Slashdot Mirror


PwC Sends Legal Threats To Researchers Who Found Critical Security Flaw (zdnet.com)

An anonymous reader quotes a report from ZDNet: A security research firm has released details of a "critical" flaw in a security tool, despite being threatened with legal threats. The advisory said that an attacker could "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," which could result in "fraud, theft or manipulation of sensitive data," as well as the "unauthorized payment transactions and transfer of money." An attacker could also add a backdoor to the affected server, the advisory said. The researchers contacted and met with PwC in August to discuss the scope of the flaw. As part of its responsible disclosure policy, the researchers gave PwC three months to fix the flaw before a public advisory would be published. Three days later, the corporate giant responded with legal threats. A portion of the cease-and-desist letter, seen by ZDNet, said that PwC demanded the researchers "not release a security advisory or similar information" relating to the buggy software. The legal threat also said that the researchers are not to "make any public statements or statements to users" of the software. The researchers told PwC that they would publicly disclose their findings once the three-month window expires, which is in line with industry standard disclosure practices. That was when PwC hit the security firm with a second cease-and-desist letter. Undeterred, the researchers released a security advisory a little over two weeks later.

35 of 188 comments

  1. first by Anonymous Coward · · Score: 2, Insightful

    comment!: Typical for incapable companies to threaten with lawsuits because they can't be bothered to actually do their job!

    1. Re:first by geekmux · · Score: 5, Informative

      Their job? Their job is to make money. Sometimes fixing large scale problems costs money. I guess threatening with a lawsuit is actually closer to "doing their job" than you think.

      Reputation has an impact on the job of making money. So does ethics.

      Perhaps one day failing companies will pull their head out of their lawyers ass and realize that.

    2. Re:first by Shoten · · Score: 4, Insightful

      A larger bit of context here is that this wasn't a business unit that makes hockey pucks. This was a business unit that is involved in cybersecurity. So for them to show ignorance of how things should be done with regard to this...ugh.

      On the other hand, PwC is a partnership organization, not a corporation. As such, a lot of control is decentralized; partners are responsible for the business beneath them and while that responsibility does run upwards, with every step up there's an order of magnitude by which detail is removed. So fundamentally this could be one guy getting his panties in a wad over things.

      But still...he should know better.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    3. Re: first by michelcolman · · Score: 3, Insightful

      So it's pencil pushers vs. pen testers

    4. Re: first by hawguy · · Score: 4, Funny

      pen as in a pen or is that supposed to be short for something?

      Duh, it should be obvious from the context. PwC is an accounting firm. Accounting firms use a lot of pens. It would be ludicrous to give an accountant a non-functional pen, so they have a pen testing division that runs each pen through a battery of tests before they deploy it to an accountant.

  2. Since when... by Anonymous Coward · · Score: 2, Interesting

    ...are lawyers cheaper than developers?

    Or is the Higher Management unable to think in any other way because they are only lawyers themselves??

    1. Re:Since when... by Big+Hairy+Ian · · Score: 3, Informative

      For those of us who remember introducingmonday.co.uk (now sadly no longer there) just remember "We like donkeys"

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    2. Re:Since when... by haruchai · · Score: 4, Interesting

      ...are lawyers cheaper than developers?

      Or is the Higher Management unable to think in any other way because they are only lawyers themselves??

      I worked for a tech firm that was run by a lawyer; when the shit hit the fan during the dotcom meltdown, we found out the only ass that was covered was his.
      While we were scrambling to find new jobs & pay bills, he went off to head up some board filled with other cunts like himself

      --
      Pain is merely failure leaving the body
    3. Re:Since when... by haruchai · · Score: 2

      "In other words while you were looking for a new job, he did the same, and found one"

      He had this lined up before we knew the sky was falling. And he had quietly negotiated a nice parting gift for himself while 50 of us lost thousands in unpaid salary & benefits.
      That detail only came to light years later when a couple of us finally were able to get our hands on some withheld company documents.

      --
      Pain is merely failure leaving the body
  3. Streisand effect by TheReaperD · · Score: 5, Interesting

    Well this company completely missed the memo regarding the Streisand effect. This company obviously thought that using lawyers and burying the truth was cheaper than fixing the problem. Now, not only will they have to fix the problem, their users will be aware of the fact that the company tried to hide it from the users of the software. Talk about damage of trust. This company may also get hammered in court with anti-SLAPP penalties from the company they were threatening. Hopefully, this ends up being a very costly bout of stupidity making the company think twice about doing it again.

    --
    "Be particularly skeptical when presented with evidence confirming what you already believe." -
    1. Re:Streisand effect by mwvdlee · · Score: 4, Insightful

      Companies like PwC cannot grasp the concept of earning money and behaving ethically at the same time.
      Many a head must have been scratched in trying to understand why their threats failed. "Did the researchers not understand they were being threatened?". "Why would they do the right thing if it could cost them money?". "It's almost as if they decided to do what would be best for other people instead of themselves.".

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:Streisand effect by Anonymous Coward · · Score: 3, Informative

      "Companies like PwC cannot grasp the concept of a earning money and behaving ethically at the same time."

      You're not kidding there. I'd never heard of them but pulled up their wiki page. It's quite long. And a good half of it is dedicated to controversies and scandals. Almost all around financial fraud. How are these clowns not in prison?

    3. Re:Streisand effect by TheReaperD · · Score: 5, Insightful

      Because only the plebs go to prison.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    4. Re:Streisand effect by Hatechall · · Score: 2

      PWC isn't really a financial company. Its mostly Audit and Consulting. For the uninitiated with the big five (now big four), they hire fresh grads and sell their services for $300/hr. This financial backing is how they became one of the largest conglomerates of firms in the world. If you aren't familiar with the fairly large imprint these consulting firms have worldwide, I would recommend you take a peek when you have a chance.

  4. Re:Wait a second by RavenLrD20k · · Score: 4, Informative

    FTA: The Researchers first met with PwC in August about this vulnerability. The Advisory was released December 7th. September...October...November... yep. That's three full months since the initial meeting with the only correspondence given by PwC is a series of C&Ds. Not even a "Please don't disclose this yet, we need more time to fix."... I only see this as PwC are the assholes in the equation. Also, second link in the summary is the full advisory without the need for contact info.

  5. Re:Wait a second by Hatechall · · Score: 4, Informative

    According to the advisory itself:

    19.08.2016 PwC contacted
    22.08.2016 Meeting with PwC, informed them about the impact and the details of the vulnerability and responsible disclosure
    05.09.2016 Asked PwC about updates and whether a patch is available
    13.09.2016 Received a Cease & Desist letter from PwC lawyers
    18.11.2016 Informed that 90 days have passed and ESNC is planning to release a security advisory; asked for any details PwC can share about this matter including risk, affected versions, how to obtain a patch
    22.11.2016 Received another Cease & Desist letter from PwC lawyers
    07.12.2016 Public disclosure

  6. Re:Wait a second by jenningsthecat · · Score: 2

    - 2 weeks later, advisory is released - not seeing 3 months in this timeframe?

    Looks like both sides are assholes!

    It seems that PWC said nothing about actually fixing the flaw. In fact, their immediately adversarial stance could be construed as an indication that they might not fix the problem in good time, and perhaps not at all. In this case, early disclosure by the security researchers could be viewed as a mitigative strategy, since there was a good chance that criminal hackers would have discovered the flaw and taken advantage of it before PWC did anything about it.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  7. "PwC" is Price Waterhouse Coopers by 0xdeadbeef · · Score: 4, Informative

    It is apparently some sort of big accounting firm.

  8. Re:License is a fair question by Anonymous Coward · · Score: 3, Insightful

    They need a license to *use* it. Research is fair use, so go suck Walt Disney's mummified cock.

  9. Accountability by Aethedor · · Score: 2

    For an accountant firm, they have a lot to learn about accountability.

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  10. Re:Wait a second by OzPeter · · Score: 3, Informative

    dates too hard to read; stopped trying

    You wouldn't be American by any chance would you? Just to help you out I've provided a translation for you.

    8/19/2016 PwC contacted
    8/22/2016 Meeting with PwC, informed them about the impact and the details
    of the vulnerability and responsible disclosure
    9/5/2016 Asked PwC about updates and whether a patch is available
    9/13/2016 Received a Cease & Desist letter from PwC lawyers
    11/18/2016 Informed that 90 days have passed and ESNC is planning to
    release a security advisory; asked for any details PwC can share about this
    matter including risk, affected versions, how to obtain a patch
    11/22/2016 Received another Cease & Desist letter from PwC lawyers
    12/7/2016 Public disclosure

    --
    I am Slashdot. Are you Slashdot as well?
  11. Re:License is a fair question by Zak3056 · · Score: 2

    Fair question where the authors got the software if they didn't have a license. Just because you're a security researcher doesn't give you carte blanche to pirate.

    The publishers appear to be focused on SAP environments, and the PWC software appears to be implemented as a module in SAP. If I had to guess, I'd say they were auditing one of their customers and found the vulnerability that way. If so, there are no license issues here.

    --
    What part of "shall not be infringed" is so hard to understand?
  12. The cost of doing the right thing by sinij · · Score: 5, Insightful

    This will likely be very expensive for the security researchers, as PricewaterhouseCoopers have deep pockets and a history of shady litigation.

    Assholes like PwC are why most security researchers don't bother with responsible disclosure. It is by far much safer to anonymously dump it to pastebin.

  13. Re: Question by Entrope · · Score: 2

    Nope, they employ a lot of PHBs.

  14. What really sucks is... by Last_Available_Usern · · Score: 4, Interesting

    There is probably a conscientious developer that wanted to work on this the day it was discovered but the company thought the cheaper track was to bury it, and now he's probably going to be fired and implicated as the reason the bug existed, or worse, wasn't patched.

  15. The security firm provides a competing product by bongk · · Score: 2

    It looks like the vulnerability is in a PwC product called ACE, which analyzes SAP security settings.
    The flagship product of the security firm that produced the disclosure appears to be "ESNC Security Suite", which from what I could tell appears to be a competing product.

    While I definitely support security research and responsible disclosure, it makes me a little uncomfortable that it appears this security firm could have chosen to target and test the PwC software because it is a competitor to software they produce.

    1. Re:The security firm provides a competing product by edtice1559 · · Score: 3, Insightful

      There's a strong motivation to test a competing security company's products and find defects. Certainly something great to point out in a sales call. But I don't see why this is bad. If you're a security company, you should expect this. It's not just your competitors who are going to be looking hard. It's everybody. In this case a competitor disclosed responsibly. I don't think you can get a better outcome. Don't like it? Well first fix your flaw and then return the favor by helping audit your competitor's product!

  16. Re:Wait a second by Anonymous Coward · · Score: 5, Informative

    Fixed it for you:

    2016-8-19 PwC contacted
    2016-8-22 Meeting with PwC, informed them about the impact and the details
    of the vulnerability and responsible disclosure
    2016-9-5 Asked PwC about updates and whether a patch is available
    2016-9-13 Received a Cease & Desist letter from PwC lawyers
    2016-11-18 Informed that 90 days have passed and ESNC is planning to
    release a security advisory; asked for any details PwC can share about this
    matter including risk, affected versions, how to obtain a patch
    2016-11-22 Received another Cease & Desist letter from PwC lawyers
    2016-12-7 Public disclosure

    Obligatory: https://xkcd.com/1179/

  17. therein lies the problem with "security tools" by tomhath · · Score: 2

    Too many self-proclaimed security experts are big time bullshitters. They want high consulting fees and will spend as many hours as they can "analyzing". But in the end they don't do squat and the system is still not properly secured. I've seen them milk a company for months before they get kicked out and drive away in their Mercedes.

    A really good security consultant is worth what they cost. But unless you're an expert yourself you have no way of knowing if the guy you're hiring knows anything.

  18. Re:Wait a second by Zephyn · · Score: 4, Funny

    Just to help you out I've provided a translation for you.

    USA American attention span: 3 lines, 5 words each.

    Canadian American attention span: Moose

    Correction:

    Canadian attention span: 4 lines, 3 defensive pairs, 2 goalies

  19. Re:License is a fair question by parkinglot777 · · Score: 2

    Citation needed. I'm pretty sure this is not true.

    It is not easy to determine fair use; however, for the most part research falls into the fair use category. However, most of the time, fair use is decided on a case-by-case basis, so the issue may be tested in court. You can go here.

    Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is a fair use, the factors to be considered shall include:

    1. The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
    2. The nature of the copyrighted work;
    3. The amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
    4. The effect upon the potential market for or value of the copyrighted work.

    The fact that a work is unpublished shall not by itself bar a finding of fair use if such finding is made upon consideration of all the above factors.

  20. Re:[SOLVED] Eternal Slashdot conundrum by Calydor · · Score: 2

    No.

    1) Inform PwC.
    2) Receive C&D letter.
    3) Use exploit on PwC's customers.
    4) Take nothing, just leave the C&D letter behind.
    5) Buy popcorn.

    --
    -=This sig has nothing to do with my comment. Move along now=-
  21. Re:Wait a second by drew_kime · · Score: 3

    Actually fixed it for you:

    2016-08-19 PwC contacted
    2016-08-22 Meeting with PwC, informed them about the impact and the details
    of the vulnerability and responsible disclosure
    2016-09-05 Asked PwC about updates and whether a patch is available
    2016-09-13 Received a Cease & Desist letter from PwC lawyers
    2016-11-18 Informed that 90 days have passed and ESNC is planning to
    release a security advisory; asked for any details PwC can share about this
    matter including risk, affected versions, how to obtain a patch
    2016-11-22 Received another Cease & Desist letter from PwC lawyers
    2016-12-07 Public disclosure

    --
    Nope, no sig
  22. I love PwC's responses by Blue23 · · Score: 3, Insightful

    I love the responses PWC gave.

    "ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff,"

    In other words trying to discredit them. There is nothing in that about the flaw not being real.

    But the one that had me laughing at the spin was:

    "The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients."

    Makes it sound like it's an old version that wasn't in use much anymore. But it was announced AFTER the fix. So publish the fix, which is now the "current version of the software" and since it's published "is available to all of our clients.". But really, that doesn't mean that most of your clients are running the patch, it silently sidesteps the whole thing.

    And the final one:

    "The bulletin describes a hypothetical and unlikely scenario -- we are not aware of any situation in which it has materialized,"

    Yes, I would expect access to an admin account not to be listed on the main menu, I can believe it's an unlikely scenario. It's not actually hypothetical if it's been done by the security firm, so that part is a lie. The "we are not aware of any situation in which it has materialized" just means "we didn't catch it".

    --
    LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
  23. Re:Wait a second by thegarbz · · Score: 3, Informative

    This is Slashdot. Really fixed it for you.

    1471593600 PwC contacted
    1471852800 Meeting with PwC, informed them about the impact and the details
    of the vulnerability and responsible disclosure
    1473062400 Asked PwC about updates and whether a patch is available
    1473753600 Received a Cease & Desist letter from PwC lawyers
    1479456000 Informed that 90 days have passed and ESNC is planning to
    release a security advisory; asked for any details PwC can share about this
    matter including risk, affected versions, how to obtain a patch
    1479801600 Received another Cease & Desist letter from PwC lawyers
    1481097600 Public disclosure
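The thread argues about whether the advisory's timeline really covers three months (comments 5, 6 and 10 above) and the last few comments reformat the same dates into US, ISO and Unix-epoch form. The following is an added example, not code from ESNC, PwC, ZDNet or any of the commenters: it parses the run-together "dd.mm.yyyy event dd.mm.yyyy event" text exactly as comment 5 quotes it from the advisory, computes each event's offset from first contact, checks it against a disclosure window, and converts the dates to epoch seconds. The 90-day window and the choice of first contact (rather than the meeting three days later) as the start of the clock are assumptions of this example, not something the advisory text here states. Counting from first contact, 18.11.2016 is day 91 and public disclosure on 07.12.2016 is day 110. One observation this makes checkable: the epoch values in the comment directly above are each exactly 28800 seconds (8 hours) later than midnight UTC of the same date, i.e. they were generated for local midnight in a UTC-8 zone.

```python
"""Added example (not from the advisory, ZDNet or the commenters): parse a
responsible-disclosure timeline and check it against a disclosure window."""
import re
from datetime import date, datetime, timedelta, timezone

# Timeline text copied verbatim from the comment quoting the ESNC advisory,
# in the run-together form it was posted in (dd.mm.yyyy followed by the event).
TIMELINE_TEXT = (
    "19.08.2016 PwC contacted 22.08.2016 Meeting with PwC, informed them about the "
    "impact and the details of the vulnerability and responsible disclosure "
    "05.09.2016 Asked PwC about updates and whether a patch is available "
    "13.09.2016 Received a Cease & Desist letter from PwC lawyers "
    "18.11.2016 Informed that 90 days have passed and ESNC is planning to release "
    "a security advisory; asked for any details PwC can share about this matter "
    "including risk, affected versions, how to obtain a patch "
    "22.11.2016 Received another Cease & Desist letter from PwC lawyers "
    "07.12.2016 Public disclosure"
)

# Assumed policy window. The advisory text quoted above only says "90 days";
# whether the clock starts at first contact or at the meeting is not stated.
DISCLOSURE_WINDOW_DAYS = 90

# European dd.mm.yyyy dates; "90 days" and similar numbers do not match.
DATE_RE = re.compile(r"\b(\d{2})\.(\d{2})\.(\d{4})\b")


def parse_timeline(text):
    """Split 'dd.mm.yyyy event dd.mm.yyyy event ...' into [(date, description)].

    Each description runs from the end of one date match to the start of the
    next, so the events come back in the order they were written.
    """
    matches = list(DATE_RE.finditer(text))
    events = []
    for i, m in enumerate(matches):
        day, month, year = (int(g) for g in m.groups())
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        events.append((date(year, month, day), text[m.end():end].strip()))
    return events


def days_since_first_contact(events):
    """Return [(days_after_first_event, description)] for the parsed timeline."""
    first = events[0][0]
    return [((d - first).days, desc) for d, desc in events]


def window_report(events, window_days=DISCLOSURE_WINDOW_DAYS):
    """Compare the last event (assumed to be the public disclosure) against the
    window measured from the first event. Dates are returned as ISO strings."""
    first, last = events[0][0], events[-1][0]
    deadline = first + timedelta(days=window_days)
    return {
        "first_contact": first.isoformat(),
        "deadline": deadline.isoformat(),
        "disclosure": last.isoformat(),
        "days_to_disclosure": (last - first).days,
        "days_past_deadline": (last - deadline).days,
        "disclosed_after_window": last >= deadline,
    }


def to_epoch_utc(d):
    """Seconds since the Unix epoch for midnight UTC of the given date."""
    return int(datetime(d.year, d.month, d.day, tzinfo=timezone.utc).timestamp())


if __name__ == "__main__":
    events = parse_timeline(TIMELINE_TEXT)
    for offset, desc in days_since_first_contact(events):
        print(f"day {offset:3d}: {desc}")
    print(window_report(events))
    for d, desc in events:
        print(to_epoch_utc(d), desc)
```

Run as a script it prints the day offsets, the window verdict and the UTC-midnight epoch values; subtracting the latter from the figures in the previous comment gives the 8-hour offset mentioned above.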