PwC Sends Legal Threats To Researchers Who Found Critical Security Flaw

An anonymous reader quotes a report from ZDNet: A security research firm has released details of a "critical" flaw in a security tool, despite being threatened with legal threats. The advisory said that an attacker could "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," which could result in "fraud, theft or manipulation of sensitive data," as well as the "unauthorized payment transactions and transfer of money." An attacker could also add a backdoor to the affected server, the advisory said. The researchers contacted and met with PwC in August to discuss the scope of the flaw. As part of its responsible disclosure policy, the researchers gave PwC three months to fix the flaw before a public advisory would be published. Three days later, the corporate giant responded with legal threats. A portion of the cease-and-desist letter, seen by ZDNet, said that PwC demanded the researchers "not release a security advisory or similar information" relating to the buggy software. The legal threat also said that the researchers are not to "make any public statements or statements to users" of the software. The researchers told PwC that they would publicly disclose their findings once the three-month window expires, which is in line with industry standard disclosure practices. That was when PwC hit the security firm with a second cease-and-desist letter. Undeterred, the researchers released a security advisory a little over two weeks later.

first

comment!: Typical for incapable companies to threaten with lawsuits because they can't be bothered to actually do thir job!

Re:first

Their job? Their job is to make money. Sometimes fixing large scale problems costs money. I guess threating with a law suit is actually closer to "doing their job" than you think.

Re:first

[geekmux]

Their job? Their job is to make money. Sometimes fixing large scale problems costs money. I guess threating with a law suit is actually closer to "doing their job" than you think.

Reputation have an impact on the job of making money. So does ethics.

Perhaps one day failing companies will pull their head out of their lawyers ass and realize that.

Re:first

Reputation have an impact on the job of making money. So does ethics.

Not in the US they don't. Microsoft, Apple, Verizon, the list goes on.

Re:first

" Reputation have an impact on the job of making money. So does ethics. "

How's the weather in 1954, gramps? Ethics went the way of tailfins...

Re:first

[Shoten]

A larger bit of context here is that this wasn't a business unit that makes hockey pucks. This was a business unit that is involved in cybersecurity. So for them to show ignorance of how things should be done with regard to this...ugh.

On the other hand, PwC is a partnership organization, not a corporation. As such, a lot of control is decentralized; partners are responsible for the business beneath them and while that responsibility does run upwards, with every step up there's an order of magnitude by which detail is removed. So fundamentally this could be one guy getting his panties in a wad over things.

But still...he should know better.

Re:first

[WDubois]

Eh... As it happens, I like tailfins, too.

Re: first

PwC is a corporation formed in Delaware. (Shocker). First they incorporated the associates and senior associates and now they fly under PwC International in the US. SOURCE: used to work in the pen testing core team that developed Pwc's pen testing service offering.

Re: first

Also, fuck pwc. Fuck them all. I got fucking taken advantage of while I was there.

Re:first

Damn straight! The 1959 Caddy was the last time America Was Great

Re:first

And its job of the rest of the world to make damn sure that doing the ethical thing brings in more money than doing the unethical thing.

Re: first

[stealth_finger]

pen as in a pen or is that supposed to be short for something?

Re:first

[K.+S.+Kyosuke]

Their job? Their job is to make money.

One would from this anecdote think that their job is sending legal letters... Which it probably is.

Re: first

Don't suppose there's much money in testing pens ;)

Re: first

Google "pen testing".

Best regards,
Pen Tester

Re: first

[parkinglot777]

pen as in a pen or is that supposed to be short for something?

Or if you are lazy, 'pen' comes from 'penetrate'. If you corporate the word with cyber or Internet, you should now know what kind of testing they do (no pun!).

Re: first

[michelcolman]

So it's pencil pushers vs. pen testers

Re: first

[hawguy]

pen as in a pen or is that supposed to be short for something?

Duh, it should be obvious from the context. PwC is an accounting firm. Accounting firms use a lot of pens. It would be ludicrous to give an accountant a non-functional pen, so they have a pen testing division that runs each pen through a battery of tests before they deploy it to an accountant.

Re:first

[geekmux]

Reputation have an impact on the job of making money. So does ethics.

Not in the US they don't. Microsoft, Apple, Verizon, the list goes on.

Those aren't companies. Those are MegaCorps who lobby in order to ensure they win every time, because they're now Too Big to Fail.

Ain't legal precedent a bitch...

Re:first

[geekmux]

" Reputation have an impact on the job of making money. So does ethics. "

How's the weather in 1954, gramps? Ethics went the way of tailfins...

So, you're saying we need to bring back ethics and tailfins? I'll go with that.

Re: first

Woooooooosh

Re: first

Threatening security researchers like this is going to make themoney a lot less profitable though. The next person who finds a flaw won't bother working with them. They will just release it immediately. The resulting crisis will be repeated multiple times. It will cost a lot more than being professional about it would cost them.

Re: first

It's short for penis testing. You know, like your gym coach used to give you every Wednesday back in middle school.

Re:first

[UnknownSoldier]

Exactly.

When you can't innovate, litigate!

Re: first

[dasgoober]

Penetration + Internet = Porn

Re:first

[Shikaku]

I'm pretty sure that lawyers aren't cheap. Maybe I am wrong in saying that they could use their staff of coders to fix this problem, or if necessary buy a security audit and assistance, but I'm pretty sure either would be cheaper than lawyers. Data breaches are also far more expensive than all of those, pushing millions of dollars in recovery costs.

Re:first

[AutodidactLabrat]

Not really, given the threat now makes this vulnerability known to one and all

Re: first

[stealth_finger]

Makes sense.

Re: first

[abmw]

oh yeah, this world is ready for what-ever comes...."Pen? Testing, click click? squiggle, pass".

Re:first

[lsatenstein]

comment!: Typical for incapable companies to threaten with lawsuits because they can't be bothered to actually do thir job!

I would say that a "They are bothered and concerned and want to fix it but, the author of that module no longer works for them and they can't find the staff with the in-depth knowledge of that particular module. If the analyst person can't understand the module, he will not understand the security flaw. And the search to find the competent individual is at least a three month job. That's my take on this subject.

