Re: Bank Exploit

["Jason Thompson" <securitux () gmail com>]

Yes, you are absolutely right, option 2 is risky. We are an infosec
organization exclusively which carried some weight with them. We
weren't just someone who found an issue and reported it which is why I
asked if this person was an infosec professional. For the incident we
reported this to the company and they were appreciative of it. They
weren't a bank, but they were sizable and the nature of the issue
could have caused them to go out of business  if it had been
exploited. I know little more than that as I did not feel I had a need
to know.

An anonymous tip line would be good in this case... I too wonder if
there is such a thing. It really is in the businesses best interest...
If the bank has an incident response plan most IR teams have the
ability for an employee to report an incident anonymously... I wonder
if the same logic could be used for a non-employee...

-J

On 7/25/07, Jax Lion <jv4l1n4 () gmail com> wrote:
> So Jason - what happened to your collegue?
>
> IMHO - I don't think option 2 is a good idea.  Questions will come up
> such as - how did you discover the vulnerability in the first place.
> What were you doing... and it all goes downhill from there.
>
> I don't agree with keeping quiet either...
>
> Is there a medium where we can report the "accidental discoveries"
> without risk of prosecution?  Like a hot tip line with the FBI or
> something.
>
>
> On 7/25/07, Jason Thompson <securitux () gmail com> wrote:
> > Risky... is this person a security professional?
> >
> > This has happened to one of my colleagues before as well. There are
> > two solutions that are possible:
> >
> > 1) Do not reveal this or tell anyone about it. Leave it be. As there
> > is this heightened sense of urgency among banks to thwart potential
> > attackers the person could be in trouble with the bank for simply
> > discovering the issue. It really all depends on the person he or she
> > deals with there. Not saying it would hold up in court, it likely
> > wouldn't, but anyone who has the ability to find exploits is generally
> > regarded in a dim light by those who are uneducated on the subject.
> >
> > 2) Notify the bank's incident response team / security staff, OFFER a
> > non-disclosure agreement to them saying that you will not disclose
> > this to anyone regardless of what actions the bank decides to take on
> > their vulnerability, and state that this was discovered by accident
> > and that he or she simply wants to notify them about the issue and IS
> > NOT seeking ANY SORT of compensation. If they are notified and it
> > follows with the statement 'I would be willing to help consult you on
> > the solution for a small compensation' it instantly becomes extortion
> > and this person will likely be thrown in jail.
> >
> > I am not a lawyer by any means, I am simply speaking from past
> > experiences and what I have seen happen to those who did things the
> > right way and the wrong way.
> >
> > Solution 2 is a lot easier if your friend's client works in
> > information security and holds federal clearances and security
> > designations. Real ones, not Cisco or something :)
> >
> > -J
> >
> > On 25 Jul 2007 13:34:29 -0000, securityz () delahunty com
> > <securityz () delahunty com> wrote:
> > > Friend of mine (not me, really) is working with a client of his who claims to have inadvertently discovered a few 
> web exploits of several financial institutions.  Does anyone have any insights as to how this guy could bring these to the 
> attention of the organizations involved without being seen as a hacker?  His minimal goal is to help the institutions, 
> optimally he would like to consult to help them rectify the issues.
> > >
> > >
> > > thx
> > >
> > > Steve
> > >
> >