RE: Bank Exploit

[Bob Radvanovsky <rsradvan () unixworks net>]

However, you forgot to mention a few things about discussing vulnerabilities either at CERT or INFRAGARD (of which I am 
a participant to both):

(1)  Requires a background check before joining (looking to see if you've blown up any 83-story buildings recently).
(2)  Generally, there are a sufficient number of FBI agents for each participant attending.
(3)  Though not a 1:1 ratio, they make their presence known, and will try to co-mingle with everyone attending; ratio 
varies.
(4)  FBI agents will mingle with the INFRAGARD participants to discuss (or attempt to discuss) with you the topic that 
you're talking about.

Not to sound harsh, but FBI agents are only "intelligence gathers", usually taking in information, and never giving 
anything in return.  If you discuss something of national importance or significance in front of an FBI agent, don't be 
surprised if he/she shows an interest, but reveals very little about their intentions (why they want to know more, 
etc.).  Most times, they'll usually state that they're "curious" and are attempting to demonstrate some form of 
curiosity.

I am not saying that you shouldn't say anything in front of them, just realize that if you feel that you are talking 
about something of significance or national importance to, or in front of, a representative of the U.S. federal 
government, they might act on it.

-rad

P.S.  BTW, if I haven't indicated this thus far, INFRAGARD is a fantastic place to get involved with discussing this 
sort of thing...  ;))

----- Original Message -----
From: "Frary, Brock" [mailto:Brock.Frary () 53 com]
To: Jax Lion [mailto:jv4l1n4 () gmail com], Bob Radvanovsky [mailto:rsradvan () unixworks net]
Cc: Scott Race [mailto:srace () jdaarch com], Warren V Camp [mailto:wcamp () cox net], Jason Thompson [mailto:securitux 
() gmail com], securityz () delahunty com, security-basics () securityfocus com
Subject: RE: Bank Exploit