Re:first

[RockDoctor]

I would say that a "They are bothered and concerned and want to fix it but, the author of that module no longer works for them

R-arrange these words : "shit" and "tough".

Surely the minute that the author of that module handed in their notice, his managers should have started the search process (internally and externally) for someone to grok the departed person's work and get up to speed. Oh, and they could try having a lower staff turnover rate by [insert 50 volumes of standard staff retention advice, which boils down to not treating staff like rancid turds].

Since when...

...are laywers cheaper than developers?

Or is the Higher Management unable to think in any other way because they are only laywers themselves??

Re:Since when...

[Big+Hairy+Ian]

For those of us who remember introducingmonday.co.uk (now sadly no longer there) just remember "We like donkeys"

Re:Since when...

...are laywers cheaper than developers?

Or is the Higher Management unable to think in any other way because they are only laywers themselves??

Lawyers aren't cheaper than developers. However management was likely gambling on lawyers being cheaper than the fallout from the disclosure--though they either missed the potential for public outcry or wrote it off as an externality.

Re: Since when...

They are not cheaper but you have them (and pay them) anyway so why not make them work a bit ?

Re:Since when...

[haruchai]

...are laywers cheaper than developers?

Or is the Higher Management unable to think in any other way because they are only laywers themselves??

I worked for a tech firm that was run by a lawyer; when the shit hit the fan during the dotcom meltdown, we found out the only ass that was covered was his.
While we were scrambling to find new jobs & pay bills, he went off to head up some board filled with other cunts like himself

Re:Since when...

1000 EUR/h or more vs. 100-500 EUR/h is the comparison. Sending a formulaic cease and desist shouldn't take more than 5 - 30 minutes. Fixing a deep vulnerability takes from a day to weeks of works, or more. So the lawyer route is cheaper until a customer sues for damages and liability insurance premiums rise.

Re:Since when...

[Luthair]

Well, for large companies they're already on staff sitting around trying to justify their position...

Re: Since when...

[Izuzan]

But, how much would it cost the company had some hacker waltzed into their system and started stealing information. Lawsuits at the end of the day can be hefty, especislly if they are a classaction suit.

Re: Since when...

I'm sure they don't do proper dogfooding with their products. Would that be the case, they would have a real incentive to fix the bugs instead of complaining about them.

Re: Since when...

But now they will incur a lot of increased developer costs and public relations crisis managment costs when their next vulnerability is not given to them in advance.

Re: Since when...

How much has it really cost any company (I mean the actual figures not the bullshit they use to put people in jail for years)? And how often does it really happen?

Nowadays DDoS extortion seems even more likely. If you take my company's info we'd either grumble or laugh at you or both. If you DDoS our sites or WAN connections we would be a lot more inconvenienced.

Millions of email accounts get leaked every year to the extent that hardly anyone cares anymore. I wouldn't care - those passwords aren't the same, nor do I even bother making them that secure, they're not stupidly obvious like "password" but seriously why bother making them so secure when the site itself is more likely to be pwned by hackers or the Gov?

Re:Since when...

[Frosty+Piss]

I worked for a tech firm that was run by a lawyer; when the shit hit the fan during the dotcom meltdown, we found out the only ass that was covered was his.
While we were scrambling to find new jobs & pay bills, he went off to head up some board filled with other cunts like himself.

In other words while you were looking for a new job, he did the same, and found one.

Re:Since when...

[haruchai]

"In other words while you were looking for a new job, he did the same, and found one"

He had this lined up before we knew the sky was falling. And he had quitely negotiated a nice parting gift for himself while 50 of us lost thousands in unpaid salary & benefits.
That detail only came to light years later when a couple of us finally were able to get our hands on some withheld company documents.

Streisand effect

[TheReaperD]

Well this company completely missed the memo regarding the Streisand effect. This company obviously thought that using lawyers and burying the truth was cheaper than fixing the problem. Now, not only will they have to fix the problem, their users will be aware of the fact that the company tried to hide it from the users of the software. Talk about damage of trust. This company may also get hammered in court with anti-SLAPP penalties from the company they were threatening. Hopefully, this ends up being a very costly bout of stupidity making the company think twice about doing it again.

Re:Streisand effect

[mwvdlee]

Companies like PwC cannot grasp the concept of a earning money and behaving ethically at the same time.
Many a head must have been scratched in trying to understand why their threats failed. "Did the researchers not understand they were being threatened?". "Why would they do the right thing if it could cost them money?". "It's almost decided to do what would be best for other people instead of themselves.".

Re:Streisand effect

Well this company completely missed the memo regarding the Streisand effect. This company obviously thought that using lawyers and burying the truth was cheaper than fixing the problem. Now, not only will they have to fix the problem, their users will be aware of the fact that the company tried to hide it from the users of the software. Talk about damage of trust. This company may also get hammered in court with anti-SLAPP penalties from the company they were threatening. Hopefully, this ends up being a very costly bout of stupidity making the company think twice about doing it again.

You speak as though you have never heard of "this company". They are one of the largest financial services companies in the world, and if they cared one jot about their reputation they would not be constantly mired in allegations of shady dealings. Have a look at their Wikipedia page, the largest section comes under the heading "Controversies".

Re:Streisand effect

They could not prevent the release of the information, but they will make sure that it won't happen again.

Re:Streisand effect

"Companies like PwC cannot grasp the concept of a earning money and behaving ethically at the same time."

You're not kidding there. I'd never heard of them but pulled up their wiki page. It's quite long. And a good half of it is dedicated to controversies and scandals. Almost all around financial fraud. How are these clowns not in prison?

Re:Streisand effect

The company's web site has a section on corporate responsibility which says

"Our purpose, to build trust in society and solve important problems...with trust at an all-time low across industries...it is critical that our purpose provides the foundation for our behaviors..."

http://responsible.pwc.com/reporting/index.html

Re:Streisand effect

[TheReaperD]

Actually, I didn't recognize it by the abbreviation they used in the summary. I had to Google the acronym to get the actual name. I thankfully have never had to deal much with the financial services sector so I am not as familiar with this company or its reputation. As far as I'm concerned they're all greedy self-serving bastards with no regards for anything except how much of someone else's money they get to swindle and take home today.

Re:Streisand effect

[TheReaperD]

Because only the plebs go to prison.

Re:Streisand effect

[The-Ixian]

That was quite enlightening. I never would have known about this company had it not been for this story.

These guys run with the big boys, it doesn't surprise me at all that their first response was legal action. As a matter of fact, I wouldn't be surprised if that is their first reaction to any bad news.

Re:Streisand effect

"Why would they do the right thing if it could cost them money?". "It's almost decided to do what would be best for other people instead of themselves.".

Right ...
Because security research is always altruistic ... It's never ever done to get publicity for the security researcher. That would be unthinkable!

Re:Streisand effect

[Hatechall]

PWC isn't really a financial company. Its mostly Audit and Consulting. For the uninitiated with the big [s]five[/s] four, they hire fresh grads and sell their services for $300/hr. This financial backing is how they became one of the largest conglomerates of firms in the world. If you aren't familiar with the fairly large imprint these consulting firms have worldwide, I would recommend you take a peek when you have a chance.

Re: Streisand effect

[Z00L00K]

Oh the irony...

Re:Streisand effect

[avgjoe62]

As far as I'm concerned they're all greedy self-serving bastards with no regards for anything except how much of someone else's money they get to swindle and take home today.

The Slahsdot Editors have announced that they are now looking for a new Financial News Correspondent.

Interestingly, a copy of the Encyclopedia Britanica's web page on Financial Services Companies from the year 2347 that, due to a temporal disturbance caused by the LHC, appeared on the screen of a Mrs. Trumble of Avon-by-the-Sea described those companies as "...all greedy self-serving bastards with no regards for anything except how much of someone else's money they get to swindle and take home today.

Re:Streisand effect

Yeah, they write that for the same reason that it was called the "German democratic republic".
Hint: It wasn't because the GDR was so democratic...

Re:Streisand effect

[gtall]

They know where everyone else's skeletons lie.

Re:Streisand effect

Have a look at their Wikipedia page, the largest section comes under the heading "Controversies".

Not for long. I'm sure some MBA will quickly advance that they need to hire a reputation management firm and all those controversies will be edited for tone by legions of barely-paid editors.

Re:Streisand effect

[NatasRevol]

They've made enough money to buy off the politicians who would create laws, and those who would prosecute them.

Re:Streisand effect

[stealth_finger]

Does it sound good?

Oh it sounds awesome!

Is it true?

Hmm, not really

Fuck it, send to print

Re:Streisand effect

[stealth_finger]

Yeah, they write that for the same reason that it was called the "German democratic republic". Hint: It wasn't because the GDR was so democratic...

So what? You're suggesting the DPRK isn't democratic, a republic or for the people?

Re:Streisand effect

they just didn't know that there are plenty of options e.g. outsource, hire H1B coders, make an offer to Microsoft, then hire their lawyers. Their imagination is rather limited. Today's captcha is 'testing'; how apropos

Re:Streisand effect

[networkBoy]

HA!
It's their first reaction to *any* news including a curious lack of news.

"Good news sir!" -> Lawyers
"Bad news..." -> Lawyers
"Jeeves! I have not seen any news lately." -"I'll dial up the legal dept. sir."

Re: Streisand effect

[jjo]

Madoff went to prison, and will be there for the rest of his life. He was no "pleb".

Re: Streisand effect

THats because he ripped off other rich people.

Moral of the story: rip off the poor...profit. Rip off the rich...go to jail.

Re: Streisand effect

[gnunick]

Madoff went to prison, and will be there for the rest of his life. He was no "pleb".

The exception proves the rule, as they say.

Re: Streisand effect

[HiThere]

The meaning of "prove" in "The exception proves the rule" is tests. Prove has a long history outside of math, and the math meaning is a specialization. You can still consider a "proof" of a conjecture as a test of it, and that meaning works, and that's the origin of the use of proof in that context.

All that said, you can point to two or three rich and powerful people who ended up in jail, but you won't find many, and you'll find many that should have. So as a statistical measure, you can say rich people don't usually end up in jail even if they blatantly should.

Yes, I know I'm being nitpicky, but that phrase always bugs me.

Re:Streisand effect

[MeanE]

Explains some things. The floor before mine is a PwC office...everyone getting off on the floor looks well dressed and under 30. I think I know the two IT guys strictly by age and wardrobe alone.

Re:Streisand effect

The engagement letter that accounting firms have the companies sign before they begin work shields the accounting firm from a lot of liability. So long as the accounting firm uses due diligence and follows generally accepted practices, they are mostly shielded from audit failures.

Re:Streisand effect

The other side of that coin, which is forgotten in these civilized times, is that the kings and queens used to get it from a bladed weapon a lot easier. They die so that their people can live under the new rule.

Wait a second

- Researchers met with PWC, told them they had 3 months before the advisory is released
- 3 days leater, PWC sends cease and desist
- Researchers confirm 3 months
- Some unspecified time later (maybe another 3 days?) a new cease and dsist letter arrives
- 2 weeks later, advisory is released - not seeing 3 months in this timeframe?
- Advisory is on a product security sales page that requires contact info to view

Looks like both sides are assholes!

Re:Wait a second

I believe the timeline in the summary doesn't properly convey the time lapsed between contact. As far as I can tell they released their advisory 6 days ago on the 7th with the id ESNC-2041217.

Re:Wait a second

[RavenLrD20k]

FTA: The Researchers first met with PwC in August about this vulnerability. The Advisory was released December 7th. September...October...November... yep. That's three full months since the initial meeting with the only correspondence given by PwC is a series of C&Ds. Not even a "Please don't disclose this yet, we need more time to fix."... I only see this as PwC are the assholes in the equation. Also, second link in the summary is the full advisory without the need for contact info.

