Sorry Warren,
For the Email directed at you address.
-----Original Message-----
From: izak.integrative [mailto:izak.integrative@gmail.com]
Sent: Wednesday, July 25, 2007 11:58 PM
To: 'Warren V Camp'
Subject: RE: Bank Exploit
Guys,
I have been in the same position two years ago. We rolled up a porn network
which was exploited by open servers on the I-NET. This happened on the Dutch
Antilles and Netherlands. I hacked an IIS servers by "accident" en saw that
there were dropped on frequently basis child porn videos. I saw the hole and
contacted the ISP next day the law firm on which it was placed called the
police on me and wanted me in jail. Now I have tried to explain that I did
that to inform and not to damage. I left my IP and name on the logs there.
There was no way that they believed me. They wanted to arrest me but when
the dutch investigators came and I explained that I was able to reach files
from the outside on a server with file sharing etc, I was only warned. Still
the frustration is in me. To make a long story short I have been warning
these people for almost 4.5 years and I still don't know what it is but it
keeps going in the direction that I am the bad guy.
My advice is going to HQ of the Bank and tell them concerning the incident.
If they argue what your business is to try to scan and penetrate which
normally should be done with permission, one should say, in this time of
electronics I should be glad that people would tell me if I was vulnerable
without exploiting it. If you follow this procedure , there will not be a
court in the world that convict you. In law they have to make clear what
your intentions were and what kind of damage you have done. If this is
nothing and only advice with honoury intentions no worry you should be proud
on your self and F them. They still do not get the picture that a computer
is a weapon.
but please do not be afraid to tell them or if not do not speak of it again.
Let them bleed.
But never forget people fear not only what the do not know or understand but
the faulty actions in telling people that using banking applications is safe
is the most scariest thing for banks. They are like doctors never give in to
the fault.
If we keep on having this fear of sharing the knowledge we will have
problems coming.
Guys, I and not only I but also people who I referred to this community
learned so much about security that they appreciate when you call in. And I
am talking of a bank now and trust offices. So keep on the good work and
please do not come with the stories of I am afraid. We have a duty to call
in. Otherwise you have to use it ............ and choose a different colour
hat.
Thnx
Ice
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Warren V Camp
Sent: Wednesday, July 25, 2007 5:33 PM
To: Jason Thompson; Jax Lion
Cc: securityz@delahunty.com; security-basics@securityfocus.com
Subject: Re: Bank Exploit
This does not sound good. On the surface it appears that a "good" hacker
wants to tell the bank that he/she has see evidence of "bad" hackers on
their system and that the "good" hacker wants to sell consulting services to
the bank. The "good" hacker could be in just as much trouble as the "bad"
hackers.
---- Jax Lion <jv4l1n4@gmail.com> wrote:
So Jason - what happened to your collegue?
IMHO - I don't think option 2 is a good idea. Questions will come up
such as - how did you discover the vulnerability in the first place.
What were you doing... and it all goes downhill from there.
I don't agree with keeping quiet either...
Is there a medium where we can report the "accidental discoveries"
without risk of prosecution? Like a hot tip line with the FBI or
something.
On 7/25/07, Jason Thompson <securitux@gmail.com> wrote:
Risky... is this person a security professional?
This has happened to one of my colleagues before as well. There are
two solutions that are possible:
1) Do not reveal this or tell anyone about it. Leave it be. As there
is this heightened sense of urgency among banks to thwart potential
attackers the person could be in trouble with the bank for simply
discovering the issue. It really all depends on the person he or she
deals with there. Not saying it would hold up in court, it likely
wouldn't, but anyone who has the ability to find exploits is generally
regarded in a dim light by those who are uneducated on the subject.
2) Notify the bank's incident response team / security staff, OFFER a
non-disclosure agreement to them saying that you will not disclose
this to anyone regardless of what actions the bank decides to take on
their vulnerability, and state that this was discovered by accident
and that he or she simply wants to notify them about the issue and IS
NOT seeking ANY SORT of compensation. If they are notified and it
follows with the statement 'I would be willing to help consult you on
the solution for a small compensation' it instantly becomes extortion
and this person will likely be thrown in jail.
I am not a lawyer by any means, I am simply speaking from past
experiences and what I have seen happen to those who did things the
right way and the wrong way.
Solution 2 is a lot easier if your friend's client works in
information security and holds federal clearances and security
designations. Real ones, not Cisco or something :)
-J
On 25 Jul 2007 13:34:29 -0000, securityz@delahunty.com
<securityz@delahunty.com> wrote:
Friend of mine (not me, really) is working with a client of his who
claims to have inadvertently discovered a few web exploits of several
financial institutions. Does anyone have any insights as to how this guy
could bring these to the attention of the organizations involved without
being seen as a hacker? His minimal goal is to help the institutions,
optimally he would like to consult to help them rectify the issues.
thx
Steve
--
Warren V. Camp, CPA, CISA, CDP
