PwC Sends Legal Threats To Researchers Who Found Critical Security Flaw (zdnet.com)
An anonymous reader quotes a report from ZDNet: A security research firm has released details of a "critical" flaw in a security tool, despite being threatened with legal threats. The advisory said that an attacker could "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," which could result in "fraud, theft or manipulation of sensitive data," as well as the "unauthorized payment transactions and transfer of money." An attacker could also add a backdoor to the affected server, the advisory said. The researchers contacted and met with PwC in August to discuss the scope of the flaw. As part of its responsible disclosure policy, the researchers gave PwC three months to fix the flaw before a public advisory would be published. Three days later, the corporate giant responded with legal threats. A portion of the cease-and-desist letter, seen by ZDNet, said that PwC demanded the researchers "not release a security advisory or similar information" relating to the buggy software. The legal threat also said that the researchers are not to "make any public statements or statements to users" of the software. The researchers told PwC that they would publicly disclose their findings once the three-month window expires, which is in line with industry standard disclosure practices. That was when PwC hit the security firm with a second cease-and-desist letter. Undeterred, the researchers released a security advisory a little over two weeks later.
first (Score:2, Insightful)
comment!: Typical for incapable companies to threaten with lawsuits because they can't be bothered to actually do their job!
Cheaper to shoot the messenger (Score:2)
Besides ... patching the software is never a permanent solution. Anarchist sympathisers will burrow into the system until they've found another vulnerability. And another. And another.
Best to attack the problem at its root: sue anyone who publishes a leak out of existence. That will also deter malfeasants, right?
Re: (Score:2)
Exactly.
When you can't innovate, litigate!
Re: (Score:2)
comment!: Typical for incapable companies to threaten with lawsuits because they can't be bothered to actually do their job!
I would say that they are bothered and concerned and want to fix it, but the author of that module no longer works for them and they can't find the staff with the in-depth knowledge of that particular module. If the analyst can't understand the module, he will not understand the security flaw. And the search to find the competent individual is at least a three-month job. That's my take on this subject.
Re: (Score:2)
Rearrange these words: "shit" and "tough".
Surely the minute that the author of that module handed in their notice, his managers should have started the search process (internally and externally) for someone to grok the departed person's work and get up to speed. Oh, and they could try having a lower staff turnover rate by [insert 50 volumes of standard staff retention advice, whic
Re:first (Score:5, Informative)
Their job? Their job is to make money. Sometimes fixing large scale problems costs money. I guess threatening with a lawsuit is actually closer to "doing their job" than you think.
Reputation has an impact on the job of making money. So does ethics.
Perhaps one day failing companies will pull their head out of their lawyers ass and realize that.
Re:first (Score:5, Insightful)
A larger bit of context here is that this wasn't a business unit that makes hockey pucks. This was a business unit that is involved in cybersecurity. So for them to show ignorance of how things should be done with regard to this...ugh.
On the other hand, PwC is a partnership organization, not a corporation. As such, a lot of control is decentralized; partners are responsible for the business beneath them and while that responsibility does run upwards, with every step up there's an order of magnitude by which detail is removed. So fundamentally this could be one guy getting his panties in a wad over things.
But still...he should know better.
Re: (Score:2)
pen as in a pen or is that supposed to be short for something?
Or if you are lazy, 'pen' comes from 'penetrate'. If you incorporate the word with cyber or Internet, you should now know what kind of testing they do (no pun!).
Re: first (Score:5, Funny)
pen as in a pen or is that supposed to be short for something?
Duh, it should be obvious from the context. PwC is an accounting firm. Accounting firms use a lot of pens. It would be ludicrous to give an accountant a non-functional pen, so they have a pen testing division that runs each pen through a battery of tests before they deploy it to an accountant.
Re: (Score:2)
Big Bad Wolf (Score:2)
It stands for penetration testing [wikipedia.org], like what the Big Bad Wolf was hired to do [allthetropes.org] in the short story "The Three Little Pigs".
Re: (Score:3, Insightful)
So it's pencil pushers vs. pen testers
Re: (Score:1)
Re: (Score:2)
"Reputation has an impact on the job of making money. So does ethics."
How's the weather in 1954, gramps? Ethics went the way of tailfins...
So, you're saying we need to bring back ethics and tailfins? I'll go with that.
Re: (Score:2)
Reputation has an impact on the job of making money. So does ethics.
Not in the US they don't. Microsoft, Apple, Verizon, the list goes on.
Those aren't companies. Those are MegaCorps who lobby in order to ensure they win every time, because they're now Too Big to Fail.
Ain't legal precedent a bitch...
Re: (Score:2)
Their job? Their job is to make money.
One would from this anecdote think that their job is sending legal letters... Which it probably is.
Re: (Score:2)
I'm pretty sure that lawyers aren't cheap. Maybe I am wrong in saying that they could use their staff of coders to fix this problem, or if necessary buy a security audit and assistance, but I'm pretty sure either would be cheaper than lawyers. Data breaches are also far more expensive than all of those, pushing millions of dollars in recovery costs.
Since when... (Score:2, Interesting)
...are lawyers cheaper than developers?
Or is the Higher Management unable to think in any other way because they are only lawyers themselves??
Re:Since when... (Score:4, Informative)
Re:Since when... (Score:5, Interesting)
...are lawyers cheaper than developers?
Or is the Higher Management unable to think in any other way because they are only lawyers themselves??
I worked for a tech firm that was run by a lawyer; when the shit hit the fan during the dotcom meltdown, we found out the only ass that was covered was his.
While we were scrambling to find new jobs & pay bills, he went off to head up some board filled with other cunts like himself
Re: (Score:2)
I worked for a tech firm that was run by a lawyer; when the shit hit the fan during the dotcom meltdown, we found out the only ass that was covered was his.
While we were scrambling to find new jobs & pay bills, he went off to head up some board filled with other cunts like himself.
In other words while you were looking for a new job, he did the same, and found one.
Re: (Score:3)
"In other words while you were looking for a new job, he did the same, and found one"
He had this lined up before we knew the sky was falling. And he had quietly negotiated a nice parting gift for himself while 50 of us lost thousands in unpaid salary & benefits.
That detail only came to light years later when a couple of us finally were able to get our hands on some withheld company documents.
Re: (Score:2)
Re: Since when... (Score:2)
But, how much would it cost the company had some hacker waltzed into their system and started stealing information? Lawsuits at the end of the day can be hefty, especially if they are a class-action suit.
Re: (Score:2)
I can tell you that based on this if I now found a flaw in PwC's system I would not inform them, nor would I warn them. I would just release the info as AC.
Re: (Score:3)
No.
1) Inform PwC.
2) Receive C&D letter.
3) Use exploit on PwC's customers.
4) Take nothing, just leave the C&D letter behind.
5) Buy popcorn.
Streisand effect (Score:5, Interesting)
Well this company completely missed the memo regarding the Streisand effect. This company obviously thought that using lawyers and burying the truth was cheaper than fixing the problem. Now, not only will they have to fix the problem, their users will be aware of the fact that the company tried to hide it from the users of the software. Talk about damage of trust. This company may also get hammered in court with anti-SLAPP penalties from the company they were threatening. Hopefully, this ends up being a very costly bout of stupidity making the company think twice about doing it again.
Re:Streisand effect (Score:5, Insightful)
Companies like PwC cannot grasp the concept of earning money and behaving ethically at the same time.
Many a head must have been scratched in trying to understand why their threats failed. "Did the researchers not understand they were being threatened?". "Why would they do the right thing if it could cost them money?". "It's almost as if they decided to do what would be best for other people instead of themselves.".
Re: (Score:3, Informative)
"Companies like PwC cannot grasp the concept of earning money and behaving ethically at the same time."
You're not kidding there. I'd never heard of them but pulled up their wiki page. It's quite long. And a good half of it is dedicated to controversies and scandals. Almost all around financial fraud. How are these clowns not in prison?
Re:Streisand effect (Score:5, Insightful)
Because only the plebs go to prison.
Re: Streisand effect (Score:2)
Re: (Score:2)
Madoff went to prison, and will be there for the rest of his life. He was no "pleb".
The exception proves the rule, as they say.
Re: (Score:2)
The meaning of "prove" in "The exception proves the rule" is tests. Prove has a long history outside of math, and the math meaning is a specialization. You can still consider a "proof" of a conjecture as a test of it, and that meaning works, and that's the origin of the use of proof in that context.
All that said, you can point to two or three rich and powerful people who ended up in jail, but you won't find many, and you'll find many that should have. So as a statistical measure, you can say rich people
Re: (Score:2)
That was quite enlightening. I never would have known about this company had it not been for this story.
These guys run with the big boys, it doesn't surprise me at all that their first response was legal action. As a matter of fact, I wouldn't be surprised if that is their first reaction to any bad news.
Re: (Score:2)
HA!
It's their first reaction to *any* news including a curious lack of news.
"Good news sir!" -> Lawyers
"Bad news..." -> Lawyers
"Jeeves! I have not seen any news lately." -"I'll dial up the legal dept. sir."
Re: (Score:2)
They know where everyone else's skeletons lie.
Re: (Score:2)
They've made enough money to buy off the politicians who would create laws, and those who would prosecute them.
Re: (Score:2)
Actually, I didn't recognize it by the abbreviation they used in the summary. I had to Google the acronym to get the actual name. I thankfully have never had to deal much with the financial services sector so I am not as familiar with this company or its reputation. As far as I'm concerned they're all greedy self-serving bastards with no regards for anything except how much of someone else's money they get to swindle and take home today.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
As far as I'm concerned they're all greedy self-serving bastards with no regards for anything except how much of someone else's money they get to swindle and take home today.
The Slashdot Editors have announced that they are now looking for a new Financial News Correspondent.
Interestingly, a copy of the Encyclopedia Britannica's web page on Financial Services Companies from the year 2347 that, due to a temporal disturbance caused by the LHC, appeared on the screen of a Mrs. Trumble of Avon-by-the-Sea described those companies as "...all greedy self-serving bastards with no regards for anything except how much of someone else's money they get to swindle and take home today."
Re: Streisand effect (Score:2)
Oh the irony...
Re: (Score:2)
Oh it sounds awesome!
Is it true?
Hmm, not really
Fuck it, send to print
Re: (Score:2)
Yeah, they write that for the same reason that it was called the "German Democratic Republic". Hint: It wasn't because the GDR was so democratic...
So what? You're suggesting the DPRK isn't democratic, a republic or for the people?
License is a fair question (Score:2, Flamebait)
Re: (Score:3, Insightful)
They need a license to *use* it. Research is fair use, so go suck Walt Disney's mummified cock.
Re: (Score:2)
Citation needed. I'm pretty sure this is not true.
Re: (Score:3)
Citation needed. I'm pretty sure this is not true.
It is not easy to determine fair use; however, for the most part research falls into the fair use category. However, most of the time, fair use is decided on a case-by-case basis, so the issue may be tested in court. You can go here [wsu.edu].
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is a fair use, the factors to be considered shall include:
1. The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
2. The nature of the copyrighted work;
3. The amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
4. The effect upon the potential market for or value of the copyrighted work.
The fact that a work is unpublished shall not by itself bar a finding of fair use if such finding is made upon consideration of all the above factors.
Re: (Score:2)
From Wikipedia:
Examples of fair use in United States copyright law include commentary, search engines, criticism, parody, news reporting, research, and scholarship.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Huh. Well, ok, then. I stand corrected.
Re: (Score:2)
The owner of a lawfully made copy of a computer program has the right to load it into RAM as an essential step of using it. (17 USC 117(a)(1))
Re: (Score:1)
Re: License is a fair question (Score:1)
Re: (Score:2)
Re: (Score:2)
Think of it this way, do art critics need to buy a licensed copy for their work? Film critics?
How about confidential financial document critics? Can they just grab anything they want?
Re: (Score:3)
Fair question where the authors got the software if they didn't have a license. Just because you're a security researcher doesn't give you carte blanche to pirate.
The publishers appear to be focused on SAP environments, and the PWC software appears to be implemented as a module in SAP. If I had to guess, I'd say they were auditing one of their customers and found the vulnerability that way. If so, there are no license issues here.
Re: (Score:2)
Re: (Score:2)
It could be that their customers require NDAs (up to and including who they are working for). Of course, it could also be that they have a giant honking vsphere cluster that they run all manner of SAP instances on that are totally unlicensed. :)
"PwC" is Price Waterhouse Coopers (Score:5, Informative)
It is apparently some sort of big accounting firm.
Re: (Score:2)
Accountability (Score:3)
Re: (Score:2)
This isn't the first, or worst, time Price-Waterhouse have featured in the news. I thought (and hoped) they had gone out of business after the time they hit national news for fraudulent work. I just wasn't aware that PwC was Price-Waterhouse or I wouldn't have been at all surprised ... and would have suspected that the bug was intentional.
The cost of doing the right thing (Score:5, Insightful)
Assholes like PwC are why most security researchers don't bother with responsible disclosure. It is by far much safer to anonymously dump it to pastebin.
Re: (Score:2)
How would it be expensive when PwC doesn't have a legal leg to stand on?
Because that does not stop them from suing you. And just the hearings to determine that they don't have a valid case will be enough to bury a mortal in legal bills that are impossible to pay off.
Re: (Score:2)
There's a solution to that: loser pays.
The downside is that it's a bit communist.
What really sucks is... (Score:5, Interesting)
The security firm provides a competing product (Score:3)
It looks like the vulnerability is in a PwC product called ACE, which analyzes SAP security settings.
The flagship product of the security firm that produced the disclosure appears to be "ESNC Security Suite", which from what I could tell appears to be a competing product.
While I definitely support security research and responsible disclosure, it makes me a little uncomfortable that it appears this security firm could have chosen to target and test the PwC software because it is a competitor to software they produce.
Re:The security firm provides a competing product (Score:4, Insightful)
Re: (Score:2)
This is standard in any competitive market - the competitors ALWAYS purchase and evaluate their competitor's products. Ford, GM and Chevy all buy each other's cars and trucks to evaluate and figure out what works, what doesn't work, what can be improved and that
Re: (Score:2)
Re: (Score:2)
Sigh... (Score:2)
Sued for telling the truth and giving fair warning...
Hmmmmm (Score:2)
" an attacker could "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," which could result in "fraud, theft or manipulation of sensitive data," as well as the "unauthorized payment transactions and transfer of money." An attacker could also add a backdoor to the affected server, the advisory said."
Then legal threats
Perhaps we could use a little deductive reasoning to conclude that this was not a f
Criminal offence (Score:2)
Based on the article, PwC was in the right (Score:2)
In an email, a spokesperson for PwC acknowledged the existence of the vulnerability and confirmed that it had been fixed.
The spokesperson also said in a separate prepared statement: "The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients."
It seems the article does a poor job of being impartial. Despite the above quotes, they continue with:
It's far from the first time that a security firm or its researchers have faced the wrath from a company that fights instead of fixes.
I am not sure what to make of this since there is still too much information being withheld by PwC, the article and ESNC.
I love PwC's responses (Score:4, Insightful)
I love the responses PWC gave.
"ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff,"
In other words, trying to discredit them. There is nothing in that about the flaw not being real.
But the one that had me laughing at the spin was:
"The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients."
Makes it sound like it's an old version that wasn't in use much anymore. But it was announced AFTER the fix. So publish the fix, which is now the "current version of the software" and since it's published "is available to all of our clients.". But really, that doesn't mean that most of your clients are running the patch; it silently sidesteps the whole thing.
And the final one:
"The bulletin describes a hypothetical and unlikely scenario -- we are not aware of any situation in which it has materialized,"
Yes, I would expect access to an admin account not to be listed on the main menu, I can believe it's an unlikely scenario. It's not actually hypothetical if it's been done by the security firm, so that part is a lie. The "we are not aware of any situation in which it has materialized" just means "we didn't catch it".
Ummm... wrong response (Score:2)
You know, a simple "Thank you for finding this flaw in our product. Here is a $check as our thank you for finding this and reporting it before the $BadGuys exploited it."
Re:Wait a second (Score:5, Informative)
therein lies the problem with "security tools" (Score:3)
Too many self-proclaimed security experts are big time bullshitters. They want high consulting fees and will spend as many hours as they can "analyzing". But in the end they don't do squat and the system is still not properly secured. I've seen them milk a company for months before they get kicked out and drive away in their Mercedes.
A really good security consultant is worth what they cost. But unless you're an expert yourself you have no way of knowing if the guy you're hiring knows anything.
Re:Wait a second (Score:5, Informative)
Re:Wait a second (Score:4, Informative)
dates too hard to read; stopped trying
You wouldn't be American by any chance would you? Just to help you out I've provided a translation for you.
8/19/2016 PwC contacted
8/22/2016 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
9/5/2016 Asked PwC about updates and whether a patch is available
9/13/2016 Received a Cease & Desist letter from PwC lawyers
11/18/2016 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
11/22/2016 Received another Cease & Desist letter from PwC lawyers
12/7/2016 Public disclosure
Re: (Score:2)
Re: (Score:2)
Geez, me as an American can read the original posted dates. The one claiming they can't read and then stopped is just plain LAZY.
The only thing the original post was missing was being done in all lower case, and omitting punctuation.
Part of communications is communicating, and if someone can't be bothered to make sentences and paragraphs readable without a lot of effort, then some folks might not vother to read them.
Case in point, the original took me about 10 seconds to parse, the cleaned up version, done in proper chronological paragraph order took perhaps a second to read.
Lazy? perhaps the lazy one was the OP.
Re: (Score:2)
BTW: "vother" != "bother" :P
Re: (Score:2)
So now we have punctuation nazis that have sprouted from all the grammer nazis?
BTW: "vother" != "bother" :P
Don't be a dumbass. My comments are that possibly the guy had something interesting to say, so putting his thoughts down as something that is easily readable and digestible is a great way to get your point across.
Spelling errors? I don't really care about those.
But when I look at something, and have to consider if it was worth reading or not, It doesn't get read as often
I thought it might have been good advice, as I do doubt that many of us type out posts that we don't want to bet read. Especially in a
Re: (Score:2)
It just points out that we are all human and we all can make mistakes.
Re: (Score:2)
Yes, you are correct. However, when critiquing someone else, it is always a good thing to check our own. Right?
It just points out that we are all human and we all can make mistakes.
Cthulhu on a skateboard!
So what you are saying is that my spelling error completely made my post incorrect, but my pointing out that the guy wrote a paragraph of what should have been several paragraphs was improper and incorrect as well? Which made my post not only incorrect, but made your post pointing out that my post was incorrect, made yours proper and correct?
You can't have it both ways, and when calling other people Nazis, perhaps you are simply seeing a reflection of your own face in a mirror.
Re: (Score:2)
Re: Wait a second (Score:2)
Now the dates became unreadable.
Re:Wait a second (Score:5, Informative)
Fixed it for you:
2016-8-19 PwC contacted
2016-8-22 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
2016-9-5 Asked PwC about updates and whether a patch is available
2016-9-13 Received a Cease & Desist letter from PwC lawyers
2016-11-18 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
2016-11-22 Received another Cease & Desist letter from PwC lawyers
2016-12-7 Public disclosure
Obligatory: https://xkcd.com/1179/
Re:Wait a second (Score:4)
Actually fixed it for you:
2016-08-19 PwC contacted
2016-08-22 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
2016-09-05 Asked PwC about updates and whether a patch is available
2016-09-13 Received a Cease & Desist letter from PwC lawyers
2016-11-18 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
2016-11-22 Received another Cease & Desist letter from PwC lawyers
2016-12-07 Public disclosure
Re:Wait a second (Score:4, Informative)
This is Slashdot. Really fixed it for you.
1471593600 PwC contacted
1471852800 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
1473062400 Asked PwC about updates and whether a patch is available
1473753600 Received a Cease & Desist letter from PwC lawyers
1479456000 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
1479801600 Received another Cease & Desist letter from PwC lawyers
1481097600 Public disclosure
Re:Wait a second (Score:5, Funny)
USA American attention span: 3 lines, 5 words each.
Canadian American attention span: Moose
Correction:
Canadian attention span: 4 lines, 3 defensive pairs, 2 goalies
Re: (Score:2)
/hat tip
Re: (Score:2)
No the correct formatting is YYYY/MM/DD. That's the only one that sorts correctly.
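As an added example (not code from any poster in this thread), the disclosure timeline above converted between the three formats the thread argues about, with a check that a zero-padded YYYY-MM-DD string sorts chronologically while M/D/YYYY does not, and a check that the 90-day window the researchers cite was actually observed. The epoch values are UTC midnight, so they sit exactly 8 hours before the ones posted above; the event labels are shortened from the thread.

```python
from datetime import date, datetime, timezone

# Constructed from the disclosure timeline posted in this thread,
# in the M/D/YYYY form the first poster used (labels shortened).
TIMELINE_US = [
    ("8/19/2016", "PwC contacted"),
    ("8/22/2016", "Meeting with PwC about impact and details"),
    ("9/5/2016", "Asked PwC about updates and a patch"),
    ("9/13/2016", "Received a Cease & Desist letter"),
    ("11/18/2016", "Informed PwC that 90 days have passed"),
    ("11/22/2016", "Received another Cease & Desist letter"),
    ("12/7/2016", "Public disclosure"),
]


def parse_us(text):
    """Parse an M/D/YYYY string (no zero padding) into a date."""
    return datetime.strptime(text, "%m/%d/%Y").date()


def parse_iso(text):
    """Parse a YYYY-MM-DD string into a date."""
    return date.fromisoformat(text)


def to_iso(d):
    """YYYY-MM-DD, zero padded, so text order equals date order."""
    return d.isoformat()


def to_epoch(d):
    """Seconds since 1970-01-01 at UTC midnight of that day."""
    return int(datetime(d.year, d.month, d.day, tzinfo=timezone.utc).timestamp())


def sorts_chronologically(strings, parser):
    """True iff sorting the strings as plain text reproduces date order."""
    return sorted(strings) == sorted(strings, key=parser)


def convert_timeline(timeline):
    """Return (iso, epoch, event) rows for each M/D/YYYY entry."""
    rows = []
    for text, event in timeline:
        d = parse_us(text)
        rows.append((to_iso(d), to_epoch(d), event))
    return rows


def days_between(timeline, start_event, end_event):
    """Calendar days from the entry labelled start_event to the one labelled end_event."""
    dates = {event: parse_us(text) for text, event in timeline}
    return (dates[end_event] - dates[start_event]).days


def disclosure_deadline_met(timeline, window_days=90):
    """True iff public disclosure came no earlier than window_days after first contact."""
    return days_between(timeline, "PwC contacted", "Public disclosure") >= window_days


if __name__ == "__main__":
    for iso, epoch, event in convert_timeline(TIMELINE_US):
        print(f"{iso}  {epoch}  {event}")
    print("M/D/YYYY sorts as text:", sorts_chronologically([t for t, _ in TIMELINE_US], parse_us))
    print("90-day window observed:", disclosure_deadline_met(TIMELINE_US))
```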
Re: (Score:3)
- 2 weeks later, advisory is released - not seeing 3 months in this timeframe?
Looks like both sides are assholes!
It seems that PWC said nothing about actually fixing the flaw. In fact, their immediately adversarial stance could be construed as an indication that they might not fix the problem in good time, and perhaps not at all. In this case, early disclosure by the security researchers could be viewed as a mitigative strategy, since there was a good chance that criminal hackers would have discovered the flaw and taken advantage of it before PWC did anything about it.
Re: Wait a second (Score:1)
As it turns out though, they still gave them the benefit of the doubt and waited the full three months.
Re: (Score:2)
The standard should be: 3 months before release. Legal threats means immediate release + a nicely written proof of concept any script kiddy can work with.
Re: Question (Score:3)
Nope, they employ a lot of PHBs.
Re: (Score:2)
The firm that counts the votes for the Academy Awards.