Re: how to alert company of security hole

From: Bob Radvanovsky (rsradvan@unixworks.net)
Date: Thu Mar 18 2004 - 15:44:36 EST


In-Reply-To: <Law10-F14UIxVM07xQA0003460f@hotmail.com>

See comments below.

----- Original Message -----
From: "Serg B." <sbonlinux@hotmail.com>
To: <pen-test@securityfocus.com>
Cc: <sbonlinux@hotmail.com>
Sent: Thursday, March 18, 2004 11:23 AM
Subject: how to alert company of security hole


> Hi All,
> Not sure if this question belongs here or not, but ...
> I am curious about an approach one would take in alerting a company that
> their web site/e-shop has multiple vulnerabilities. In other words should
> the individual who discovered the holes contact the parties involved
> directly or anonymously in fear of law suit?

Depending upon where (as in which country) you are located, this response may be different. Within the United States, the 'Corporate America' environment's attitude is 'hear no evil, see no evil, speak no evil', usually avoiding any (or all) responsibilities associated with the vulnerability. Remember: security is a matter of perception -- if a corporation does not perceive their vulnerability (though it is reported through proper exploitation communication channels from respectable security-related entities) as a "threat", it simply is not acknowledged as such. Many large corporations see the reporting, specifically, some 'insect' (not that I am calling you that, however, as an individual, we are often ignored by large corporate entities) reporting to them of their vulnerabilities, as posing more of a risk to their stock price because it was reported to them and/or news of risk associated with that vulnerability was leaked to the news media. Most corporations will (more often) respond with a lawsuit and/or 'cease and desist' letter, stating the penalties of informing them of such.

For the corporate entity that I work with, they are bound by federal government regulations (without going into further specifics), yet, they do NOT have: (1) any security group or entity representing the corporation; (2) a point-of-contact, except the executive compliance officer, who is an "attorney", NOT a "security officer"; (3) been stated by the CIO that he does not perceive the environment as having any threats whatsoever (classic case whereby the CIO sees only from the "outside->in", in that the perimeter defenses are decently strong, but interior defenses are nonexistent), and risks paying for attorney fees rather than spending the money on a security group or taskforce (another classic case whereby the CIO wants to see tangible results from security implementations, rather than be reactive to the situation - obviously, the CIO is unaware of the ramifications that may surmount if there is a 'situation'; nonetheless, the CIO does not appear to care at the present time, which, through observation of many large corporate environments [including this one], is very typical for today); and (4) perform a "securification task" of simply restoring the data on the compromised servers, rather than (actually) fixing the problem.

By you demonstrating to a large corporate entity that you have accessibility to their environment, either external and/or internal, and depending upon the level of severity, the amount of exposure, and the amount of information that may have been leaked as a result of the communication, it will be determined whether you are greeted with a warm and friendly telephone call, or pursued by a group of ravenous corporate attorneys.

> Also, would one be swimming in murky waters if they were looking at some
> reward for the discovery ...

Ever heard of the word "extortion"?

My advice to you, from both recent and past occurrences that have resulted in individuals reporting risks or vulnerabilities to large corporate entities, is: "DO NOT DO IT". 'Corporate America' wants to find the risks on their own terms, in their own time, however they see fit. By you stating that risk to them, you are waving a 'red flag in front of a bull' -- sooner or later, you're going to get the horns!

If you value your freedom, and enjoy the privileges of not living in very confined living quarters, "don't tell them". Sooner or later, the corporation in question will get hacked and exploited, either much to your satisfaction or dismay.

Some would argue that corporations need to be hacked, anonymously, and in significant numbers, before they'll finally do something about it, and are willing to spend the money towards some form of "securification" process. If you are a member of such a group, it would be foolish to brag or discuss your efforts or endeavors outside of your trusted, covert communication channels. If you aren't, do NOT consider joining one solely for the purpose of performing 'cyber-vigilism', even if to make your point known.

In other words (and contrary to the Nike commercials), "*Don't* do it!"

Cheers.

Bob Radvanovsky [/unixworks]
rsradvan(at)unixworks(dot)net
"knowledge squared is information shared."




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT