J. Patterson Wicks
06/08/07, 22:43
If you discovered this vulnerability while performing your standard
duties within the company, you have an obligation to your company and to
your customers to report it to the appropriate company leaders as
quickly as possible. Going on the assumption that you discovered the
vulnerability while performing your standard duties, you should follow
your company's formal incident response procedures. Each company should
have incident response procedures or a whole incident response team to
deal with these sort of situations. If you are not sure whether your
company has incident response procedures or an incident response team,
check with the HR department (to prevent premature distress the IT
department).
If your company does not have an incident response team or incident
response procedures, you have to determine how to best notify your
company leadership. Since I do not know your company's social or
political climate, this is a call that you have to make on your own. If
you are not sure how your company will respond to your discovery, you
should consult with an attorney before moving forward. If you found the
vulnerability while performing unauthorized activities, you should
DEFINITELY consult an attorney before doing anything else. =20
Once you decide to move forward, I have a few words of advice:
1. Do not disclose any aspect of the vulnerability to ANYONE until
you have formally notified the leadership of the company
(The company will provide you with disclosure guidelines after
they have been formally notified)
2. Research the state and federal statues related to the protection
of personal information and breach notification
(Take special notice if you fall under special regulations like
HIPAA or SOX)=20
3. Create a document to present to the company leadership:
.. a. Prepare a complete analysis of the vulnerability including the
exact steps needed to repeat the exploit
b. Make sure that your documentation includes a risk analysis
(without the standard FUD)
c. Make sure that your documentation includes the research on
protection of personal information and breach notification
d. Make sure that your documentation includes both technical
details as well as an executive summary for non-technical executives
=09
And last but not least . . .=20
4. Make sure that you give this information to more than one person
in your company chain of command. This will ensure that it does not get
buried and that=20
someone else does not get credit for your discovery.
Once you submit your documentation to the company leadership, I am sure
that the appropriate actions will be taken. I am confident that any
conscientious company will respect your efforts and appreciate your
dedication to the company and its customers. =20
Regular contributors to this forum are sure to provide you with a lot of
good advice. They have a lot of experience with this sort of problem
within the private sector as well as at the state/federal level. No
matter what advice comes your way, remember that at the end of the day
we are just advisors. You have to live the consequences of your
discovery. Make sure that you protect yourself as well as your company
and your customers.
-----Original Message-----
From: hsukowa@yahoo.com [mailto:hsukowa@yahoo.com]=20
Sent: Sunday, August 05, 2007 10:35 PM
To: bugtraq@securityfocus.com
Subject: Question about exploit exposing SSN & user info
My apologies if this question is inappropriate for this email list, but
it is a last resort and a friend recommended posting this question here.
In the last 36 hours I uncovered an exploit that compromises the private
information of thousands of individuals - including SSN and address
information. I cannot judge whether or not the exploit is easy to find.
I do know that if found, it would not be difficult to write a simple
script in php or perl to exploit the hole. =20
My concern is that the company responsible for this hole (for whom I am
currently employed) will patch the problem on seeing it occur on Monday
(a good thing) but do little or nothing to notify any user whose private
information is on their system (downplaying the likelihood of risk).
This exploit has very likely existed for years and whether or not a
company typically keeps logs for years is beyond my knowledge - the
exploit is however detectable through web log files. I also lack faith
in the company's ability to make an objective determination whether or
not the exploit has been used to download the private information of
its' users.
My question is this - does anyone out there have any experience dealing
with this type of a situation? --- Where a company has silenced an
exploit without notifying customers who may have been victims of it?
Does anyone have any recommendations for a course of action I might take
to somehow ensure users whose private information may have been
compromised are notified in the event the company chooses to "sweep it
under the rug"?=20
Again my apologies if my asking this question in the wrong forum has
offended anyone. =20
And many thanks to anyone who responds.
--------------------------------------------------------
Don't miss season 2 of Tori & Dean: Inn Love, Tuesdays at 10pm/9 C =
premiering August 14th, only on Oxygen! Watch Season 1: =
www.shedidwhat.tv
--------------------------------------------------------
This e-mail is property of Oxygen Media, LLC. It is intended only for =
the person or entity to which it is addressed and may contain =
information that is privileged, confidential, or otherwise protected =
from disclosure. Distribution or copying of this e-mail or the =
information contained herein by anyone other than the intended recipient =
is prohibited. If you have received this e-mail in error, please notify =
me immediately and destroy all electronic and paper copies of this =
e-mail.
duties within the company, you have an obligation to your company and to
your customers to report it to the appropriate company leaders as
quickly as possible. Going on the assumption that you discovered the
vulnerability while performing your standard duties, you should follow
your company's formal incident response procedures. Each company should
have incident response procedures or a whole incident response team to
deal with these sort of situations. If you are not sure whether your
company has incident response procedures or an incident response team,
check with the HR department (to prevent premature distress the IT
department).
