Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Bank Exploit

from [Frary, Brock] Network Security [Permanent Link]
Subject: RE: Bank Exploit
Date: Fri, 27 Jul 2007 13:55:01 -0400 
"In our case - who is our CDC?"

Both CERT and InfraGard come to mind.  CERT for the vulnerability and
InfraGard (it is the FBI after all) to get the word out.

CERT - http://www.cert.org/vuls/
InfraGard - http://www.infragard.net/index.htm and tips:
https://tips.fbi.gov/

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Jax Lion
Sent: Friday, July 27, 2007 8:56 AM
To: Bob Radvanovsky
Cc: Scott Race; Warren V Camp; Jason Thompson; securityz@delahunty.com;
security-basics@securityfocus.com
Subject: Re: Bank Exploit

In the case of doctors, if the disease is the deadly and communicable
one - they should follow up with the CDC who would then follow up and
find all who are infected or at least interacted with that individual
and possibly quarantine and contain.  Remember the TB patient who was
prevented from flying back to the US?

In our case - who is our CDC?

--------
On 7/26/07, Bob Radvanovsky <rsradvan@unixworks.net> wrote:

Ahhhh....but therein lies one of the biggest and most debated

issues/problems -- when (as a security professional) should I 'do the
right thing'?


Some might argue, "OK, you're receiving a paycheck from your client.

Do they want the world to know that they have a vulnerability?"  If ABC
is your client, and you've signed an NDA, legally, you can't approach
EFG, perhaps even if you wanted to.  Ethically, you are 'honor bound' to
divulge to EFG; civilally, you may be 'legally bound' to ABC.


One (possible) way out of this mess might be to:

(1) Have ABC acknowledge that EFG has vulnerabilities.
(2) Have ABC acknowledge that you, as a security professional, are NOT

legally bound to divulging into to EFG.

(3) That you will not be prosecuted, either civil or criminally.
(4) Have an ABC officer sign-off on the document.

The problem stems from what happens if ABC *refuses* to oblige in 
signing said document.  If there are criminal ramifications, do you 
notify the FBI or DOJ?  Legally, ABC could come after *YOU* 
afterwards.  So could the federal government.  In some circumstances, 
if you were simply hired to perform "X" function for ABC and found "X"



for ABC and "Y" for EFG, reveal only what you were requested to 
perform.  If you have significant amounts of data on EFG's 
vulnerabilities, it may be simply be better to destroy the findings.  
Again, you were requested ONLY to perform "X" for ABC.  You weren't 
requested to perform "Y" for EFG.  ;)

As a professional, you need to abide by what other professionals do.

Would your doctor do the same if he conducted a test and found out that
you and your wife (or girlfriend) had the same (or similar) disease (if
communicable)?  The fact is, the doctor is honor-bound up to a point;
same goes with legal notification.  A doctor, depending on the
circumstances may -- or may not -- notify your spouse or girlfriend of
the disease.  Legally, they may or may not have to -- again, depending
on the circumstances.  The same may hold true here.


-rad

----- Original Message -----
From: Jax Lion [mailto:jv4l1n4@gmail.com]
To: Scott Race [mailto:srace@jdaarch.com]
Cc: Warren V Camp [mailto:wcamp@cox.net], Jason Thompson 
[mailto:securitux@gmail.com], securityz@delahunty.com, 
security-basics@securityfocus.com
Subject: Re: Bank Exploit



In a scenario where you have been hired to test company ABC, in the 
process you discovered that there is vulnerability in company EFG.

You inform company ABC of your findings, but should you inform 
company EFG what you have discovered?

If company EFG is a client of company ABC, company ABC might* choose



not to divulge the finding to company EFG due to reasons of their

own.


As a security professional, do you have an obligation to inform 
company EFG of the finding, even though you were not hired to test?



----

On 7/26/07, Scott Race <srace@jdaarch.com> wrote:


Obviously there are many ways to look at this one.

The bottom line is you have discovered a security hole that the 
bank

should

be aware of.  Your letting the bank know will benefit them, but at



cost

for

your services. Will they think you are looking out for them, or 
will they think you are just trying to justify a job?

It's all about communicating your INTENTION (as with everything in



life

for

that matter).

