PwC Sends Legal Threats To Researchers Who Found Critical Security Flaw (zdnet.com)
An anonymous reader quotes a report from ZDNet: A security research firm has released details of a "critical" flaw in a security tool, despite being threatened with legal threats. The advisory said that an attacker could "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," which could result in "fraud, theft or manipulation of sensitive data," as well as the "unauthorized payment transactions and transfer of money." An attacker could also add a backdoor to the affected server, the advisory said. The researchers contacted and met with PwC in August to discuss the scope of the flaw. As part of its responsible disclosure policy, the researchers gave PwC three months to fix the flaw before a public advisory would be published. Three days later, the corporate giant responded with legal threats. A portion of the cease-and-desist letter, seen by ZDNet, said that PwC demanded the researchers "not release a security advisory or similar information" relating to the buggy software. The legal threat also said that the researchers are not to "make any public statements or statements to users" of the software. The researchers told PwC that they would publicly disclose their findings once the three-month window expires, which is in line with industry standard disclosure practices. That was when PwC hit the security firm with a second cease-and-desist letter. Undeterred, the researchers released a security advisory a little over two weeks later.
comment!: Typical for incapable companies to threaten with lawsuits because they can't be bothered to actually do their job!
...are lawyers cheaper than developers?
Or is the Higher Management unable to think in any other way because they are only lawyers themselves??
Well this company completely missed the memo regarding the Streisand effect. This company obviously thought that using lawyers and burying the truth was cheaper than fixing the problem. Now, not only will they have to fix the problem, their users will be aware of the fact that the company tried to hide it from the users of the software. Talk about damage of trust. This company may also get hammered in court with anti-SLAPP penalties from the company they were threatening. Hopefully, this ends up being a very costly bout of stupidity making the company think twice about doing it again.
"Be particularly skeptical when presented with evidence confirming what you already believe." -
I believe the timeline in the summary doesn't properly convey the time lapsed between contact. As far as I can tell they released their advisory 6 days ago on the 7th with the id ESNC-2041217.
FTA: The Researchers first met with PwC in August about this vulnerability. The Advisory was released December 7th. September...October...November... yep. That's three full months since the initial meeting with the only correspondence given by PwC is a series of C&Ds. Not even a "Please don't disclose this yet, we need more time to fix."... I only see this as PwC are the assholes in the equation. Also, second link in the summary is the full advisory without the need for contact info.
According to the advisory itself: 19.08.2016 PwC contacted 22.08.2016 Meeting with PwC, informed them about the impact and the details of the vulnerability and responsible disclosure 05.09.2016 Asked PwC about updates and whether a patch is available 13.09.2016 Received a Cease & Desist letter from PwC lawyers 18.11.2016 Informed that 90 days have passed and ESNC is planning to release a security advisory; asked for any details PwC can share about this matter including risk, affected versions, how to obtain a patch 22.11.2016 Received another Cease & Desist letter from PwC lawyers 07.12.2016 Public disclosure
- 2 weeks later, advisory is released - not seeing 3 months in this timeframe?
Looks like both sides are assholes!
It seems that PWC said nothing about actually fixing the flaw. In fact, their immediately adversarial stance could be construed as an indication that they might not fix the problem in good time, and perhaps not at all. In this case, early disclosure by the security researchers could be viewed as a mitigative strategy, since there was a good chance that criminal hackers would have discovered the flaw and taken advantage of it before PWC did anything about it.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
Fair question where the authors got the software if they didn't have a license. Just because you're a security researcher doesn't give you carte blanche to pirate.
They should've released it as soon as the C&D came in, and attached the C&D to it while saying "We discovered a security hole and instead of fixing it, they threatened us."
Captcha: Prompt
It is apparently some sort of big accounting firm.
Working as intended.
I doubt I am the only one now heading to rtfa and prepping some bank accounts for unexpected influx of funds.
Thanks PwC. you rock.
They don't deserve otherwise. Those parasites (who prefer to invest into the appearance of doing their job instead of actually doing their damned job) should disappear from the market.
Q: "Why didn't you build the hospital to withstand a mid-sized hurricane?"
A: "Your honor, we sued weather report, if we win, they are going to pay all the patient's relatives"
I was thinking along these lines. It would have been right to release the advisory upon receipt of the second (if not the first) C&D. By responding with that, and ONLY that, they pretty much declare themselves as not having a good faith intent to fix it.
As it turns out though, they still gave them the benefit of the doubt and waited the full three months.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
dates too hard to read; stopped trying
For an accountant firm, they have a lot to learn about accountability.
It doesn't have to be like this. All we need to do is make sure we keep talking.
dates too hard to read; stopped trying
You wouldn't be American by any chance would you? Just to help you out I've provided a translation for you.
8/19/2016 PwC contacted
8/22/2016 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
9/5/2016 Asked PwC about updates and whether a patch is available
9/13/2016 Received a Cease & Desist letter from PwC lawyers
11/18/2016 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
11/22/2016 Received another Cease & Desist letter from PwC lawyers
12/7/2016 Public disclosure
I am Slashdot. Are you Slashdot as well?
Yes, I agree, being stupid is hard.
Geez, me as an American can read the original posted dates. The one claiming they can't read and then stopped is just plain LAZY.
This is likely going to be very expensive for the security researchers, as PricewaterhouseCoopers have deep pockets and a history of shady litigations.
Assholes like PwC are why most security researchers don't bother with responsible disclosure. It is by far much safer to anonymously dump it to pastebin.
Nope, they employ a lot of PHBs.
Facts, I thought we voted in the incoming president, so we could choose our own? It is not misinformation, it is carefully crafted fantasy, uh, reality. What did facts do for anyone? I mean, where's the money? ;-)
USA American attention span: 3 lines, 5 words each.
Canadian American attention span: Moose
Now the dates became unreadable.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
You Americnas really should get with the rest of the world.
Feet, inches and pounds, not forgetting your silly Pint and gallon measure should go the way of the Dodo.
As for your backards way of specifying dates.... Sheesh.
There is probably a conscientious developer that wanted to work on this the day it was discovered but the company thought the cheaper track was to bury it, and now he's probably going to be fired and implicated as the reason the bug existed, or worse, wasn't patched.
Is to treat security researchers that are working with you responsibly like shit
Can you try that again in ISO 8601?
Geez, me as an American can read the original posted dates. The one claiming they can't read and then stopped is just plain LAZY.
The only thing the original post was missing was being done in all lower case, and omitting punctuation.
Part of communications is communicating, and if someone can't be bothered to make sentences and paragraphs readable without a lot of effort, then some folks might not vother to read them.
Case in point, the original took me about 10 seconds to parse, the cleaned up version, done in proper chronological paragraph order took perhaps a second to read.
Lazy? perhaps the lazy one was the OP.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
It looks like the vulnerability is in a PwC product called ACE, which analyzes SAP security settings.
The flagship product of the security firm that produced the disclosure appears to be "ESNC Security Suite", which from what I could tell appears to be a competing product.
While I definitely support security research and responsible disclosure, it makes me a little uncomfortable that it appears this security firm could have chosen to target and test the PwC software because it is a competitor to software they produce.
Sued for telling the truth and giving fair warning...
Fixed it for you:
2016-8-19 PwC contacted
2016-8-22 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
2016-9-5 Asked PwC about updates and whether a patch is available
2016-9-13 Received a Cease & Desist letter from PwC lawyers
2016-11-18 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
2016-11-22 Received another Cease & Desist letter from PwC lawyers
2016-12-7 Public disclosure
Obligatory: https://xkcd.com/1179/
" an attacker could "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," which could result in "fraud, theft or manipulation of sensitive data," as well as the "unauthorized payment transactions and transfer of money." An attacker could also add a backdoor to the affected server, the advisory said."
Then legal threats
Perhaps we could use a little deductive reasoning to conclude that this was not a flaw, but a critical feature of the software that some folks didn't want getting out?
Financial history is full of interesting accounting tricks.
BTW: "vother" != "bother" :P
Geez, me as an American can read the original posted dates. The one claiming they can't read and then stopped is just plain LAZY.
Lazy is the kindest word you can use. A number of others come to mind, all of which are probably closer to the truth, but a little harsh.
Who the fuck is/are PwC?
It should be made a criminal offence, worded such that it can't be offloaded on the shareholders' pockets by means of a fine or settlement, to deter any security firm or white hat hacker that gives proper notification of a security flaw from publishing a security advisory after 90 days have expired from the moment of notification. That means responsible executives (or lawyers) will go to federal prison if this can be proven, whether they "knew about it" or not (to protect "junior staffers"). The public needs to be protected, this will force the provider to fix the issue within 3 months, or else the users will be informed... while also making the provider liable for potential losses (heh, borrowed that from the copyright industry) for as long as no effective fix has been published. Yes, the "potential losses" was no joke, as if an ATM network needs to be brought down for a week, that's a lot of potential losses right there at $2 / transaction. Effective fix means: mitigate the security threat but keep functionality, so a "just turn the damn thing off fix" is not a fix.
When the copyright term is "forever minus a day", live every day like it's the last.
This is why you're better off selling the vulnerabilities to hackers. Doubly true when dealing with sleaze bags like PWC.
> It should be made a criminal offence
100% agreed.
> such that it can't be offloaded on the shareholders' pockets
Oh, no. Shareholders get to suffer part of the risk, that's OK. They should *learn* to invest wisely, and if they are in the market, they should learn by market means. If some CEO psychopath at the helm lied to them it's up to them to sue the ass off said CEO.
I have *no* sympathy for shareholders who just choose by maximizing their speculative profits with no regards to ethics. They should be shredded to pieces by the same maelstrom which they feed in the first place.
Too many self-proclaimed security experts are big time bullshitters. They want high consulting fees and will spend as many hours as they can "analyzing". But in the end they don't do squat and the system is still not properly secured. I've seen them milk a company for months before they get kicked out and drive away in their Mercedes.
A really good security consultant is worth what they cost. But unless you're an expert yourself you have no way of knowing if the guy you're hiring knows anything.
... then exploit the flaw, and release sensitive data to the victims, attached with the PwC behavior regarding their product's security. Get popcorn and enjoy the mess.
"The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients."
That sounds carefully worded to discredit the researchers. After PwC releases a patch, of course the current version is not what is referenced in the advisory.
1) Discover the magic phrase that makes large corporations destroy their stock value in this way
2) Use it
3) Profit!!!!
Requiem for the American Dream
You Americnas really should get with the rest of the world.
Feet, inches and pounds, not forgetting your silly Pint and gallon measure should go the way of the Dodo.
As for your backards way of specifying dates.... Sheesh.
While you post (poorly!) in Americanized English.
I note you're not posting in German or Russian.
YOU'RE FUCKING WELCOME!
No, we have people that think that the point of a post is to communicate something. There's no "nazi" element here, it's completely practical. Above is right. The original post was hard to read, primarily because of formatting. The new one is far easier.
Thanks OzPeter.
USA American attention span: 3 lines, 5 words each.
Canadian American attention span: Moose
Correction:
Canadian attention span: 4 lines, 3 defensive pairs, 2 goalies
In an email, a spokesperson for PwC acknowledged the existence of the vulnerability and confirmed that it had been fixed.
The spokesperson also said in separate prepared statement: "The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients."
It seems the article does a poor job of being impartial. Despite the above quotes, they continue with:
It's far from the first time that a security firm or its researchers have faced the wrath from a company that fights instead of fixes.
I am not sure what to make of this since there is still too much information being withheld from both PwC and the article and ESNC.
Part of communications is communicating
Wise words, my friend.
/hat tip
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Thanks for correcting the OP, now it makes sense since the month and day were obviously transposed by accident.
At this point having worked on a number of international websites I just always use ISO 8601 for dates everywhere ...
YYYY-MM-DD
pretty unambiguous for everyone and pretty much universally understood.
It stands for penetration testing, like what the Big Bad Wolf was hired to do in the short story "The Three Little Pigs".
makers of turbine engines for helicopters and the AW-609...
FYI, you have the month and day reversed. The correct formatting should be MM/DD/YYYY.
So now we have punctuation nazis that have sprouted from all the grammer nazis?
It's "grammar", not "grammer".
Hi, I'm a "reading the fucking post before you respond Nazi".
The OP was missing punctuation, case, AND NEWLINES.
So I guess he's a "screwed up everything but the spelling" Nazi.
Gamingmuseum.com: Give your 3D accelerator a rest.
Besides ... patching the software is never a permanent solution. Anarchist sympathisers will burrow into the system until they've found another vulnerability. And another. And another.
Best to attack the problem at its root: sue anyone who publishes a leak out of existence. That will also deter malfeasants, right?
The standard should be: 3 months before release. Legal threats means immediate release + a nicely written proof of concept any script kiddy can work with.
It went very smooth.
So they ask for a name and e-mail to receive the advisory, which also puts you on a subscription list for other advisories in the future.. and that's a problem how? Ya know you can always put in a fake name, and even go so far as to create a temporary e-mail for the purpose of registering for it, right? It's not like they're making you create an account with a password or something to access this information. You make it sound like there's a bunch of hoops you have to jump through to receive this information.
Exaggerating much?
It just points out that we are all human and we all can make mistakes.
Yes, I no.
That's a carefully-worded way of saying we've fixed it now and it's our customers' fault if they get hacked because they haven't patched their systems. There might be something in the release notes about this vulnerability but we're not going to make a fuss and draw attention to it.
wait a minute ... does 2016-8-19 come before or after 2016-12-7? I think you are missing a leading 0 somewhere ...
From the tone of PwC's response it's *obvious* they wanted to keep it secret. And use it to bypass any accountability measures, which are really a veneer of legitimacy if this "bug" is what it purports to be.
Actually fixed it for you:
2016-08-19 PwC contacted
2016-08-22 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
2016-09-05 Asked PwC about updates and whether a patch is available
2016-09-13 Received a Cease & Desist letter from PwC lawyers
2016-11-18 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
2016-11-22 Received another Cease & Desist letter from PwC lawyers
2016-12-07 Public disclosure
Nope, no sig
I love the responses PWC gave.
"ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff,"
In other words, trying to discredit them. There is nothing in that about the flaw not being real.
But the one that had me laughing at the spin was:
"The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients."
Makes it sound like it's an old version that wasn't in use much anymore. But it was announced AFTER the fix. So publish the fix, which is now the "current version of the software" and since it's published "is available to all of our clients.". But really, that doesn't mean that most of your clients are running the patch, it silently sidesteps the whole thing.
And the final one:
"The bulletin describes a hypothetical and unlikely scenario -- we are not aware of any situation in which it has materialized,"
Yes, I would expect access to an admin account not to be listed on the main menu, I can believe it's an unlikely scenario. It's not actually hypothetical if it's been done by the security firm, so that part is a lie. The "we are not aware of any situation in which it has materialized" just means "we didn't catch it".
LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
No the correct formatting is YYYY/MM/DD. That's the only one that sorts correctly.
I think we've pushed this "anyone can grow up to be president" thing too far.
and named security companies should simply report what they see on pastebin. fuck all this legality bullshit.
This is Slashdot. Really fixed it for you.
1471593600 PwC contacted
1471852800 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
1473062400 Asked PwC about updates and whether a patch is available
1473753600 Received a Cease & Desist letter from PwC lawyers
1479456000 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
1479801600 Received another Cease & Desist letter from PwC lawyers
1481097600 Public disclosure
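The three "fixed it for you" rewrites above (US slashes, unpadded ISO, zero-padded ISO, then Unix timestamps) are a nice illustration of why date formats matter in a disclosure timeline. The following is an added example, not code from any commenter, from ESNC or from PwC: it parses the advisory's dotted dates, the US-style ones and the ISO ones to the same value, checks the 90-day window the thread argues about, shows why the unpadded "2016-8-19" variant does not sort, and compares the posted Unix timestamps against midnight UTC. The date strings and the epoch numbers are copied from the thread; the helper names are my own.

```python
"""Normalise the disclosure timeline quoted in this thread and check the
90-day window.  Added example; date strings and epoch figures are taken
from the thread, function names are assumptions of this example."""
import re
from datetime import date, datetime, timezone

# Timeline as quoted from the advisory (DD.MM.YYYY), constructed from the thread.
TIMELINE_DMY = [
    ("19.08.2016", "PwC contacted"),
    ("22.08.2016", "Meeting with PwC"),
    ("05.09.2016", "Asked PwC about updates / patch"),
    ("13.09.2016", "First Cease & Desist letter"),
    ("18.11.2016", "Informed PwC that 90 days have passed"),
    ("22.11.2016", "Second Cease & Desist letter"),
    ("07.12.2016", "Public disclosure"),
]

# Unix timestamps one commenter posted for the same seven events.
POSTED_EPOCH = [1471593600, 1471852800, 1473062400, 1473753600,
                1479456000, 1479801600, 1481097600]

# Each pattern maps its capture groups to (year, month, day).  The separator
# decides the convention: '-' is ISO 8601, '.' is European day-first,
# '/' is taken as US month-first, as in the thread's "8/19/2016".
_PATTERNS = [
    (re.compile(r"^(\d{4})-(\d{1,2})-(\d{1,2})$"), lambda m: (m[1], m[2], m[3])),
    (re.compile(r"^(\d{1,2})\.(\d{1,2})\.(\d{4})$"), lambda m: (m[3], m[2], m[1])),
    (re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{4})$"), lambda m: (m[3], m[1], m[2])),
]


def parse_date(text):
    """Return a date for an ISO, dotted European, or slashed US string."""
    for pattern, order in _PATTERNS:
        m = pattern.match(text.strip())
        if m:
            year, month, day = (int(x) for x in order(m))
            return date(year, month, day)
    raise ValueError(f"unrecognised date format: {text!r}")


def to_iso(text):
    """Zero-padded YYYY-MM-DD; this is the form that sorts as plain text."""
    return parse_date(text).isoformat()


def days_between(start, end):
    """Calendar days from start to end, in any of the accepted formats."""
    return (parse_date(end) - parse_date(start)).days


def iso_sorts_correctly(strings):
    """True if a plain string sort of these dates matches chronological order."""
    return sorted(strings) == sorted(strings, key=parse_date)


def to_epoch_utc(d):
    """Unix time of midnight UTC on the given date."""
    return int(datetime(d.year, d.month, d.day, tzinfo=timezone.utc).timestamp())


def normalised_timeline():
    """The advisory timeline rewritten in ISO 8601."""
    return [(to_iso(when), what) for when, what in TIMELINE_DMY]


def epoch_offsets():
    """Seconds by which each posted timestamp differs from midnight UTC.
    A constant offset means the poster used midnight in a fixed local zone."""
    return [posted - to_epoch_utc(parse_date(when))
            for (when, _), posted in zip(TIMELINE_DMY, POSTED_EPOCH)]


if __name__ == "__main__":
    for when, what in normalised_timeline():
        print(when, what)
    print("days from first contact to 90-day notice:",
          days_between("19.08.2016", "18.11.2016"))
    print("days from meeting to public disclosure:",
          days_between("22.08.2016", "07.12.2016"))
    print("unpadded ISO sorts correctly:",
          iso_sorts_correctly(["2016-8-19", "2016-12-7"]))
    print("posted epoch minus midnight UTC (s):", epoch_offsets())
```

Run stand-alone it prints the ISO timeline, 91 days from first contact (88 from the meeting) to the 90-day notice, 110 days (107) to disclosure, and a constant 28800-second gap between the posted timestamps and midnight UTC, i.e. the poster computed midnight in a UTC-8 zone rather than UTC, which is exactly the ambiguity a full ISO 8601 timestamp with a zone designator avoids.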
You know, a simple "Thank you for finding this flaw in our product. Here is a $check as our thank you for finding this and reporting it before the $BadGuys exploited it."
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
So now we have punctuation nazis that have sprouted from all the grammer nazis?
BTW: "vother" != "bother" :P
Don't be a dumbass. My comments are that possibly the guy had something interesting to say, so putting his thoughts down as something that is easily readable and digestible is a great way to get your point across.
Spelling errors? I don't really care about those.
But when I look at something, and have to consider if it was worth reading or not, it doesn't get read as often.
I thought it might have been good advice, as I do doubt that many of us type out posts that we don't want to be read. Especially in a list form.
An example is what I posted done in the same manner as what he did:
Don't be a dumbass. My comments are that possibly the guy had something interesting to say, so putting his thoughts down as something that is easily readable and digestible is a great way to get your point across. Spelling errors? I don't really care about those. But when I look at something, and have to consider if it was worth reading or not, It doesn't get read as often.I thought it migh have been good advice, as I do doubt that many of us type out posts that we don't want to be read. Especially in a list form.
Yes, you are correct. However, when critiquing someone else, it is always a good thing to check our own. Right?
It just points out that we are all human and we all can make mistakes.
Cthulu on a skateboard!
So what you are saying is that my spelling error completely made my post incorrect, but my pointing out that the guy wrote a paragraph of what should have been several paragraphs was improper and incorrect as well? Which made my post not only incorrect, but made your post pointing out that my post was incorrect, made yours proper and correct?
You can't have it both ways, and when calling other people Nazis, perhaps you are simply seeing a reflection of your own face in a mirror.
Now let old Uncle Ol give ya a little schooling. Because although I think your heart is in the right place, but your ideas of spelling and grammer Nazis are a-makin ya look like a severe dumfuk.
You called me a Nazi after I offered some constructive criticism. Yeah, I wasn't calling the guy stupid or names, just that maybe more people would read what he had to write if he formatted it differently.
Kinda as if I thought maybe he had something to say, and I was being helpful, so more people would read it. I certainly wasn't the only person who had issues. Indeed, most of us use new lines especially for numbered lists.
Next up, you come in like Underdog saving Pretty Polly from Simon Bar Sinister, calling me a Nazi, and ridiculing my misspelling of "bother", substituting the B with a V. And using that typo as some sort of accusation of not only being a Nazi, but of engaging in hypocrisy as well.
There is a subtle difference there, between constructive criticism and you conforming to the very definition of a person who tries to negate someone's argument by drawing attention to what they typed.
Just some constructive criticism for you, with a bit more forcefulness, since you seem to be hung up a little on dis mattah, and not takin' telling like a big boy should.
Now go forth, and sin no more.
I thought it was hat trick.