If your company does not have an incident response team or incident
response procedures, you have to determine how to best notify your
company leadership. Since I do not know your company's social or
political climate, this is a call that you have to make on your own. If
you are not sure how your company will respond to your discovery, you
should consult with an attorney before moving forward. If you found the
vulnerability while performing unauthorized activities, you should
DEFINITELY consult an attorney before doing anything else. =20
Once you decide to move forward, I have a few words of advice:
1. Do not disclose any aspect of the vulnerability to ANYONE until
you have formally notified the leadership of the company
(The company will provide you with disclosure guidelines after
they have been formally notified)
2. Research the state and federal statues related to the protection
of personal information and breach notification
(Take special notice if you fall under special regulations like
HIPAA or SOX)=20
3. Create a document to present to the company leadership:
.. a. Prepare a complete analysis of the vulnerability including the
exact steps needed to repeat the exploit
b. Make sure that your documentation includes a risk analysis
(without the standard FUD)
c. Make sure that your documentation includes the research on
protection of personal information and breach notification
d. Make sure that your documentation includes both technical
details as well as an executive summary for non-technical executives
=09
And last but not least . . .=20
4. Make sure that you give this information to more than one person
in your company chain of command. This will ensure that it does not get
buried and that=20
someone else does not get credit for your discovery.
Once you submit your documentation to the company leadership, I am sure
that the appropriate actions will be taken. I am confident that any
conscientious company will respect your efforts and appreciate your
dedication to the company and its customers. =20
Regular contributors to this forum are sure to provide you with a lot of
good advice. They have a lot of experience with this sort of problem
within the private sector as well as at the state/federal level. No
matter what advice comes your way, remember that at the end of the day
we are just advisors. You have to live the consequences of your
discovery. Make sure that you protect yourself as well as your company
and your customers.
-----Original Message-----
From: hsukowa@yahoo.com [mailto:hsukowa@yahoo.com]=20
Sent: Sunday, August 05, 2007 10:35 PM
To: bugtraq@securityfocus.com
Subject: Question about exploit exposing SSN & user info
My apologies if this question is inappropriate for this email list, but
it is a last resort and a friend recommended posting this question here.
In the last 36 hours I uncovered an exploit that compromises the private
information of thousands of individuals - including SSN and address
information. I cannot judge whether or not the exploit is easy to find.
I do know that if found, it would not be difficult to write a simple
script in php or perl to exploit the hole. =20
My concern is that the company responsible for this hole (for whom I am
currently employed) will patch the problem on seeing it occur on Monday
(a good thing) but do little or nothing to notify any user whose private
information is on their system (downplaying the likelihood of risk).
This exploit has very likely existed for years and whether or not a
company typically keeps logs for years is beyond my knowledge - the
exploit is however detectable through web log files. I also lack faith
in the company's ability to make an objective determination whether or
not the exploit has been used to download the private information of
its' users.
My question is this - does anyone out there have any experience dealing
with this type of a situation? --- Where a company has silenced an
exploit without notifying customers who may have been victims of it?
Does anyone have any recommendations for a course of action I might take
to somehow ensure users whose private information may have been
compromised are notified in the event the company chooses to "sweep it
under the rug"?=20
Again my apologies if my asking this question in the wrong forum has
offended anyone. =20
And many thanks to anyone who responds.
--------------------------------------------------------
Don't miss season 2 of Tori & Dean: Inn Love, Tuesdays at 10pm/9 C =
premiering August 14th, only on Oxygen! Watch Season 1: =
www.shedidwhat.tv
--------------------------------------------------------
This e-mail is property of Oxygen Media, LLC. It is intended only for =
the person or entity to which it is addressed and may contain =
information that is privileged, confidential, or otherwise protected =
from disclosure. Distribution or copying of this e-mail or the =
information contained herein by anyone other than the intended recipient =
is prohibited. If you have received this e-mail in error, please notify =
me immediately and destroy all electronic and paper copies of this =
e-mail.