-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simon, If the issue really involves critical infrastructure you can expect(to an extent) many government and quasi-government organizations to step in and pressure the vendor to fix the issue before you go public. A real world example. At a recent conference, I was talking to a security executive of a rather large utility and the recently disclosed Citec issue came up. He mentioned that he was at a certain government organizations lab while they were assessing the issue based on the information they received from CORE. If you read CORE's disclosure timeline, the real fire hadn't been lit until this organization, along with some others, stepped in and really got under the vendor's skin. He also mentioned how clueless Citec's initial response was, but thats another story. Given the general awareness of these organizations of the fact that critical infrastructure vulnerabilities = potentially major problems, I think setting a deadline(which will probably be extended at the behest of these organizations) for the vendor is not a bad idea, and the chances of the issue getting fixed before you spill the beans are pretty high. You can't forget the "somewhat" obvious as well, if you found it, someone else can find it too. As far as the vendor is concerned, well, we all know what happened to a certain electronic voting machine vendor...Look, I'm not expert, this is just my .02...
elazar On Sun, 28 Sep 2008 03:01:08 +0000 Simon Smith <[EMAIL PROTECTED]> wrote: >Elazar, > I suppose that could be a good action, but doing that would >potentially >put the security companies customer at risk. Granted, in the >argument >they were already notified of the risk. So the question is, is >that the >ethical choice? Is that a good business choice? > > >Elazar Broad wrote: >> I would opt for #1, additionally, contacting CERT and other >quasi- >> government security organizations would be a plus, they might >have >> better luck lighting a fire under the theoretical vendors ass... >> >> elazar >> >> On Sat, 27 Sep 2008 03:39:34 +0000 Simon Smith ><[EMAIL PROTECTED]> >> wrote: >>> Greetings, >>> I have a theoretical question of ethics for other security >>> professionals that participate in this list. This is not an >actual >>> situation, but it is a potentially realistic situation that I'm >>> interested in exploring and finding an acceptable solution to. >> >>> Supposed a penetration testing company delivers a service to a >>> customer. That customer uses a technology that was created by a >>> third >>> party to host a critical component of their infrastructure. The >>> penetration testing company identifies several critical flaws >in >>> the >>> technology and notifies the customer, and the vendor. >> >>> One year passes and the vendor had done nothing to fix the >issue. >>> The >>> customer is still vulnerable and they have done nothing to >change >>> their >>> level of risk and exposure. In fact, lets say that the vendor >flat >>> out >>> refuses to do anything about the issue even though they have >been >>> notified of the problem. Lets also assume that this issue >affects >>> thousands of customers in the financial and medical industry >and >>> puts >>> them at dire risk. >> >>> What should the security company do? >> >>> 1-) Create a formal advisory, contact the vendor and notify >them >>> of the >>> intent to release the advisory in a period of "n" days? If the >>> vendor >>> refuses to fix the issue does the security company still >release >>> the >>> advisory in "n" days? Is that protecting the customer or >putting >>> the >>> customer at risk? Or does it even change the risk level as >their >>> risk >>> still exists. >> >>> 2-) Does the security company collect a list of users of the >>> technology >>> and notify those users one by one? The process might be very >time >>> consuming but by doing that the security company might not >>> increase the >>> risk faced by the users of the technology, will they? >> >>> 3-) Does the security company release a low level advisory that >>> notifies >>> users of the technology to contact the vendor in order to gain >>> access to >>> the technical details about the issue? >> >>> 4-) Does the security company do something else? If so, what is >>> the >>> appropriate course of action? >> >>> 5-) Does the security company do nothing? >> >>> I'm very interested to hear what people thin the "responsible" >>> action >>> would be here. It appears that this is a challenge that will at >>> some >>> level create risk for the customer. Is it impossible to do this >>> without >>> creating an unacceptable level of risk? >> >>> Looking forward to real responses (and troll responses too... >>> especially >>> n3td3v). >> >>> -- >> >>> - simon >> >>> ---------------------- >>> http://www.snosoft.com >> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ > >-- >Self Storage Options - Click Here. >http://tagline.hushmail.com/fc/Ioyw6h4eNgR1BRhFB3CXCR61VEtfAqJ45ZV3 >4qDMKcjsXBCGM0kWG5/ > > > >-- > >- simon > >---------------------- >http://www.snosoft.com -----BEGIN PGP SIGNATURE----- Charset: UTF8 Version: Hush 3.0 Note: This signature can be verified at https://www.hushtools.com/verify wpwEAQECAAYFAkjfxMEACgkQi04xwClgpZjClAP/frm/enc7E52FjvW7QWhEbtZCJ8Kr /PM1o20qCZV9RdwP8IJhfbg3aF4ko3VrJcsFTuHSp5w5Pi4O/k6l3Vggak3cRlejN26q 9nIjHl8C0V4KaismHL5cXS7OZKyDFI9uMnw/Mpmao5bF7+jxdo1qK6nnrBawojtRwifg tjJTQic= =OqUn -----END PGP SIGNATURE----- -- Hotel pics, info and virtual tours. Click here to book a hotel online. http://tagline.hushmail.com/fc/Ioyw6h4eRClAkcJxO5raG2q61I2CHdEok8REye7AsAlE6A964lyJ9u/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