> "In our case - who is our CDC?"
>
> Both CERT and InfraGard come to mind.  CERT for the vulnerability and
> InfraGard (it is the FBI after all) to get the word out.
>
> CERT - http://www.cert.org/vuls/
> InfraGard - http://www.infragard.net/index.htm and tips:
> https://tips.fbi.gov/
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Jax Lion
> Sent: Friday, July 27, 2007 8:56 AM
> To: Bob Radvanovsky
> Cc: Scott Race; Warren V Camp; Jason Thompson; securityz () delahunty com;
> security-basics () securityfocus com
> Subject: Re: Bank Exploit
>
> In the case of doctors, if the disease is the deadly and communicable
> one - they should follow up with the CDC who would then follow up and
> find all who are infected or at least interacted with that individual
> and possibly quarantine and contain.  Remember the TB patient who was
> prevented from flying back to the US?
>
> In our case - who is our CDC?
>
> --------
> On 7/26/07, Bob Radvanovsky <rsradvan () unixworks net> wrote:
> > Ahhhh....but therein lies one of the biggest and most debated
> issues/problems -- when (as a security professional) should I 'do the
> right thing'?
> > Some might argue, "OK, you're receiving a paycheck from your client.
> Do they want the world to know that they have a vulnerability?"  If ABC
> is your client, and you've signed an NDA, legally, you can't approach
> EFG, perhaps even if you wanted to.  Ethically, you are 'honor bound' to
> divulge to EFG; civilally, you may be 'legally bound' to ABC.
> > One (possible) way out of this mess might be to:
> >
> > (1) Have ABC acknowledge that EFG has vulnerabilities.
> > (2) Have ABC acknowledge that you, as a security professional, are NOT
> legally bound to divulging into to EFG.
> > (3) That you will not be prosecuted, either civil or criminally.
> > (4) Have an ABC officer sign-off on the document.
> >
> > The problem stems from what happens if ABC *refuses* to oblige in 
> > signing said document.  If there are criminal ramifications, do you 
> > notify the FBI or DOJ?  Legally, ABC could come after *YOU* 
> > afterwards.  So could the federal government.  In some circumstances, 
> > if you were simply hired to perform "X" function for ABC and found "X"
>
> > for ABC and "Y" for EFG, reveal only what you were requested to 
> > perform.  If you have significant amounts of data on EFG's 
> > vulnerabilities, it may be simply be better to destroy the findings.  
> > Again, you were requested ONLY to perform "X" for ABC.  You weren't 
> > requested to perform "Y" for EFG.  ;)
> >
> > As a professional, you need to abide by what other professionals do.
> Would your doctor do the same if he conducted a test and found out that
> you and your wife (or girlfriend) had the same (or similar) disease (if
> communicable)?  The fact is, the doctor is honor-bound up to a point;
> same goes with legal notification.  A doctor, depending on the
> circumstances may -- or may not -- notify your spouse or girlfriend of
> the disease.  Legally, they may or may not have to -- again, depending
> on the circumstances.  The same may hold true here.
> > -rad
> >
> > ----- Original Message -----
> > From: Jax Lion [mailto:jv4l1n4 () gmail com]
> > To: Scott Race [mailto:srace () jdaarch com]
> > Cc: Warren V Camp [mailto:wcamp () cox net], Jason Thompson 
> > [mailto:securitux () gmail com], securityz () delahunty com, 
> > security-basics () securityfocus com
> > Subject: Re: Bank Exploit
> >
> >
> > > In a scenario where you have been hired to test company ABC, in the 
> > > process you discovered that there is vulnerability in company EFG.
> > >
> > > You inform company ABC of your findings, but should you inform 
> > > company EFG what you have discovered?
> > >
> > > If company EFG is a client of company ABC, company ABC might* choose
>
> > > not to divulge the finding to company EFG due to reasons of their
> own.
> > > As a security professional, do you have an obligation to inform 
> > > company EFG of the finding, even though you were not hired to test?
> > >
> > >
> > >
> > > ----
> > >
> > > On 7/26/07, Scott Race <srace () jdaarch com> wrote:
> > > > Obviously there are many ways to look at this one.
> > > >
> > > > The bottom line is you have discovered a security hole that the 
> > > > bank
> > > should
> > > > be aware of.  Your letting the bank know will benefit them, but at
>
> > > > cost
> > > for
> > > > your services. Will they think you are looking out for them, or 
> > > > will they think you are just trying to justify a job?
> > > >
> > > > It's all about communicating your INTENTION (as with everything in
>
> > > > life
> > > for
> > > > that matter).
> > > >
> > > > Approaching it like "I have hacked you, now pay me to fix it" is 
> > > > like ransom.
> > > >
> > > > If your intention is to help them, you need to clearly communicate
>
> > > > that to them, with the risk that they don't understand, in which 
> > > > case you need to
> > > be
> > > > ready to seriously explain in way they understand (we don't know 
> > > > your
> > > boss,
> > > > so only you know the way to communicate this).
