On Friday 17 February 2006 14:23, Ansgar -59cobalt- Wiechers wrote:
is in german, but maybe an online translator will help). The OBSOC
(Online Business Solution Operation Center) system of the Deutsche
Telekom AG did not do proper authentication, so by manipulating the URL
you could access other customers' data. How would you detect such a
vulnerability without actually hacking the system? Is one supposed to
not notice these things? Will that really make them go away?
This indeed is a great example. It's got the whole story right - you know
there's this company with this on-line content, and you have a hunch
there's something broken. You don't know what is it, so you have to punch
a hole in their system to see for yourself. There's just no other way to
do it.
What would you do?
a) talk to them?
They don't know if they have a security problem or not. But, they'd rather
not know about it. Company reasoning goes this way: there's someone who
thinks he has found a security hole in our software, and he's asking us to
permit him to do security audit; well, we do not know him, and we do not
know if we have a hole in the first place... so, best solution is to deny
security audit and pretend there's no hole. That way we can save money and
avoid risking our brand, and after all, we do have some IT experts of our
own, and they say everything is Ok.
b) not talk to them?
In that case yes, you might find a flaw. You might go to jail as well,
because of the same company reasoning: there's this evil hacker who broke
into our system. Who knows what he has done, it is an evil hacker, and
evil hackers do many evil things we could not possibly know about, so our
system is completely compromised, and we have huge losses. Yes, he told us
about that security hole, but this is probably just to blackmail us later
with more and more security holes, some of them could even be planted by
this evil hacker. Our customers will loose confidence in our services, and
this is bad, very bad for our business. So, let's call police and put this
evil creature behind the bars for good.
c) leave it as it is
If you do not touch, you're saving yourself from a lot of trouble. Surely,
the problem will stay, but it's not you who's going to have pants on fire.
IMHO, the best approach would be to do (a) in a very polite manner, and if
they refuse, simply switch to (c). That's reasonable. After all, their
system is their property, as are all the security holes. And, we shouldn't
get emotional about other people's security problems. You're never going
to be a great brain surgeon if you cry over someone's open skull while
operating a brain tumour.
--
Radoslav Dejanović
Operacijski sustavi d.o.o.
http://www.opsus.hr
