Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Bank Exploit

from [Yves Bourdic] Network Security [Permanent Link]
Subject: Re: Bank Exploit
Date: Thu, 26 Jul 2007 07:35:02 -0400
My advice would be NOT to contact the financial institution as from there point of view they wont be willing to take any risk and they will overreact.
NOT to contact the authority unless a crime has been committed has there job starts only at that time and they wont address any other problem.
IMHO the only solution is to tell a security community such as a mailing list or SANS or whatever what the problem is a do it anonymously to avoid further troubles.
As a matter of fact it is the financial institutions responsibility to care about there own security so either they have implemented something so that you could push the information to them either they don't for business/marketing purpose and they should retrieve the information from a public area.
Trying to help the other when they don't want because it could trouble them for many reasons is never a good idea.
YB

On 25-Jul-07, at 6:21 PM, gjgowey@tmo.blackberry.net wrote:

Who needs to sign up? Just point your mail client at the smtp server in the banks Mx record and you can use bogus from: information. Granted you're exposing you IP address, but that's only meaningful if they decide to subponea your ISP which they could do to hotmail then your ISP anyway if they're that determined to find you.


Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Chris Halverson" <darus.integration@gmail.com>

Date: Wed, 25 Jul 2007 15:33:41
To:security-basics@securityfocus.com
Subject: Re: Bank Exploit


Sign up an email account as one of your not so close "friends" and
send the email on their behalf.  :)

You could do so through a 3rd party, reputable security vendor such as
sophos or similar.  They might help with the information disclosure.

CH


On 7/25/07, Jax Lion <jv4l1n4@gmail.com> wrote: 
So Jason - what happened to your collegue?

IMHO - I don't think option 2 is a good idea.  Questions will come up
such as - how did you discover the vulnerability in the first place.
What were you doing... and it all goes downhill from there.

I don't agree with keeping quiet either...

Is there a medium where we can report the "accidental discoveries"
without risk of prosecution?  Like a hot tip line with the FBI or
something.


On 7/25/07, Jason Thompson <securitux@gmail.com> wrote: 
Risky... is this person a security professional?

This has happened to one of my colleagues before as well. There are
two solutions that are possible:

1) Do not reveal this or tell anyone about it. Leave it be. As there
is this heightened sense of urgency among banks to thwart potential
attackers the person could be in trouble with the bank for simply
discovering the issue. It really all depends on the person he or she
deals with there. Not saying it would hold up in court, it likely
wouldn't, but anyone who has the ability to find exploits is generally
regarded in a dim light by those who are uneducated on the subject.

2) Notify the bank's incident response team / security staff, OFFER a
non-disclosure agreement to them saying that you will not disclose
this to anyone regardless of what actions the bank decides to take on
their vulnerability, and state that this was discovered by accident
and that he or she simply wants to notify them about the issue and IS
NOT seeking ANY SORT of compensation. If they are notified and it
follows with the statement 'I would be willing to help consult you on
the solution for a small compensation' it instantly becomes extortion
and this person will likely be thrown in jail.

I am not a lawyer by any means, I am simply speaking from past
experiences and what I have seen happen to those who did things the
right way and the wrong way.

Solution 2 is a lot easier if your friend's client works in
information security and holds federal clearances and security
designations. Real ones, not Cisco or something :)

-J

On 25 Jul 2007 13:34:29 -0000, securityz@delahunty.com
<securityz@delahunty.com> wrote:
Friend of mine (not me, really) is working with a client of his who claims to have inadvertently discovered a few web exploits of several financial institutions. Does anyone have any insights as to how this guy could bring these to the attention of the organizations involved without being seen as a hacker? His minimal goal is to help the institutions, optimally he would like to consult to help them rectify the issues.


thx

Steve




[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Bank Exploit, Murda Mcloud
Next by Date:  RE: Administrators & Power Users, Tinu Koshy (CISD)
Previous by Thread:  Re: Bank Exploit, gjgowey
Next by Thread:  Re: Bank Exploit, Ivan .
Indexes:  [Date] [Thread] [Top] [All Lists]