Security Basics mailing list archives
Re: Bank Exploit
From: krymson () gmail com
Date: 27 Jul 2007 14:00:49 -0000
There are a number of rubs with this question, making it very interesting.

1) If you decide to anonymously divulge the issue, make sure you're conscious of how you found out about the issue in the first place. Did your friend find it from his home system? Any team worth their pay that receives this information may look into their exposure, i.e. did someone already leverage this exploit? They check their logs, see you've done it, track you down anyway. This is especially easy if the methods leave distinct and easily-searchable log entries.

2) If your friend or you are a customer of that bank, you might be a little "safer" than if you were just some third party. As a concerned customer, you could present your findings and they may treat you differently.

3) So, let's say you're a customer of this bank for the sake of this third point. You find this exploit. You read advice on this board that says, "don't divulge it, just keep quiet and move on with life." You found it, which means others can likely find it. Do you remain a customer? Do you feel less secure? That's an interesting dilemma and I think I know what the business would rather have you do: remain a customer.

If you and your friend have no ties to the bank, then I think you're back in an "easier" seat of either divulging, anonymously divulging, or just walking away.

<- snip ->
Friend of mine (not me, really) is working with a client of his who claims to have inadvertently discovered a few web exploits of several financial institutions. Does anyone have any insights as to how this guy could bring these to the attention of the organizations involved without being seen as a hacker? His minimal goal is to help the institutions, optimally he would like to consult to help them rectify the issues.