Re: Bank Exploit

[gjgowey () tmo blackberry net]

My thoughts are that it would be hard to prove breach of contract if the data provided was totally unrelated to the 
company that you were contracted by and you never mention their name nor hinted at who they were.  I'm sort of in a 
similar situation where I was the senior software engineer of an audit team and had to examine the source code of a 
product.  The audit was asked for by two different companies due to the financial investment they were going to make in 
the company providing the product.  

Now I provide on my resume the name of the company that I auditted, but I list the investing companies as 'unlisted 
companies due to confidentiality'.  So long as I don't disclose my findings or otherwise influence opinions of the 
named company (such as by mentioning on whose behalf the audit was requested by) none of the parties to the audit can 
cite disclosure of confidential information or that I altered the financial viability of any of the companies.

Imho, data gathered not explicitly restricted by NDA nor able to affect the parties involved in the contract in any 
way, shape, or form can not be laid claim to by the parties (not that if they see a potential monetary gain from that 
data that they will try to anyway under possible threat of legal action).  If you want to protect yourself further do 
not bill the client during the time which the data of concern was found to completely insulate yourself from them 
saying something like "but we paid for that data."
 
Geoff


Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Jax Lion" <jv4l1n4 () gmail com>

Date: Thu, 26 Jul 2007 09:38:14 
To:security-basics () securityfocus com
Cc:"Warren V Camp" <wcamp () cox net>,"Jason Thompson" <securitux () gmail com>, securityz () delahunty com,"Scott 
Race" <srace () jdaarch com>
Subject: Re: Bank Exploit


P.S.

As in any standard test engagement - results are confidential (signed
in contracts), so by informing company EFG - did you break the
confidentiality and contract with ABC?


On 7/26/07, Jax Lion <jv4l1n4 () gmail com> wrote:
> In a scenario where you have been hired to test company ABC, in the
> process you discovered that there is vulnerability in company EFG.
>
> You inform company ABC of your findings, but should you inform company
> EFG what you have discovered?
>
> If company EFG is a client of company ABC, company ABC might* choose
> not to divulge the finding to company EFG due to reasons of their own.
>
> As a security professional, do you have an obligation to inform
> company EFG of the finding, even though you were not hired to test?
>
>
>
> ----
>
> On 7/26/07, Scott Race <srace () jdaarch com> wrote:
> > Obviously there are many ways to look at this one.
> >
> > The bottom line is you have discovered a security hole that the bank should
> > be aware of.  Your letting the bank know will benefit them, but at cost for
> > your services. Will they think you are looking out for them, or will they
> > think you are just trying to justify a job?
> >
> > It's all about communicating your INTENTION (as with everything in life for
> > that matter).
> >
> > Approaching it like "I have hacked you, now pay me to fix it" is like
> > ransom.
> >
> > If your intention is to help them, you need to clearly communicate that to
> > them, with the risk that they don't understand, in which case you need to be
> > ready to seriously explain in way they understand (we don't know your boss,
> > so only you know the way to communicate this).
> >
> > As with all jobs, it comes down to communication.  I've always felt a good
> > IT professional needs to cultivate both techincal skills AND people skills.
> >
> > So, it's up to you. Can you communicate in a way they can understand and
> > TRUST?  If so, go for it.  If you are not confident then I would not suggest
> > you hold off.
> >
> > ________________________________
> > From: listbounce () securityfocus com on behalf of Warren V Camp
> > Sent: Wed 7/25/2007 2:32 PM
> > To: Jason Thompson; Jax Lion
> > Cc: securityz () delahunty com;
> > security-basics () securityfocus com
> > Subject: Re: Bank Exploit
> >
> >
> >
> >
> > This does not sound good. On the surface it appears that a "good" hacker
> > wants to tell the bank that he/she has see evidence of "bad" hackers on
> > their system and that the "good" hacker wants to sell consulting services to
> > the bank.   The "good" hacker could be in just as much trouble as the "bad"
> > hackers.
> >
> >
> > ---- Jax Lion <jv4l1n4 () gmail com> wrote:
> > > So Jason - what happened to your collegue?
> > >
> > > IMHO - I don't think option 2 is a good idea.  Questions will come up
> > > such as - how did you discover the vulnerability in the first place.
> > > What were you doing... and it all goes downhill from there.
> > >
> > > I don't agree with keeping quiet either...
> > >
> > > Is there a medium where we can report the "accidental discoveries"
> > > without risk of prosecution?  Like a hot tip line with the FBI or
> > > something.
> > >
> > >
> > > On 7/25/07, Jason Thompson <securitux () gmail com> wrote:
> > > > Risky... is this person a security professional?
> > > >
> > > > This has happened to one of my colleagues before as well. There are
> > > > two solutions that are possible:
> > > >
> > > > 1) Do not reveal this or tell anyone about it. Leave it be. As there
> > > > is this heightened sense of urgency among banks to thwart potential
> > > > attackers the person could be in trouble with the bank for simply
> > > > discovering the issue. It really all depends on the person he or she
> > > > deals with there. Not saying it would hold up in court, it likely
> > > > wouldn't, but anyone who has the ability to find exploits is generally
> > > > regarded in a dim light by those who are uneducated on the subject.
> > > >
> > > > 2) Notify the bank's incident response team / security staff, OFFER a
> > > > non-disclosure agreement to them saying that you will not disclose
> > > > this to anyone regardless of what actions the bank decides to take on
> > > > their vulnerability, and state that this was discovered by accident
> > > > and that he or she simply wants to notify them about the issue and IS
> > > > NOT seeking ANY SORT of compensation. If they are notified and it
> > > > follows with the statement 'I would be willing to help consult you on
> > > > the solution for a small compensation' it instantly becomes extortion
> > > > and this person will likely be thrown in jail.
> > > >
> > > > I am not a lawyer by any means, I am simply speaking from past
> > > > experiences and what I have seen happen to those who did things the
> > > > right way and the wrong way.
> > > >
> > > > Solution 2 is a lot easier if your friend's client works in
> > > > information security and holds federal clearances and security
> > > > designations. Real ones, not Cisco or something :)
> > > >
> > > > -J
> > > >
> > > > On 25 Jul 2007 13:34:29 -0000, securityz () delahunty com
> > > > <securityz () delahunty com> wrote:
> > > > > Friend of mine (not me, really) is working with a client of his who
> > claims to have inadvertently discovered a few web exploits of several
> > financial institutions.  Does anyone have any insights as to how this guy
> > could bring these to the attention of the organizations involved without
> > being seen as a hacker?  His minimal goal is to help the institutions,
> > optimally he would like to consult to help them rectify the issues.
> > > > > thx
> > > > >
> > > > > Steve
> >
> > --
> > Warren V. Camp, CPA, CISA, CDP