Re:Wait a second

[Hatechall]

According to the advisory itself: 19.08.2016 PwC contacted 22.08.2016 Meeting with PwC, informed them about the impact and the details of the vulnerability and responsible disclosure 05.09.2016 Asked PwC about updates and whether a patch is available 13.09.2016 Received a Cease & Desist letter from PwC lawyers 18.11.2016 Informed that 90 days have passed and ESNC is planning to release a security advisory; asked for any details PwC can share about this matter including risk, affected versions, how to obtain a patch 22.11.2016 Received another Cease & Desist letter from PwC lawyers 07.12.2016 Public disclosure

Re:Wait a second

[jenningsthecat]

- 2 weeks later, advisory is released - not seeing 3 months in this timeframe?

Looks like both sides are assholes!

It seems that PWC said nothing about actually fixing the flaw. In fact, their immediately adversarial stance could be construed as an indication that they might not fix the problem in good time, and perhaps not at all. In this case, early disclosure by the security researchers could be viewed as a mitigative strategy, since there was a good chance that criminal hackers would have discovered the flaw and taken advantage of it before PWC did anything about it.

Re:Wait a second

i doubt i am the only one now heading to rtfa and preping some bank accounts for unexpected influx of funds.

Thanks PwC. you rock.

Re: Wait a second

[Zero__Kelvin]

I was thinking along these lines. It would have been right to release the advisory upon receipt of the second (if not the first) C&D. By responding with that, and ONLY that, they pretty much declare themselves as not having a good faith intent to fix it.

As it turns out though, they still gave them the benefit of the doubt and waited the full three months.

Re:Wait a second

dates too hard to read; stopped trying

Re:Wait a second

[OzPeter]

dates too hard to read; stopped trying

You wouldn't be American by any chance would you? Just to help you out I've provided a translation for you.

8/19/2016 PwC contacted
8/22/2016 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
9/5/2016 Asked PwC about updates and whether a patch is available
9/13/2016 Received a Cease & Desist letter from PwC lawyers
11/18/2016 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
11/22/2016 Received another Cease & Desist letter from PwC lawyers
12/7/12.2016 Public disclosure

Re:Wait a second

Yes, I agree, being stupid is hard.

Re:Wait a second

[rholtzjr]

Geez, me as an American can read the original posted dates. The one claiming they can't read and then stopped is just plain LAZY.

Re: Wait a second

Facts, I thought we voted in the incoming president, so we could choose our own? It is not misinformation, it is carefully crafted fantasy, uh, reality. What did facts do for anyone? I mean, where's the money? ;-)

Re:Wait a second

Just to help you out I've provided a translation for you.

USA American attention span: 3 lines, 5 words each.

Canadian American attention span: Moose

Re:Wait a second

From TFA, the vulnerability has already been patched. The tool in question is used by audit teams to report on access in SAP systems. This is not commercially available software. That said, it's a pretty big flaw and hopefully PwC has actually been reaching out to clients that have it installed.

"The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients."

Re: Wait a second

[Z00L00K]

Now the dates became unreadable.

Re:Wait a second

You Americnas really should get with the rest of the world.
Feet, inches and pounds, not forgetting your silly Pint and gallon measure should go the way of the Dodo.
As for your backards way of specifying dates.... Sheesh.

Re:Wait a second

Can you try that again in ISO 8601?

Re:Wait a second

[Ol+Olsoc]

Geez, me as an American can read the original posted dates. The one claiming they can't read and then stopped is just plain LAZY.

The only thing the original post was missing was being done in all lower case, and omitting punctuation.

Part of communications is communicating, and if someone can't be bothered to make sentences and paragraphs readable without a lot of effort, then some folks might not vother to read them.

Case in point, the original took me about 10 seconds to parse, the cleaned up version, done in proper chronological paragraph order took perhaps a second to read.

Lazy? perhaps the lazy one was the OP.

Re:Wait a second

Fixed it for you:

2016-8-19 PwC contacted
2016-8-22 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
2016-9-5 Asked PwC about updates and whether a patch is available
2016-9-13 Received a Cease & Desist letter from PwC lawyers
2016-11-18 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
2016-11-22 Received another Cease & Desist letter from PwC lawyers
2016-12-7 Public disclosure

Obligatory: https://xkcd.com/1179/

Re:Wait a second

[rholtzjr]

So now we have punctuation nazis that have sprouted from all the grammer nazis?

BTW: "vother" != "bother" :P

Re:Wait a second

Geez, me as an American can read the original posted dates. The one claiming they can't read and then stopped is just plain LAZY.

Lazy is the kindest word you can use. A number of others come to mind, all of which are probably closer to the truth, but a little harsh.

Re:Wait a second

"The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients."

That sounds like carefully worded to discredit the researchers. After pwc releases a patch of course the current version is not what is referenced in the advisory.

Re:Wait a second

You Americnas really should get with the rest of the world.
Feet, inches and pounds, not forgetting your silly Pint and gallon measure should go the way of the Dodo.
As for your backards way of specifying dates.... Sheesh.

While you post (poorly!) in Americanized English.

I note you're not posting in German or Russian.

YOU'RE FUCKING WELCOME!

Re:Wait a second

No, we have people that think that the point of a post is to communicate something. There's no "nazi" element here, it's completely practical. Above is right. The original post was hard to read, primarily because of formatting. The new one is far easier.

Thanks OzPeter.

Re:Wait a second

[Zephyn]

Just to help you out I've provided a translation for you.

USA American attention span: 3 lines, 5 words each.

Canadian American attention span: Moose

Correction:

Canadian attention span: 4 lines, 3 defensive pairs, 2 goalies

Re:Wait a second

Part of communications is communicating

Wise words, my friend.

Re:Wait a second

[networkBoy]

/hat tip

Re:Wait a second

Thanks for correcting the OP, now it makes sense since the month and day were obviously transposed by accident.

Re:Wait a second

At this point having worked on a number of international websites I just always use ISO 8601 for dates everywhere
YYYY-MM-DD ...
pretty unambiguous for everyone and pretty much universally understood.

Re:Wait a second

FYI, you have the month and day reversed. The correct formatting should be MM/DD/YYYY.

Re:Wait a second

So now we have punctuation nazis that have sprouted from all the grammer nazis?

It's "grammar", not "grammer".

Re:Wait a second

[operagost]

Hi, I'm a "reading the fucking post before you respond Nazi".

The OP was missing punctuation, case, AND NEWLINES.

So I guess he's a "screwed up everything but the spelling" Nazi.

Re:Wait a second

[johanw]

The standard should be: 3 months before release. Legal threats means immediate release + a nicely written proof of concept any script kiddy can work with.

Re:Wait a second

[rholtzjr]

Yes, you are correct. However, when critiquing someone else, it is always a good thing to check our own. Right?

It just points out that we are all human and we all can make mistakes.

Re:Wait a second

[rholtzjr]

Yes, I no.

Re: Wait a second

That's a carefully-worded way of saying we've fixed it now and it's our customers' fault if they get hacked because they haven't patched their systems. There might be something in the release notes about this vulnerability but we're not going to make a fuss and draw attention to it.

Re:Wait a second

wait a minute ... does 2016-8-19 come before or after 2016-12-7? I think you are missing a leading 0 somewhere ...

Re:Wait a second

[drew_kime]

Actually fixed it for you:

2016-08-19 PwC contacted
2016-08-22 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
2016-09-05 Asked PwC about updates and whether a patch is available
2016-09-13 Received a Cease & Desist letter from PwC lawyers
2016-11-18 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
2016-11-22 Received another Cease & Desist letter from PwC lawyers
2016-12-07 Public disclosure

Re:Wait a second

[HiThere]

No the correct formatting is YYYY/MM/DD. That's the only one that sorts correctly.

Re:Wait a second

[thegarbz]

This is Slashdot. Really fixed it for you.

1471593600 PwC contacted
1471852800 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
1473062400 Asked PwC about updates and whether a patch is available
1473753600 Received a Cease & Desist letter from PwC lawyers
1479456000 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
1479801600 Received another Cease & Desist letter from PwC lawyers
1481097600 Public disclosure

Re:Wait a second

[Ol+Olsoc]

So now we have punctuation nazis that have sprouted from all the grammer nazis?

BTW: "vother" != "bother" :P

Don't be a dumbass. My comments are that possibly the guy had something interesting to say, so putting his thoughts down as something that is easily readable and digestible is a great way to get your point across.

Spelling errors? I don't really care about those.

But when I look at something, and have to consider if it was worth reading or not, It doesn't get read as often

I thought it might have been good advice, as I do doubt that many of us type out posts that we don't want to bet read. Especially in a list form.

An example is what I posted done in the same manner as what he did:

Don't be a dumbass. My comments are that possibly the guy had something interesting to say, so putting his thoughts down as something that is easily readable and digestible is a great way to get your point across. Spelling errors? I don't really care about those. But when I look at something, and have to consider if it was worth reading or not, It doesn't get read as often.I thought it migh have been good advice, as I do doubt that many of us type out posts that we don't want to be read. Especially in a list form.

Re:Wait a second

[Ol+Olsoc]

Yes, you are correct. However, when critiquing someone else, it is always a good thing to check our own. Right?

It just points out that we are all human and we all can make mistakes.

Cthulu on a skateboard!

So what you are saying is that my spelling error completely made my post incorrect, but my pointing out that the guy wrote a paragraph of what should hve been several paragraphs was improper and incorrect as well? Which made my post not only incorrect, but made your post pointing out that my post was incorrect, made yours proper and correct?

You can't have if both ways, and when calling other people Nazis, perhaps you are simply seeing a reflection of your own face in a mirror.

Now let old Uncle Ol give ya a little schooling. Because although I think your heart is in the right place, but your ideas of spelling and grammer Nazis are a-makin ya look like a severe dumfuk.

You called me a Nazi after I offered some constructive criticism. Yeah, I wasn't calling the guy stupid or names, just that maybe more people would read what he had to write is he formatted it differently.

Kinda as if I though maybe he had something to say, and I was being helpful, so more people would read it. I certainly wasn't the only person who had issues. Indeed, most of us use new lines especially for numbered lists.

Next up, you come in like Underdog saving Pretty Polly from Simon Bar Sinister, calling me a Nazi, and ridiculing my mispelling of "Bother', substituting the B with a V. And using that typo as some sort of accusation of not only being a nazi, but of engaging in hypocricy as well.

There is a subtle difference there, between constructive criticism and you conforming to the very definition of a person who tries to negate someone's argument by drawing attention to what they typed.

Just some constructive criticism for you, with a bit more forcefulness, since you seem to be hung up a little on dis mattah, and not takin' telling like a big boy should.

Now go forth, and sin no more.

Re:Wait a second

I thought it was hat trick.

Question

Do PwC employ a lot of H1Bs?

Re: Question

[Entrope]

Nope, they employ a lot of PHBs.

License is a fair question

[Luthair]

Fair question where the authors got the software if they didn't have a license. Just because you're a security researcher doesn't give you carte blanche to pirate.

Re:License is a fair question

They need a license to *use* it. Research is fair use, so go suck Walt Disney's mummified cock.

Re:License is a fair question

Like the hackers who would be really exploiting this would give a shit about a valid license.

Re: License is a fair question

[Zero__Kelvin]

So we gather you have zero experience in the field.

Re:License is a fair question

[Zak3056]

Fair question where the authors got the software if they didn't have a license. Just because you're a security researcher doesn't give you carte blanche to pirate.

The publishers appear to be focused on SAP environments, and the PWC software appears to be implemented as a module in SAP. If I had to guess, I'd say they were auditing one of their customers and found the vulnerability that way. If so, there are no license issues here.

Re:License is a fair question

Walt Disney's mummified cock.

I thought they injected it with formaldehyde?

Re:License is a fair question

[SecurityGuy]

Research is fair use

Citation needed. I'm pretty sure this is not true.

Re: License is a fair question

[Luthair]

I'm not a security researcher but I've been reviewing open source CVEs for 5-years.

Re:License is a fair question

[Luthair]

That was my guess also, but the fact they don't seem to immediately respond with it makes me question whether that is the case.

Re:License is a fair question

U.S. Code: Title 17, chapter 1, section 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.

Determination of fair use does take into account "the effect of the use upon the potential market for or value of the copyrighted work," but I doubt any argument to the effect that it isn't fair use to discover if something is an insecure, bug-ridden POS will get much of a hearing.

Re:License is a fair question

[parkinglot777]

Citation needed. I'm pretty sure this is not true.

It is not easy to determine fair use; however, for most part research is fallen into fair use category. However, most of the time, fair use is a case-by-case basis, so the issue may be tested in court. You can go here.

Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is a fair use, the factors to be considered shall include:

1. The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
2. The nature of the copyrighted work;
3. The amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
4. The effect upon the potential market for or value of the copyrighted work.The fact that a work is unpublished shall not by itself bar a finding of fair use if such finding is made upon consideration of all the above factors.

Re:License is a fair question

[Bratch]

I agree they must have been doing work for a client that has a license. If they had their own license, wouldn't the EULA prevent them from performing vulnerability research (hacking) on their software? Wouldn't their EULA prevent customers from allowing contractors to hack on the software? Sounds like a lot of lawyers are going to be involved.

Re: License is a fair question

Why is that relevant? Why is your original comment relevant. Even if they pirated the software and even if that can be proven, research done on the software is still not owned by PwC. They have no legal recourse to stop it.

Think of it this way, do art critics need to buy a licensed copy for their work? Film critics? You? Zero__Kelvin's post is owned by himself alone. Do you have a license that allows you to read it?

Hopefully that analogy will enlighten you as to how silly the idea of licensed research would be.

Re:License is a fair question

[SecurityGuy]

Huh. Well, ok, then. I stand corrected.

Re:License is a fair question

[tepples]

The owner of a lawfully made copy of a computer program has the right to load it into RAM as an essential step of using it. (17 USC 117(a)(1))

Re: License is a fair question

[PCM2]

Think of it this way, do art critics need to buy a licensed copy for their work? Film critics?

How about confidential financial document critics? Can they just grab anything they want?

Re: License is a fair question

[D00MSlayer]

You mean IRS Tax Auditors? Yes.

The research company in question wasn't looking at confidential documents if that's what you're hinting at. They were researching the program used for looking at financial information.

Re:License is a fair question

EULAs are not legal anywhere in the world. They are there to scare the little people that cannot afford a legal team.

Re:License is a fair question

[Zak3056]

It could be that their customers require NDAs (up to and including who they are working for). Of course, it could also be that they have a giant honking vsphere cluster that they run all manner of SAP instances on that are totally unlicensed. :)

Re:License is a fair question

[colinrichardday]

From Wikipedia:

Examples of fair use in United States copyright law include commentary, search engines, criticism, parody, news reporting, research, and scholarship.

https://en.wikipedia.org/wiki/...

Re:License is a fair question

Research is fair use in the US, but unfortunately it's only a defense in court and can't keep you from being sued.
Source: Am not a lawyer

No sympathy

They should've released it as soon as the C&D came in, and attached the C&D to it while saying "We discovered a security hole and instead of fixing it, they threatened us."

Captcha: Prompt

"PwC" is Price Waterhouse Coopers

[0xdeadbeef]

It is apparently some sort of big accounting firm.

Re:"PwC" is Price Waterhouse Coopers

PWC stands for Personal Water Craft aka JetSki. Everyone knows they are dangerous and easy to steal. I don't see what the big deal is.

Re:"PwC" is Price Waterhouse Coopers

It is apparently some sort of big accounting firm.

More like some sort of big unaccountable firm...

Re:"PwC" is Price Waterhouse Coopers

[uvajed_ekil]

Thank you. I know of PricewaterhouseCoopers and figured this wasn't about jetskis, but I was unaware of what PwC meant and the summary never actually spelled out the company's name. I don't trade companies like this (their symbol is PwC) and their logo is stylized as pwc, not PwC.

Re:"PwC" is Price Waterhouse Coopers

This, seriously. Won't someone think of poor Waterhouse here? He was a founding partner for Christ's sake!

Feature not bug.

Working as intended.

Hope some black hats eviscerate PwC

They don't deserve otherwise. Those parasites (who prefer to invest into the appearance of doing their job instead of actually doing their damned job) should disappear from the market.

Q: "Why didn't you build the hospital to whithstand a mid-sized hurricane?"
A: "Your honor, we sued weather report, if we win, they are going to pay all the patient's relatives"

Accountability

[Aethedor]

For an accountant firm, they have a lot to learn about accountability.

Re:Accountability

[HiThere]

This isn't the first, or worst, time Price-Waterhouse have featured in the news. I thought (and hoped) they had gone out of business after the time they hit national news for fraudulent work. I just wasn't aware the PwC was Price-Waterhouse or I wouldn't have been at all surprised ... and would have suspected that the bug was intentional.

The cost of doing the right thing

[sinij]

This will likely going to be very expensive for the security researchers, as PricewaterhouseCoopers have deep pockets and a history of shady litigations.

Assholes like PwC is why most security researchers don't bother with responsbile disclosure. It is by far much safer to anonymously dump it to pastebin.

Re:The cost of doing the right thing

How would it be expensive when PwC doesn't have a legal leg to stand on? Also while PwC may have a lot of money, so do their clients* and as these vulnerabilities start cutting deep and deeper into their pocketbooks, they'll fight back against any efforts by PwC and others to hide the truth.

*To paraphrase, your right to make money ends where my wallet begins.

Re:The cost of doing the right thing

[networkBoy]

How would it be expensive when PwC doesn't have a legal leg to stand on?

Because that does not stop them from suing you. And just the hearings to determine that they don't have a valid case will be enough to bury a mortal in legal bills that are impossible to pay off.

Re:The cost of doing the right thing

This will likely going to be very expensive for the security researchers, as PricewaterhouseCoopers have deep pockets and a history of shady litigations [wikipedia.org].

The right to ethical practice of law is an universal and inalienable right in any society based on the rule of law.

The right to ethics in business is an universal and inalienable right in any capitalist society.

Threatening somebody for finding a flaw in a product violates both rights. Any laws or precedents to the contrary are thus null and void.

Sooner or later, the kind of unethical scum that do this kind of thing will end up in a court that feels responsibility with respect to ethics issues, and will be savaged. Certainly a minimum penalty would include both disbarring the legal professionals involved, and preventing both the legal professionals and the executives from ever holding a position of public trust or responsibility again - including any executive positions with any business - and such a ruling would disallow the operation of any "golden parachutes".

Of course, any defendant might have trouble finding such a court in places like the USA, where unethical practice of law riddles the legal system, and associations of lawyers are allowed to make campaign contributions to the politicians that select judges ...

Re:The cost of doing the right thing

[Hognoxious]

There's a solution to that: loser pays.

The downside is that it's a bit cormanust.

What really sucks is...

[Last_Available_Usern]

There is probably a conscientious developer that wanted to work on this the day it was discovered but the company thought the cheaper track was to bury it, and now he's probably going to be fired and implicated as the reason the bug existed, or worse, wasn't patched.

One good way to get hacked

[oldcarsmell]

Is to treat security researchers that are working with you responsibly like shit

The security firm provides a competing product

[bongk]

It looks like the vulnerability is in a PwC product called ACE, which analyzes SAP security settings.
The flagship product of the security firm that produced the disclosure appears to be "ESNC Security Suite", which from what I could tell appears to be a competing product.

While I definitely support security research and responsible disclosure, it makes me a little uncomfortable that it appears this security firm could have chosen to target and test the PwC software because it is a competitor to software they produce.

Re:The security firm provides a competing product

Article says they were publicly credited for discovery of more than 100 vulnerabilities by SAP and others to date. I think you don't get the mindset of the security researchers at all. But I'd say you definitely have the pwc consultant material.

Re:The security firm provides a competing product

[rs1n]

They could have been credited with all known vulnerabilities but if they waited 3 months for all the other cases and not this one, then they are still suspect in my eyes. The lawsuit doesn't mean jack until they release the security advisory, so there was no reason not to sit on the 3 months waiting period.

Re:The security firm provides a competing product

[edtice1559]

There's a strong motivation to test a competing security company's products and find defects. Certainly something great to point out in a sales call. But I don't see why this is bad. If you're a security company, you should expect this. It's not just your competitors who are going to be looking hard. It's everybody. In this case a competitor disclosed responsibly. I don't think you can get a better outcome. Don't like it? Well first fix your flaw and then return the favor by helping audit your competitor's product!

Re:The security firm provides a competing product

[Aristos+Mazer]

They did sit on it for 3 months. Check the filing dates. First contact in August, release in December. Sept, Oct, Nov are the 3 months. There's a post up above from user OzPeter that extracted all the dates and laid them out in order.

Re:The security firm provides a competing product

Gag orders exist. They are given out to people with expensive lawyers pending future litigation. All PwC would have to argue is that there is a question of the legality of the information that must be ruled on and release of the information would do harm to PwC's reputation or finances. They could have sealed this up for a year or two filing additional briefs that would have to be reviewed by the court and pushed back the first date in court.

This scenario plays out in lawyers' offices every day.

Re:The security firm provides a competing product

The lawsuit doesn't mean jack until they release the security advisory,

I don't know what you mean. The cease and desist letter is text that transmits meaning as soon as it's received.

so there was no reason not to sit on the 3 months waiting period.

I think retaliating for lawsuits is fine, so long as the retaliation is legal. Maybe it's not the greatest pattern, but it's the one that allows big companies to survive within the software patent quagmire so there's precedent it can do good.

It's also a reasonable self-interested strategy because dealing with legal process may be unaffordable or outside their core expertise. If you wait, you will be internally compelled to do something during that waiting period: pay for legal advice, or distract yourself with "discussion."

Finally, IANAL, but it feels like having a "policy" often gets exploited for legal advantage because an agent following a "policy" has no intent, and proles are often sympathetic or resigned toward the original intent of the policies themselves more so than the deliberate actions of a leader. This is not entirely unfair because the policy being published in advance makes it more clear what can and can't be an input to the policy. Instead of trying to micro-intuit motives and discover a bunch of internal emails to reverse-engineer "intent" or play embarrassing words to the jury box peanut gallery, there is no intent just a policy. Evaluate if the policy is legal, end of story. A bunch of other potential courtroom discussion points fall away. It is like a sandbox-ish strategy for defending against legal exploits and sophistry.

seems their policy is "wait 3 months." But I'd be fine with a policy, "disclose immediately on the first legal threat," too.

Re:The security firm provides a competing product

[tlhIngan]

While I definitely support security research and responsible disclosure, it makes me a little uncomfortable that it appears this security firm could have chosen to target and test the PwC software because it is a competitor to software they produce.

This is standard in any competitive market - the competitors ALWAYS purchase and evaluate their competitor's products. Ford, GM and Chevy all buy each other's cars and trucks to evaluate and figure out what works, what doesn't work, what can be improved and that feedback goes into next year's model. Microsoft and other companies all buy Apple's products (and Apple probably has a huge collection of Android phones and PCs) for the same reason.

Everyone is constantly evaluating everyone else's product. And it's perfectly legal - if it's available for sale, one of the first customers in the lineup will be your competitor purchasing it.

Sigh...

[ledow]

Sued for telling the truth and giving fair warning...

Hmmmmm

[Ol+Olsoc]

From the article:

" an attacker could "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," which could result in "fraud, theft or manipulation of sensitive data," as well as the "unauthorized payment transactions and transfer of money." An attacker could also add a backdoor to the affected server, the advisory said."

Then legal threats

Perhaps we could use a little deductive reasoning to conclude that this was not a flaw, but a critical feature of the software that some folks didn't want getting out?

Financial history is full of interesting accounting tricks.

Who?

Who the fuck is/are PwC?

Re:Who?

Consultants that sell you dreams...

Re:Who?

[colinrichardday]

The firm that counts the votes for the Academy Awards.

Criminal offence

[CanEHdian]

It should be made a criminal offence, worded such that it can't be offloaded on the shareholders' pockets by means of a fine or settlement, to deter any security firm or white hat hacker that gives proper notification of a security flaw from publishing a security advisory after 90 days have expired from the moment of notification. That means responsible executives (or lawyers) will go to federal prison if this can be proven, whether they "knew about it" or not (to protect "junior staffers"). The public needs to be protected, this will force the provider to fix the issue within 3 months, or else the users will be informed... while also making the provider liable for potential losses (heh, borrowed that from the copyright industry) for as long as no effective fix has been published. Yes, the "potential losses" was no joke, as if an ATM network needs to be brought down for a week, that's a lot of potential losses right there at $2 / transaction. Effective fix means: mitigate the security threat but keep functionality, so a "just turn the damn thing off fix" is not a fix.

Sell to the highest bidder next time

[entropy01]

This is why you're better off selling the vulnerabilities to hackers. Doubly true when dealing with sleaze bags like PWC.

Shareholders?

> It should be made a criminal offence
100% agreed.

> such that it can't be offloaded on the shareholders' pockets
Oh, no. Shareholders get to suffer part of the risk, that's OK. They should *learn* to invest wisely, and if they are in the market, they should learn by market means. If some CEO psychopath at the helm lied to them it's up to them to sue the ass off said CEO.

I have *no* sympathy for shareholders who just choose by maximizing their speculative profits with no regards to ethics. They should be shredded to pieces by the same maelstrom which they feed in the first place.

therein lies the problem with "security tools"

[tomhath]

Too many self-proclaimed security experts are big time bullshitters. They want high consulting fees and will spend as many hours as they can "analyzing". But in the end they don't do squat and the system is still not properly secured. I've seen them milk a company for months before they get kicked out and drive away in their Mercedes.

A really good security consultant is worth what they cost. But unless you're an expert yourself you have no way of knowing if the guy you're hiring knows anything.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Now this is public knowledge ...

[Negatho]

... then exploit the flaw, and release sensitive data to the victims, attached with the Pwc behavior regarding their product's security. Get popcorn and enjoy the mess.

[SOLVED] Eternal Slashdot conundrum

[easyTree]

1) Discover the magic phrase that makes large corporations destroy their stock value in this way
2) Use it
3) Profit!!!!

Re:[SOLVED] Eternal Slashdot conundrum

[networkBoy]

I can tell you that based on this if I now found a flaw in PwC's system I would not inform them, nor would I warn them. I would just release the info as AC.

Re:[SOLVED] Eternal Slashdot conundrum

[Calydor]

No.

1) Inform PwC.
2) Receive C&D letter.
3) Use exploit on PwC's customers.
4) Take nothing, just leave the C&D letter behind.
5) Buy popcorn.

Re:[SOLVED] Eternal Slashdot conundrum

No.

1) Inform PwC.
2) Receive C&D letter.
3) Use exploit on PwC's customers.
4) Take nothing, just leave the C&D letter behind.
5) Buy popcorn.

6)Go to jail for breaching PwC's system and leaving identifying information.. meet Bubba and all of his friends who don't like nerds.

Based on the article, PwC was in the right

[rs1n]

In an email, a spokesperson for PwC acknowledged the existence of the vulnerability and confirmed that it had been fixed.

The spokesperson also said in separate prepared statement: "The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients."

It seems the article does a poor job of being impartial. Despite the above quotes, they continue with:

It's far from the first time that a security firm or its researchers have faced the wrath from a company that fights instead of fixes.

I am not sure what to make of this since there is still too much information being withheld from both PwC and the article and ESNC.

Big Bad Wolf

[tepples]

It stands for penetration testing, like what the Big Bad Wolf was hired to do in the short story "The Three Little Pigs".

Re:"PwC" not pwc.ca (Pratt & Whitney Canada)

makers of turbine engines for helicopters and the AW-609...

Cheaper to shoot the messenger

[golodh]

It's a lot cheaper to shoot the messenger than it is to shore up a leaky piece of software.

Besides ... patching the software is never a permanent solution. Anarchist sympathisers will burrow into the system until they've found another vulnerability. And another. And another.

Best to attack the problem at its root: sue anyone who publishes a leak out of existence. That will also deter malfeasants, right?

I once did a major computer roll out for them.

It went very smooth.

Re:ESNC no better than PwC

[D00MSlayer]

So they ask for a name and e-mail to receive the advisory, which also puts you on a subscription list for other advisories in the future.. and that's a problem how? Ya know you can always put in a fake name, and even go so far as to create a temporary e-mail for the purpose of registering for it, right? It's not like they're making you create an account with a password or something to access this information. You make it sound like there's a bunch of hoops you have to jump through to receive this information.

Exaggerating much?

Sounds like a flaw, looks like a feature

From the tone of PwC's response it's *obvious* they wanted to keep it secret. And use it to bypass any accountability measures, which are really a veneer of legitimacy if this "bug" is what it purports to be.

I love PwC's responses

[Blue23]

I love the responses PWC gave.

"ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff,"

In other words trying t discredit them. There is nothing in that about the flaw not being real.

But the one that had me laughing at the spin was:

"The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients."

Makes it sounds like it's an old version that wasn't in use much anymore. But it was announced AFTER the fix. So publish the fix, which is now the "current version of the software" and since it's published "is available to all of our clients.". But really, that doesn't mean that most of your clients are running the patch, it silently sidesteps the whole thing.

And the final one:

"The bulletin describes a hypothetical and unlikely scenario -- we are not aware of any situation in which it has materialized,"

Yes, I would expect access to an admin account not to be listed on the main menu, I can believe it's an unlikely scenario. It's not actually hypothetical if it's been done by the security firm, so that part is a lie. The "we are not aware of any situation in which it has materialized" just means "we didn't catch it".

researchers should just pastebin it anonymously

and named security companies should simply report what they see on pastebin. fuck all this legality bullshit.

Ummm... wrong response

[kimvette]

You know, a simple "Thank you for finding this flaw in our product. Here is a $check as our thank you for finding this and reporting it before the $BadGuys exploited it."