank Exploit

Uh...OK. So, maybe the doctor analogy wasn't such a good idea. ;)

And 'yes', the security, homeland security and critical infrastructure protection industries are NOT regulated (and even if they are, it isn't as much as, say, the medical or financial industries). So, 'yes', we do have a bit of a dilemma.

BTW, there is a growing movement to regulate security professionals throughout the U.S. (and perhaps, the entire world). If that happens, you, as a security professional, will be required to be certified in your area of expertise, registered with your local state or province, and licensed with your federal or national government. It's only a matter of time... :((

-rad

----- Original Message -----
From: Jason Thompson [mailto:securitux@xxxxxxxxx]
To: Jax Lion [mailto:jv4l1n4@xxxxxxxxx]
Cc: Bob Radvanovsky [mailto:rsradvan@xxxxxxxxxxxxx], Scott Race [mailto:srace@xxxxxxxxxxx], Warren V Camp [mailto:wcamp@xxxxxxx], securityz@xxxxxxxxxxxxx, security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Bank Exploit


Not sure.. It would be good if there was such a thing, and the
community were able to offer assistance to businesses and institutions
which is in everyone's best interest. Unfortunately in our case the
doctor is usually accused of creating the disease just because he
found it.

-J

On 7/27/07, Jax Lion <jv4l1n4@xxxxxxxxx> wrote:
In the case of doctors, if the disease is the deadly and communicable
one - they should follow up with the CDC who would then follow up and
find all who are infected or at least interacted with that individual
and possibly quarantine and contain. Remember the TB patient who was
prevented from flying back to the US?

In our case - who is our CDC?

--------
On 7/26/07, Bob Radvanovsky <rsradvan@xxxxxxxxxxxxx> wrote:
Ahhhh....but therein lies one of the biggest and most debated
issues/problems -- when (as a security professional) should I 'do the right
thing'?

Some might argue, "OK, you're receiving a paycheck from your client. Do
they want the world to know that they have a vulnerability?" If ABC is your
client, and you've signed an NDA, legally, you can't approach EFG, perhaps
even if you wanted to. Ethically, you are 'honor bound' to divulge to EFG;
civilally, you may be 'legally bound' to ABC.

One (possible) way out of this mess might be to:

(1) Have ABC acknowledge that EFG has vulnerabilities.
(2) Have ABC acknowledge that you, as a security professional, are NOT
legally bound to divulging into to EFG.
(3) That you will not be prosecuted, either civil or criminally.
(4) Have an ABC officer sign-off on the document.

The problem stems from what happens if ABC *refuses* to oblige in
signing said document. If there are criminal ramifications, do you notify
the FBI or DOJ? Legally, ABC could come after *YOU* afterwards. So could
the federal government. In some circumstances, if you were simply hired to
perform "X" function for ABC and found "X" for ABC and "Y" for EFG, reveal
only what you were requested to perform. If you have significant amounts of
data on EFG's vulnerabilities, it may be simply be better to destroy the
findings. Again, you were requested ONLY to perform "X" for ABC. You
weren't requested to perform "Y" for EFG. ;)

As a professional, you need to abide by what other professionals do.
Would your doctor do the same if he conducted a test and found out that you
and your wife (or girlfriend) had the same (or similar) disease (if
communicable)? The fact is, the doctor is honor-bound up to a point; same
goes with legal notification. A doctor, depending on the circumstances may
-- or may not -- notify your spouse or girlfriend of the disease. Legally,
they may or may not have to -- again, depending on the circumstances. The
same may hold true here.

-rad

----- Original Message -----
From: Jax Lion [mailto:jv4l1n4@xxxxxxxxx]
To: Scott Race [mailto:srace@xxxxxxxxxxx]
Cc: Warren V Camp [mailto:wcamp@xxxxxxx], Jason Thompson
[mailto:securitux@xxxxxxxxx], securityz@xxxxxxxxxxxxx,
security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Bank Exploit


In a scenario where you have been hired to test company ABC, in the
process you discovered that there is vulnerability in company EFG.

You inform company ABC of your findings, but should you inform company
EFG what you have discovered?

If company EFG is a client of company ABC, company ABC might* choose
not to divulge the finding to company EFG due to reasons of their own.

As a security professional, do you have an obligation to inform
company EFG of the finding, even though you were not hired to test?



----

On 7/26/07, Scott Race <srace@xxxxxxxxxxx> wrote:

Obviously there are many ways to look at this one.

The bottom line is you have discovered a security hole that the bank
should
be aware of. Your letting the bank know will benefit them, but at
cost
for
your services. Will they think you are looking out for them, or will
they
think you are just trying to justify a job?

It's all about communicating your INTENTION (as with everything in
life
for
that matter).

