On Friday 17 February 2006 14:23, Ansgar -59cobalt- Wiechers wrote:
> is in German, but maybe an online translator will help). The OBSOC
> (Online Business Solution Operation Center) system of the Deutsche
> Telekom AG did not do proper authentication, so by manipulating the URL
> you could access other customers' data. How would you detect such a
> vulnerability without actually hacking the system? Is one supposed to
> not notice these things? Will that really make them go away?

This indeed is a great example. It's got the whole story right: you know there's this company with this on-line content, and you have a hunch there's something broken. You don't know what it is, so you have to punch a hole in their system to see for yourself. There's just no other way to do it.

What would you do?

a) Talk to them?

They don't know if they have a security problem or not. But they'd rather not know about it. Company reasoning goes this way: there's someone who thinks he has found a security hole in our software, and he's asking us to permit him to do a security audit; well, we do not know him, and we do not know if we have a hole in the first place... so the best solution is to deny the security audit and pretend there's no hole. That way we can save money and avoid risking our brand, and after all, we do have some IT experts of our own, and they say everything is OK.

b) Not talk to them?

In that case, yes, you might find a flaw. You might go to jail as well, because of the same company reasoning: there's this evil hacker who broke into our system. Who knows what he has done; it is an evil hacker, and evil hackers do many evil things we could not possibly know about, so our system is completely compromised, and we have huge losses. Yes, he told us about that security hole, but this is probably just to blackmail us later with more and more security holes, some of them could even be planted by this evil hacker. Our customers will lose confidence in our services, and this is bad, very bad for our business. So, let's call the police and put this evil creature behind bars for good.

c) Leave it as it is.

If you do not touch it, you're saving yourself from a lot of trouble. Surely, the problem will stay, but it's not you who's going to have your pants on fire.

IMHO, the best approach would be to do (a) in a very polite manner, and if they refuse, simply switch to (c). That's reasonable. After all, their system is their property, as are all the security holes. And we shouldn't get emotional about other people's security problems. You're never going to be a great brain surgeon if you cry over someone's open skull while operating on a brain tumour.

--
Radoslav Dejanović
Operacijski sustavi d.o.o.
http://www.opsus.hr