Security Basics mailing list archives

Re: Bank Exploit

From: "Jason Thompson" <securitux () gmail com>
Date: Wed, 25 Jul 2007 15:15:57 -0400

Risky... is this person a security professional?

This has happened to one of my colleagues before as well. There are
two solutions that are possible:

1) Do not reveal this or tell anyone about it. Leave it be. As there
is this heightened sense of urgency among banks to thwart potential
attackers the person could be in trouble with the bank for simply
discovering the issue. It really all depends on the person he or she
deals with there. Not saying it would hold up in court, it likely
wouldn't, but anyone who has the ability to find exploits is generally
regarded in a dim light by those who are uneducated on the subject.

2) Notify the bank's incident response team / security staff, OFFER a
non-disclosure agreement to them saying that you will not disclose
this to anyone regardless of what actions the bank decides to take on
their vulnerability, and state that this was discovered by accident
and that he or she simply wants to notify them about the issue and IS
NOT seeking ANY SORT of compensation. If they are notified and it
follows with the statement 'I would be willing to help consult you on
the solution for a small compensation' it instantly becomes extortion
and this person will likely be thrown in jail.

I am not a lawyer by any means, I am simply speaking from past
experiences and what I have seen happen to those who did things the
right way and the wrong way.

Solution 2 is a lot easier if your friend's client works in
information security and holds federal clearances and security
designations. Real ones, not Cisco or something :)

-J

On 25 Jul 2007 13:34:29 -0000, securityz () delahunty com
<securityz () delahunty com> wrote:

Friend of mine (not me, really) is working with a client of his who claims to have inadvertently discovered a few web 
exploits of several financial institutions.  Does anyone have any insights as to how this guy could bring these to the 
attention of the organizations involved without being seen as a hacker?  His minimal goal is to help the institutions, 
optimally he would like to consult to help them rectify the issues.


thx

Steve

Current thread:

Bank Exploit securityz (Jul 25)
- Re: Bank Exploit Jason Thompson (Jul 25)
  - Re: Bank Exploit Jax Lion (Jul 25)
    - Re: Bank Exploit Chris Halverson (Jul 25)
    - Re: Bank Exploit gjgowey (Jul 25)
    - Re: Bank Exploit Yves Bourdic (Jul 26)
    - Re: Bank Exploit Ivan . (Jul 26)
    - Re: Bank Exploit John Kennedy (Jul 27)
    - RE: Bank Exploit Burns, Doug (Jul 27)
    - Re: Bank Exploit Jason Thompson (Jul 26)
- RE: Bank Exploit Murda Mcloud (Jul 26)
- Re: Bank Exploit Adam Pal (Jul 27)

(Thread continues...)