> > > >
> > > > As with all jobs, it comes down to communication.  I've always 
> > > > felt a good IT professional needs to cultivate both techincal 
> > > > skills AND people
> > > skills.
> > > > So, it's up to you. Can you communicate in a way they can 
> > > > understand and TRUST?  If so, go for it.  If you are not confident
>
> > > > then I would not
> > > suggest
> > > > you hold off.
> > > >
> > > > ________________________________
> > > > From: listbounce () securityfocus com on behalf of Warren V Camp
> > > > Sent: Wed 7/25/2007 2:32 PM
> > > > To: Jason Thompson; Jax Lion
> > > > Cc: securityz () delahunty com;
> > > > security-basics () securityfocus com
> > > > Subject: Re: Bank Exploit
> > > >
> > > >
> > > >
> > > >
> > > > This does not sound good. On the surface it appears that a "good" 
> > > > hacker wants to tell the bank that he/she has see evidence of 
> > > > "bad" hackers on their system and that the "good" hacker wants to 
> > > > sell consulting services
> > > to
> > > > the bank.   The "good" hacker could be in just as much trouble as
> the
> > > "bad"
> > > > hackers.
> > > >
> > > >
> > > > ---- Jax Lion <jv4l1n4 () gmail com> wrote:
> > > > > So Jason - what happened to your collegue?
> > > > >
> > > > > IMHO - I don't think option 2 is a good idea.  Questions will 
> > > > > come up such as - how did you discover the vulnerability in the
> first place.
> > > > > What were you doing... and it all goes downhill from there.
> > > > >
> > > > > I don't agree with keeping quiet either...
> > > > >
> > > > > Is there a medium where we can report the "accidental
> discoveries"
> > > > > without risk of prosecution?  Like a hot tip line with the FBI 
> > > > > or something.
> > > > >
> > > > >
> > > > > On 7/25/07, Jason Thompson <securitux () gmail com> wrote:
> > > > > > Risky... is this person a security professional?
> > > > > >
> > > > > > This has happened to one of my colleagues before as well. 
> > > > > > There are two solutions that are possible:
> > > > > >
> > > > > > 1) Do not reveal this or tell anyone about it. Leave it be. As
>
> > > > > > there is this heightened sense of urgency among banks to 
> > > > > > thwart potential attackers the person could be in trouble with
>
> > > > > > the bank for simply discovering the issue. It really all 
> > > > > > depends on the person he or she deals with there. Not saying 
> > > > > > it would hold up in court, it likely wouldn't, but anyone who 
> > > > > > has the ability to find exploits is generally regarded in a
> dim light by those who are uneducated on the subject.
> > > > > > 2) Notify the bank's incident response team / security staff, 
> > > > > > OFFER a non-disclosure agreement to them saying that you will 
> > > > > > not disclose this to anyone regardless of what actions the 
> > > > > > bank decides to take on their vulnerability, and state that 
> > > > > > this was discovered by accident and that he or she simply 
> > > > > > wants to notify them about the issue and IS NOT seeking ANY 
> > > > > > SORT of compensation. If they are notified and it follows with
>
> > > > > > the statement 'I would be willing to help consult you on the 
> > > > > > solution for a small compensation' it instantly becomes
> extortion and this person will likely be thrown in jail.
> > > > > > I am not a lawyer by any means, I am simply speaking from past
>
> > > > > > experiences and what I have seen happen to those who did 
> > > > > > things the right way and the wrong way.
> > > > > >
> > > > > > Solution 2 is a lot easier if your friend's client works in 
> > > > > > information security and holds federal clearances and security
>
> > > > > > designations. Real ones, not Cisco or something :)
> > > > > >
> > > > > > -J
> > > > > >
> > > > > > On 25 Jul 2007 13:34:29 -0000, securityz () delahunty com 
> > > > > > <securityz () delahunty com> wrote:
> > > > > > > Friend of mine (not me, really) is working with a client of 
> > > > > > > his who
> > > > claims to have inadvertently discovered a few web exploits of 
> > > > several financial institutions.  Does anyone have any insights as 
> > > > to how this guy could bring these to the attention of the 
> > > > organizations involved without being seen as a hacker?  His 
> > > > minimal goal is to help the institutions, optimally he would like
> to consult to help them rectify the issues.
> > > > > > > thx
> > > > > > >
> > > > > > > Steve
> > > >
> > > > --
> > > > Warren V. Camp, CPA, CISA, CDP
>
> This e-mail transmission contains information that is confidential and may
> be privileged.   It is intended only for the addressee(s) named above. If
> you receive this e-mail in error, please do not read, copy or disseminate it
> in any manner. If you are not the intended recipient, any disclosure,
> copying, distribution or use of the contents of this information is
> prohibited. Please reply to the message immediately by informing the sender
> that the message was misdirected. After replying, please erase it from your
> computer system. Your assistance in correcting this error is appreciated.