Approaching it like "I have hacked you, now pay me to fix it" is 
like ransom.

If your intention is to help them, you need to clearly communicate



that to them, with the risk that they don't understand, in which 
case you need to

be

ready to seriously explain in way they understand (we don't know 
your

boss,

so only you know the way to communicate this).

As with all jobs, it comes down to communication.  I've always 
felt a good IT professional needs to cultivate both techincal 
skills AND people

skills.


So, it's up to you. Can you communicate in a way they can 
understand and TRUST?  If so, go for it.  If you are not confident



then I would not

suggest

you hold off.

________________________________
From: listbounce@securityfocus.com on behalf of Warren V Camp
Sent: Wed 7/25/2007 2:32 PM
To: Jason Thompson; Jax Lion
Cc: securityz@delahunty.com;
security-basics@securityfocus.com
Subject: Re: Bank Exploit




This does not sound good. On the surface it appears that a "good" 
hacker wants to tell the bank that he/she has see evidence of 
"bad" hackers on their system and that the "good" hacker wants to 
sell consulting services

to

the bank.   The "good" hacker could be in just as much trouble as

the

"bad"

hackers.


---- Jax Lion <jv4l1n4@gmail.com> wrote:

So Jason - what happened to your collegue?

IMHO - I don't think option 2 is a good idea.  Questions will 
come up such as - how did you discover the vulnerability in the

first place.

What were you doing... and it all goes downhill from there.

I don't agree with keeping quiet either...

Is there a medium where we can report the "accidental

discoveries"

without risk of prosecution?  Like a hot tip line with the FBI 
or something.


On 7/25/07, Jason Thompson <securitux@gmail.com> wrote:

Risky... is this person a security professional?

This has happened to one of my colleagues before as well. 
There are two solutions that are possible:

1) Do not reveal this or tell anyone about it. Leave it be. As



there is this heightened sense of urgency among banks to 
thwart potential attackers the person could be in trouble with



the bank for simply discovering the issue. It really all 
depends on the person he or she deals with there. Not saying 
it would hold up in court, it likely wouldn't, but anyone who 
has the ability to find exploits is generally regarded in a

dim light by those who are uneducated on the subject.


2) Notify the bank's incident response team / security staff, 
OFFER a non-disclosure agreement to them saying that you will 
not disclose this to anyone regardless of what actions the 
bank decides to take on their vulnerability, and state that 
this was discovered by accident and that he or she simply 
wants to notify them about the issue and IS NOT seeking ANY 
SORT of compensation. If they are notified and it follows with



the statement 'I would be willing to help consult you on the 
solution for a small compensation' it instantly becomes

extortion and this person will likely be thrown in jail.


I am not a lawyer by any means, I am simply speaking from past



experiences and what I have seen happen to those who did 
things the right way and the wrong way.

Solution 2 is a lot easier if your friend's client works in 
information security and holds federal clearances and security



designations. Real ones, not Cisco or something :)

-J

On 25 Jul 2007 13:34:29 -0000, securityz@delahunty.com 
<securityz@delahunty.com> wrote:

Friend of mine (not me, really) is working with a client of 
his who

claims to have inadvertently discovered a few web exploits of 
several financial institutions.  Does anyone have any insights as 
to how this guy could bring these to the attention of the 
organizations involved without being seen as a hacker?  His 
minimal goal is to help the institutions, optimally he would like

to consult to help them rectify the issues.



thx

Steve





--
Warren V. Camp, CPA, CISA, CDP









This e-mail transmission contains information that is confidential and may be 
privileged.   It is intended only for the addressee(s) named above. If you 
receive this e-mail in error, please do not read, copy or disseminate it in any 
manner. If you are not the intended recipient, any disclosure, copying, 
distribution or use of the contents of this information is prohibited. Please 
reply to the message immediately by informing the sender that the message was 
misdirected. After replying, please erase it from your computer system. Your 
assistance in correcting this error is appreciated.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  R: All-in-one Spam/Virus Solution, carverrace
Next by Date:  Re: Starting a New Security Department/Division, krymson
Previous by Thread:  Re: Bank Exploit, Jax Lion
Next by Thread:  Re: Bank Exploit, Jason Thompson
Indexes:  [Date] [Thread] [Top] [All Lists]