Approaching it like "I have hacked you, now pay me to fix it" is
like
ransom.

If your intention is to help them, you need to clearly communicate
that to
them, with the risk that they don't understand, in which case you
need to
be
ready to seriously explain in way they understand (we don't know
your
boss,
so only you know the way to communicate this).

As with all jobs, it comes down to communication. I've always felt
a good
IT professional needs to cultivate both techincal skills AND people
skills.

So, it's up to you. Can you communicate in a way they can understand
and
TRUST? If so, go for it. If you are not confident then I would not
suggest
you hold off.

________________________________
From: listbounce@xxxxxxxxxxxxxxxxx on behalf of Warren V Camp
Sent: Wed 7/25/2007 2:32 PM
To: Jason Thompson; Jax Lion
Cc: securityz@xxxxxxxxxxxxx;
security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Bank Exploit




This does not sound good. On the surface it appears that a "good"
hacker
wants to tell the bank that he/she has see evidence of "bad" hackers
on
their system and that the "good" hacker wants to sell consulting
services
to
the bank. The "good" hacker could be in just as much trouble as
the
"bad"
hackers.


---- Jax Lion <jv4l1n4@xxxxxxxxx> wrote:
So Jason - what happened to your collegue?

IMHO - I don't think option 2 is a good idea. Questions will come
up
such as - how did you discover the vulnerability in the first
place.
What were you doing... and it all goes downhill from there.

I don't agree with keeping quiet either...

Is there a medium where we can report the "accidental discoveries"
without risk of prosecution? Like a hot tip line with the FBI or
something.


On 7/25/07, Jason Thompson <securitux@xxxxxxxxx> wrote:
Risky... is this person a security professional?

This has happened to one of my colleagues before as well. There
are
two solutions that are possible:

1) Do not reveal this or tell anyone about it. Leave it be. As
there
is this heightened sense of urgency among banks to thwart
potential
attackers the person could be in trouble with the bank for
simply
discovering the issue. It really all depends on the person he or
she
deals with there. Not saying it would hold up in court, it
likely
wouldn't, but anyone who has the ability to find exploits is
generally
regarded in a dim light by those who are uneducated on the
subject.

2) Notify the bank's incident response team / security staff,
OFFER a
non-disclosure agreement to them saying that you will not
disclose
this to anyone regardless of what actions the bank decides to
take on
their vulnerability, and state that this was discovered by
accident
and that he or she simply wants to notify them about the issue
and IS
NOT seeking ANY SORT of compensation. If they are notified and
it
follows with the statement 'I would be willing to help consult
you on
the solution for a small compensation' it instantly becomes
extortion
and this person will likely be thrown in jail.

I am not a lawyer by any means, I am simply speaking from past
experiences and what I have seen happen to those who did things
the
right way and the wrong way.

Solution 2 is a lot easier if your friend's client works in
information security and holds federal clearances and security
designations. Real ones, not Cisco or something :)

-J

On 25 Jul 2007 13:34:29 -0000, securityz@xxxxxxxxxxxxx
<securityz@xxxxxxxxxxxxx> wrote:
Friend of mine (not me, really) is working with a client of
his who
claims to have inadvertently discovered a few web exploits of
several
financial institutions. Does anyone have any insights as to how
this guy
could bring these to the attention of the organizations involved
without
being seen as a hacker? His minimal goal is to help the
institutions,
optimally he would like to consult to help them rectify the issues.


thx

Steve



--
Warren V. Camp, CPA, CISA, CDP








Relevant Pages

  • RE: Bank Exploit
    ... EFG, perhaps even if you wanted to. ... Have ABC acknowledge that EFG has vulnerabilities. ... process you discovered that there is vulnerability in company EFG. ...
    (Security-Basics)
  • Re: Bank Exploit
    ... Have ABC acknowledge that you, as a security professional, are NOT legally bound to divulging into to EFG. ... If company EFG is a client of company ABC, ...
    (Security-Basics)
  • Re: Bank Exploit
    ... Our CDC for banks? ... you are 'honor bound' to divulge to EFG; ... Have ABC acknowledge that EFG has vulnerabilities. ... If company EFG is a client of company ABC, ...
    (Security-Basics)
  • Re: Find and Replace against set of rules in 2nd column
    ... > For Each myCell In ValsToFixRng.Cells ... >>> 12xyz798 xyz ... >>> 12abc798 abc ... >>> 12efg798 efg ...
    (microsoft.public.excel)
  • Re: Find and Replace against set of rules in 2nd column
    ... I want to replace a special character "^" with the contents of Column ... >> 12xyz798 xyz ... >> 12abc798 abc ... >> 12efg798 efg ...
    (microsoft.public.excel)