Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: To disclose or not to disclose
From: "Elazar Broad" <elazar () hushmail com>
Date: Sun, 28 Sep 2008 17:54:08 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Simon,
 If the issue really involves critical infrastructure you can
expect(to an extent) many government and quasi-government
organizations to step in  and pressure the vendor to fix the issue
before you go public. A real world example. At a recent conference,
I was talking to a security executive of a rather large utility and
the recently disclosed Citec issue came up. He mentioned that he
was at a certain government organizations lab while they were
assessing the issue based on the information they received from
CORE. If you read CORE's disclosure timeline, the real fire hadn't
been lit until this organization, along with some others, stepped
in and really got under the vendor's skin. He also mentioned how
clueless Citec's initial response was, but thats another story.
Given the general awareness of these organizations of the fact that
critical infrastructure vulnerabilities = potentially major
problems, I think setting a deadline(which will probably be
extended at the behest of these organizations) for the vendor is
not a bad idea, and the chances of the issue getting fixed before
you spill the beans are pretty high. You can't forget the
"somewhat" obvious as well, if you found it, someone else can find
it too. As far as the vendor is concerned, well, we all know what
happened to a certain electronic voting machine vendor...Look, I'm
not expert, this is just my .02...

elazar

On Sun, 28 Sep 2008 03:01:08 +0000 Simon Smith <simon () snosoft com>
wrote:
Elazar,
      I suppose that could be a good action, but doing that would
potentially
put the security companies customer at risk. Granted, in the
argument
they were already notified of the risk. So the question is, is
that the
ethical choice? Is that a good business choice?


Elazar Broad wrote:
I would opt for #1, additionally, contacting CERT and other
quasi-
government security organizations would be a plus, they might
have
better luck lighting a fire under the theoretical vendors ass...

elazar

On Sat, 27 Sep 2008 03:39:34 +0000 Simon Smith
<simon () snosoft com>
wrote:
Greetings,
    I have a theoretical question of ethics for other security
professionals that participate in this list. This is not an
actual
situation, but it is a potentially realistic situation that I'm
interested in exploring and finding an acceptable solution to.

    Supposed a penetration testing company delivers a service to a
customer. That customer uses a technology that was created by a
third
party to host a critical component of their infrastructure. The
penetration testing company identifies several critical flaws
in
the
technology and notifies the customer, and the vendor.

    One year passes and the vendor had done nothing to fix the
issue.
The
customer is still vulnerable and they have done nothing to
change
their
level of risk and exposure. In fact, lets say that the vendor
flat
out
refuses to do anything about the issue even though they have
been
notified of the problem. Lets also assume that this issue
affects
thousands of customers in the financial and medical industry
and
puts
them at dire risk.

    What should the security company do?

1-) Create a formal advisory, contact the vendor and notify
them
of the
intent to release the advisory in a period of "n" days? If the
vendor
refuses to fix the issue does the security company still
release
the
advisory in "n" days? Is that protecting the customer or
putting
the
customer at risk? Or does it even change the risk level as
their
risk
still exists.

2-) Does the security company collect a list of users of the
technology
and notify those users one by one? The process might be very
time
consuming but by doing that the security company might not
increase the
risk faced by the users of the technology, will they?

3-) Does the security company release a low level advisory that
notifies
users of the technology to contact the vendor in order to gain
access to
the technical details about the issue?

4-) Does the security company do something else? If so, what is
the
appropriate course of action?

5-) Does the security company do nothing?

I'm very interested to hear what people thin the "responsible"
action
would be here. It appears that this is a challenge that will at
some
level create risk for the customer. Is it impossible to do this
without
creating an unacceptable level of risk?

Looking forward to real responses (and troll responses too...
especially
n3td3v).

--

- simon

----------------------
http://www.snosoft.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
Self Storage Options - Click Here.
http://tagline.hushmail.com/fc/Ioyw6h4eNgR1BRhFB3CXCR61VEtfAqJ45ZV3
4qDMKcjsXBCGM0kWG5/



--

- simon

----------------------
http://www.snosoft.com
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAkjfxMEACgkQi04xwClgpZjClAP/frm/enc7E52FjvW7QWhEbtZCJ8Kr
/PM1o20qCZV9RdwP8IJhfbg3aF4ko3VrJcsFTuHSp5w5Pi4O/k6l3Vggak3cRlejN26q
9nIjHl8C0V4KaismHL5cXS7OZKyDFI9uMnw/Mpmao5bF7+jxdo1qK6nnrBawojtRwifg
tjJTQic=
=OqUn
-----END PGP SIGNATURE-----

--
Hotel pics, info and virtual tours.  Click here to book a hotel online.
http://tagline.hushmail.com/fc/Ioyw6h4eRClAkcJxO5raG2q61I2CHdEok8REye7AsAlE6A964lyJ9u/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault