Researchers Find Vulnerability That Enables Accounting Fraud, PwC Decides The Best Response Is A Legal Threat

from the you're-not-helping dept

For years now, we've noted that some companies apparently think it's a good idea to punish security researchers that expose vulnerabilities in their products, even when the researchers use the proper channels to report their findings. This kind of absurdity runs hand-in-hand with international attempts to criminalize security research -- or the tools researchers use -- to do their jobs. Obviously, this kind of behavior has one tangible end result: it makes all of us less secure.

The latest chapter in this saga of myopic bumbling comes courtesy of PwC, which for whatever reason decided that the best response to a major security flaw found in one of the company's products was to to fire off a cease and desist letter aimed at the researchers. More specifically, Munich-based ESNC published a security advisory earlier this month documenting how a remotely exploitable bug in a PwC security tool could allow an attacker to gain unauthorized access to an impacted SAP system.

The advisory was quick to point out that the vulnerability could allow a hacker to manipulate accounting documents and financial results and commit fraud, if they were so inclined:
"Based on the business processes implemented on the SAP systems on which ACE is installed, this security vulnerability may allow an attacker to e.g. manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions. This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money.
The researchers say they received the cease and desist threat despite meeting with PwC in August to discuss the flaw. ESNC also gave PwC three months to fix the flaw before issuing their public advisory, in line with the firm's responsible disclosure policy. ESNC says this was the first time they'd ever sent their research and findings to PwC. It was also the first time they've ever been legally threatened for doing their job, despite the discovery of over 100 security vulnerabilities to date. Despite two cease and desist letters, ESNC released their findings anyway -- "because it is the right thing to do."

When pressed for comment, PwC read directly from the tone-deaf playbook, first pointing out that ESNC did not have a license to use this software (irrelevant), then trying to downplay the fact that the vulnerability could enable accounting and financial fraud:
"ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff," said the spokesperson.

"The bulletin describes a hypothetical and unlikely scenario -- we are not aware of any situation in which it has materialized," the spokespersons said.
This kind of behavior has always been, for lack of a more scientific term, blisteringly idiotic. But it's becoming more of a problem with the rise of the internet-of-poorly-secured things, which has amplified exponentially the number of attack vectors and product vulnerabilities in the wild. With security researchers now clearly warning us that the failure to secure these products will inevitably result in human fatalities at scale, this ongoing attempt to criminalize security research needs to be considered a criminal act in and of itself.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, legal threats, research, security, security research, threats
Companies: esnc, pwc


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    That One Guy (profile), 13 Dec 2016 @ 10:19am

    "We're not aware of anyone killed by the lack of airbags in our cars to date, so I'm sure it's not a problem."

    "The bulletin describes a hypothetical and unlikely scenario -- we are not aware of any situation in which it has materialized," the spokespersons said.

    That's not just stupid, it's stupid to the point that the person who said it should be fired on the spot as being directly harmful to the company and it's image. Great, it hasn't happened yet, that doesn't mean it's not a good idea to make sure that it can't happen before it does.

    If they're only worried about what has happened rather than what might, unlikely as it may be, then it's pretty clear that people should avoid that company like everyone there has the black plague, as they are demonstrating incredibly poor planning and security skills, and are not a company anyone who values either should want to knowingly have anything to do with.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Dec 2016 @ 11:12am

      Re: "We're not aware of anyone killed by the lack of airbags in our cars to date, so I'm sure it's not a problem."

      Great, it hasn't happened yet,

      That they know about.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Dec 2016 @ 12:38pm

      Re: "We're not aware of anyone killed by the lack of airbags in our cars to date, so I'm sure it's not a problem."

      It was the standard of Microsoft in the old days.

      The "It is not cost-effective to correct security holes unless they are proven to be used"-mentality.

      In this case PwC has a reputation to uphold and as soon as the words "accounting fraud" is uttered about them or something relating to them, they are in panic mode.

      IRT. availability of the program it seems strange that they didn't present that concern at the meeting with the researchers beforehand and that they are talking up "obscurity as security". They are really pulling the wrong lever in relation to media-handling here. They can only hope that they represent enough major media to keep the story on the down low.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Dec 2016 @ 11:07am

    "failure to secure these products will inevitably result in human fatalities at scale"

    Works for me! I grow tired of all the little consumer bitches running around asking for everyone else to keep them safe while contributing nothing to the same.

    If people stopped buying shit in an insane attempt to keep up with the Jonses we could bring this under control.

    "my people are destroyed from lack of knowledge"

    I even have friends that just laugh my tin foil hat off my head when I tell ahead of time about things like this, but later I have to tell them to stop bitching because they perpetuated their own pain.

    link to this | view in chronology ]

    • identicon
      Thad, 13 Dec 2016 @ 4:02pm

      Re:

      Not sure if trolling or just stupid.

      I grow tired of all the little consumer bitches running around asking for everyone else to keep them safe while contributing nothing to the same.

      I've already pointed this out once today, but to reiterate: this attitude assumes that the only people affected by insecure computing devices are the purchasers of said devices.

      Check a calendar; you'll find it's not 1994, and this "Internet" thing has really taken off.

      The people who are being harmed by malware installed on unsecure devices are not the same people who created, bought, or sold the devices, they are innocent third parties.

      You think Brian Krebs's website was DDoSed because he is, quote, a "little consumer bitch[] running around asking for everyone else to keep [him] safe while contributing nothing to the same"?

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 14 Dec 2016 @ 5:47am

        Re: Re:

        Well, then people who created, sold or bought the devices should be kept accountable. I would financially incetivise the buyer/user.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Dec 2016 @ 11:08am

    i have worked several times on classified projects, and many among us got the very vivid impression that security is basically a confidence game aimed at making people believe that some semblance of security is in place. that the people involved here want to criminalize exposure of their lack of diligence and caution simply shows what a con-job they, too, are trying to swoosh past us.

    we are a playing card castle just begging for the right breeze with many a blame-finger locked and loaded.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Dec 2016 @ 11:20am

      Re:

      "many among us got the very vivid impression that security is basically a confidence game aimed at making people believe that some semblance of security is in place."

      This is called security theater. Visit an Air Port in America... you can get a good lengthy dose of it.

      Same goes in corporate America. I will watch mega expensive things happen to secure something that cannot be really secured by its nature... but it sure does make people FEEL secure... like the badge locks and security checkpoints in your building. put on some makeup, get a fake ID and no one knows who you are. wait by the door until an employee unlocks it for you and you are in. No employee will seriously challenge people walking in behind them.

      Real security means that all egress and ingress are secured in a fashion that does not easily allow the things I just mentioned.

      Lets not even get into software security... which is a big big joke anyways.

      link to this | view in chronology ]

    • icon
      art guerrilla (profile), 13 Dec 2016 @ 12:43pm

      Re:

      at a non cow 11:08
      yep, worked for engrng firm where had to undergo backgnd chk and get cllearance to wotk on 'top secret' projects, which were mostly repurposing old army bases and bombing ranges for civlian use...
      firstly, 'security' clearance for these projects was w-a-y overkill... secondly, they had ALL KINDS of supposed security systems in place, secured faraday room, blah blah blah, NONE of whivh was ever used or security protocols followed once we started the actual projects... it wss ALL just ecpensive bullshit which was never used...
      not to mention, the clearance process itself was BS...

      link to this | view in chronology ]

      • icon
        art guerrilla (profile), 13 Dec 2016 @ 12:47pm

        Re: Re:

        oh, as an aside, one reason the security protocols were not followed, is they were so onerous and over-the-top, there was NO WAY to make the process work effectively while getting rreal work done...
        i would bet dollars to donut holes that is what happens 90% of the time: the process is so stilted, NO ONE follows them... sure, on paper, they are super-secure, in reality, all that bullshit is ignored...

        link to this | view in chronology ]

  • icon
    Roger Strong (profile), 13 Dec 2016 @ 11:21am

    The "Rebel Alliance" did not receive authorized access or a license to use the Death Star plans. The plans are not publicly available and are only properly accessed by those with licenses, such as Empire military staff working with trained Empire engineers," said the spokesperson.

    "The bulletin describes a hypothetical and unlikely scenario regarding a two-meter thermal exhaust port -- we are not aware of any situation in which it has materialized," the spokespersons said.

    link to this | view in chronology ]

    • icon
      Ninja (profile), 14 Dec 2016 @ 2:22am

      Re:

      We have yet to hear from the spokesperson after it was confirmed a Rebel Alliance rookie shoot the exhaust port blowing the entire thing to pieces. Rumors say he was forced.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Dec 2016 @ 11:23am

    Maybe the researcher will be hired when PWC cleans house

    I honestly can't imagine how PWC can come out of this without some external 3rd parties certifying that the vulnerability is not only corrected, but any accounts that may have been modified(Hint, without one, you have to assume they all were) match all expected results including backups.

    link to this | view in chronology ]

  • icon
    Arthur Moore (profile), 13 Dec 2016 @ 11:25am

    PwC Screaming "Hack Me"

    If I were a company using one of these products I'd be rather unhappy.

    Businesses, especially ones large enough to have this software, tend like stability and abhor risk. Especially in core infrastructure.

    It's why they're willing to pay so much money to Oracle for something that free products do just as well. Corporate inertia means they're not willing to face the possibility of breakage when moving to a new back end.

    PwC is relying on their products being so complicated and integral to companies that no one will switch. Unfortunately, they're probably correct. However, this may prevent new businesses from using their software. Plus, companies will implement stopgap measures, like stopping using the fancy features of the software that requires extra connectivity. Not a good way to keep customers in the long run.

    The trick is to explain to the CFO that hacks to such a system don't just mean theft. If they understand that an SAP system hack means potential securities fraud they start paying attention.

    link to this | view in chronology ]

    • identicon
      Tin-Foil-Hat, 13 Dec 2016 @ 10:27pm

      Re: PwC Screaming

      If anything is risky it's hiring Oracle. I wouldn't even drink a cup of coffee made by them.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 13 Dec 2016 @ 11:06pm

        Re: Re: PwC Screaming

        Considering the quality of their software and the way they handle bugs, the coffee may be the only thing that is safe (if they have got take-a-way, that is).

        link to this | view in chronology ]

        • identicon
          Trumpkintin, 14 Dec 2016 @ 4:19am

          Re: Re: Re: PwC Screaming

          "the way they handle bugs"

          I wouldn't trust their kitchen/coffee shop to be bug free either...

          link to this | view in chronology ]

  • icon
    Mat (profile), 13 Dec 2016 @ 11:54am

    Odd wording...

    _and was only properly accessed by those with licenses_

    Yes, but what about improper access? Or are you going to just pretend that it wasn't just proven that 'improper' access can happen?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Dec 2016 @ 4:33pm

    ha

    well that clears it all up!

    hackers will have to buy a license and then if they want to use the exploit they will have to work with the consultants, who obviously will tell them that's against the TOS. hands washed people, hands washed!!

    /s

    link to this | view in chronology ]

  • identicon
    Kronomex, 13 Dec 2016 @ 7:24pm

    Could it be that P.W.C. didn't want the vulnerability uncovered? Nah, it can't be true, they're as pure as the driven snow.

    link to this | view in chronology ]

  • identicon
    Lazlo Toth, 13 Dec 2016 @ 7:52pm

    Amazing

    This is pretty nutty for a firm that does SOC 2 and SOC 3 trust principles security-related reviews and opinion letters for its customers.

    link to this | view in chronology ]

  • identicon
    Tin-Foil-Hat, 13 Dec 2016 @ 10:24pm

    Tor or 4 Chan?

    I'm sure there are some Tor sites where these vulnerabilities can be reported if they would prefer.

    link to this | view in chronology ]

  • identicon
    Isaac Kotlicky, 15 Dec 2016 @ 4:11am

    Excuse me...

    But I have to download some accounting software for my "multibillion dollar business..."

    >_

    link to this | view in chronology ]

  • identicon
    saiba mais, 20 Feb 2017 @ 10:43am

    Accounting fraud

    I believe that security always comes first, we can not allow accounting fraud in any way.

    link to this | view in chronology ]

  • identicon
    everton, 6 Dec 2017 @ 6:55am

    well that clears it all up!

    link to this | view in chronology ]

  • identicon
    Importador, 3 Oct 2018 @ 4:50pm

    Nice article

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.