RE: Question about exploit exposing SSN & user info

From: J. Patterson Wicks <pwicks(at)oxygen.com>
Date: Mon Aug 06 2007 - 13:35:23 EDT

If you discovered this vulnerability while performing your standard duties within the company, you have an obligation to your company and to your customers to report it to the appropriate company leaders as quickly as possible. Going on the assumption that you discovered the vulnerability while performing your standard duties, you should follow your company's formal incident response procedures. Each company should have incident response procedures or a whole incident response team to deal with these sort of situations. If you are not sure whether your company has incident response procedures or an incident response team, check with the HR department (to prevent premature distress the IT department).

If your company does not have an incident response team or incident response procedures, you have to determine how to best notify your company leadership. Since I do not know your company's social or political climate, this is a call that you have to make on your own. If you are not sure how your company will respond to your discovery, you should consult with an attorney before moving forward. If you found the vulnerability while performing unauthorized activities, you should DEFINITELY consult an attorney before doing anything else.

Once you decide to move forward, I have a few words of advice:

1. Do not disclose any aspect of the vulnerability to ANYONE until you have formally notified the leadership of the company (The company will provide you with disclosure guidelines after they have been formally notified)
2. Research the state and federal statues related to the protection of personal information and breach notification (Take special notice if you fall under special regulations like HIPAA or SOX)
3. Create a document to present to the company leadership: . a. Prepare a complete analysis of the vulnerability including the exact steps needed to repeat the exploit
4. Make sure that your documentation includes a risk analysis
   (without the standard FUD)
   
5. Make sure that your documentation includes the research on protection of personal information and breach notification
6. Make sure that your documentation includes both technical details as well as an executive summary for non-technical executives

And last but not least . . .

  4. Make sure that you give this information to more than one person in your company chain of command. This will ensure that it does not get buried and that

      someone else does not get credit for your discovery.

Once you submit your documentation to the company leadership, I am sure that the appropriate actions will be taken. I am confident that any conscientious company will respect your efforts and appreciate your dedication to the company and its customers.

Regular contributors to this forum are sure to provide you with a lot of good advice. They have a lot of experience with this sort of problem within the private sector as well as at the state/federal level. No matter what advice comes your way, remember that at the end of the day we are just advisors. You have to live the consequences of your discovery. Make sure that you protect yourself as well as your company and your customers.

-----Original Message-----
From: hsukowa@yahoo.com [mailto:hsukowa@yahoo.com] Sent: Sunday, August 05, 2007 10:35 PM
To: bugtraq@securityfocus.com
Subject: Question about exploit exposing SSN & user info

My apologies if this question is inappropriate for this email list, but it is a last resort and a friend recommended posting this question here.

In the last 36 hours I uncovered an exploit that compromises the private information of thousands of individuals - including SSN and address information. I cannot judge whether or not the exploit is easy to find. I do know that if found, it would not be difficult to write a simple script in php or perl to exploit the hole.

My concern is that the company responsible for this hole (for whom I am currently employed) will patch the problem on seeing it occur on Monday
(a good thing) but do little or nothing to notify any user whose private
information is on their system (downplaying the likelihood of risk). This exploit has very likely existed for years and whether or not a company typically keeps logs for years is beyond my knowledge - the exploit is however detectable through web log files. I also lack faith in the company's ability to make an objective determination whether or not the exploit has been used to download the private information of its' users.

My question is this - does anyone out there have any experience dealing with this type of a situation? --- Where a company has silenced an exploit without notifying customers who may have been victims of it? Does anyone have any recommendations for a course of action I might take to somehow ensure users whose private information may have been compromised are notified in the event the company chooses to "sweep it under the rug"?

Again my apologies if my asking this question in the wrong forum has offended anyone.

And many thanks to anyone who responds.

---

Don't miss season 2 of Tori & Dean: Inn Love, Tuesdays at 10pm/9 C premiering August 14th, only on Oxygen! Watch Season 1: www.shedidwhat.tv

---

This e-mail is property of Oxygen Media, LLC. It is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. Distribution or copying of this e-mail or the information contained herein by anyone other than the intended recipient is prohibited. If you have received this e-mail in error, please notify me immediately and destroy all electronic and paper copies of this e-mail. Received on Mon Aug 6 14:49:45 2007