Researchers Find Vulnerability That Enables Accounting Fraud, PwC Decides The Best Response Is A Legal Threat
from the you're-not-helping dept
For years now, we've noted that some companies apparently think it's a good idea to punish security researchers that expose vulnerabilities in their products, even when the researchers use the proper channels to report their findings. This kind of absurdity runs hand-in-hand with international attempts to criminalize security research -- or the tools researchers use -- to do their jobs. Obviously, this kind of behavior has one tangible end result: it makes all of us less secure.The latest chapter in this saga of myopic bumbling comes courtesy of PwC, which for whatever reason decided that the best response to a major security flaw found in one of the company's products was to to fire off a cease and desist letter aimed at the researchers. More specifically, Munich-based ESNC published a security advisory earlier this month documenting how a remotely exploitable bug in a PwC security tool could allow an attacker to gain unauthorized access to an impacted SAP system.
The advisory was quick to point out that the vulnerability could allow a hacker to manipulate accounting documents and financial results and commit fraud, if they were so inclined:
"Based on the business processes implemented on the SAP systems on which ACE is installed, this security vulnerability may allow an attacker to e.g. manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions. This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money.The researchers say they received the cease and desist threat despite meeting with PwC in August to discuss the flaw. ESNC also gave PwC three months to fix the flaw before issuing their public advisory, in line with the firm's responsible disclosure policy. ESNC says this was the first time they'd ever sent their research and findings to PwC. It was also the first time they've ever been legally threatened for doing their job, despite the discovery of over 100 security vulnerabilities to date. Despite two cease and desist letters, ESNC released their findings anyway -- "because it is the right thing to do."
When pressed for comment, PwC read directly from the tone-deaf playbook, first pointing out that ESNC did not have a license to use this software (irrelevant), then trying to downplay the fact that the vulnerability could enable accounting and financial fraud:
"ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff," said the spokesperson.This kind of behavior has always been, for lack of a more scientific term, blisteringly idiotic. But it's becoming more of a problem with the rise of the internet-of-poorly-secured things, which has amplified exponentially the number of attack vectors and product vulnerabilities in the wild. With security researchers now clearly warning us that the failure to secure these products will inevitably result in human fatalities at scale, this ongoing attempt to criminalize security research needs to be considered a criminal act in and of itself.
"The bulletin describes a hypothetical and unlikely scenario -- we are not aware of any situation in which it has materialized," the spokespersons said.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, legal threats, research, security, security research, threats
Companies: esnc, pwc
Reader Comments
Subscribe: RSS
View by: Time | Thread
"We're not aware of anyone killed by the lack of airbags in our cars to date, so I'm sure it's not a problem."
"The bulletin describes a hypothetical and unlikely scenario -- we are not aware of any situation in which it has materialized," the spokespersons said.
That's not just stupid, it's stupid to the point that the person who said it should be fired on the spot as being directly harmful to the company and it's image. Great, it hasn't happened yet, that doesn't mean it's not a good idea to make sure that it can't happen before it does.
If they're only worried about what has happened rather than what might, unlikely as it may be, then it's pretty clear that people should avoid that company like everyone there has the black plague, as they are demonstrating incredibly poor planning and security skills, and are not a company anyone who values either should want to knowingly have anything to do with.
[ link to this | view in thread ]
Works for me! I grow tired of all the little consumer bitches running around asking for everyone else to keep them safe while contributing nothing to the same.
If people stopped buying shit in an insane attempt to keep up with the Jonses we could bring this under control.
"my people are destroyed from lack of knowledge"
I even have friends that just laugh my tin foil hat off my head when I tell ahead of time about things like this, but later I have to tell them to stop bitching because they perpetuated their own pain.
[ link to this | view in thread ]
we are a playing card castle just begging for the right breeze with many a blame-finger locked and loaded.
[ link to this | view in thread ]
Re: "We're not aware of anyone killed by the lack of airbags in our cars to date, so I'm sure it's not a problem."
That they know about.
[ link to this | view in thread ]
Re:
This is called security theater. Visit an Air Port in America... you can get a good lengthy dose of it.
Same goes in corporate America. I will watch mega expensive things happen to secure something that cannot be really secured by its nature... but it sure does make people FEEL secure... like the badge locks and security checkpoints in your building. put on some makeup, get a fake ID and no one knows who you are. wait by the door until an employee unlocks it for you and you are in. No employee will seriously challenge people walking in behind them.
Real security means that all egress and ingress are secured in a fashion that does not easily allow the things I just mentioned.
Lets not even get into software security... which is a big big joke anyways.
[ link to this | view in thread ]
The "Rebel Alliance" did not receive authorized access or a license to use the Death Star plans. The plans are not publicly available and are only properly accessed by those with licenses, such as Empire military staff working with trained Empire engineers," said the spokesperson.
"The bulletin describes a hypothetical and unlikely scenario regarding a two-meter thermal exhaust port -- we are not aware of any situation in which it has materialized," the spokespersons said.
[ link to this | view in thread ]
Maybe the researcher will be hired when PWC cleans house
[ link to this | view in thread ]
PwC Screaming "Hack Me"
If I were a company using one of these products I'd be rather unhappy.
Businesses, especially ones large enough to have this software, tend like stability and abhor risk. Especially in core infrastructure.
It's why they're willing to pay so much money to Oracle for something that free products do just as well. Corporate inertia means they're not willing to face the possibility of breakage when moving to a new back end.
PwC is relying on their products being so complicated and integral to companies that no one will switch. Unfortunately, they're probably correct. However, this may prevent new businesses from using their software. Plus, companies will implement stopgap measures, like stopping using the fancy features of the software that requires extra connectivity. Not a good way to keep customers in the long run.
The trick is to explain to the CFO that hacks to such a system don't just mean theft. If they understand that an SAP system hack means potential securities fraud they start paying attention.
[ link to this | view in thread ]
Odd wording...
Yes, but what about improper access? Or are you going to just pretend that it wasn't just proven that 'improper' access can happen?
[ link to this | view in thread ]
Re: "We're not aware of anyone killed by the lack of airbags in our cars to date, so I'm sure it's not a problem."
The "It is not cost-effective to correct security holes unless they are proven to be used"-mentality.
In this case PwC has a reputation to uphold and as soon as the words "accounting fraud" is uttered about them or something relating to them, they are in panic mode.
IRT. availability of the program it seems strange that they didn't present that concern at the meeting with the researchers beforehand and that they are talking up "obscurity as security". They are really pulling the wrong lever in relation to media-handling here. They can only hope that they represent enough major media to keep the story on the down low.
[ link to this | view in thread ]
Re:
yep, worked for engrng firm where had to undergo backgnd chk and get cllearance to wotk on 'top secret' projects, which were mostly repurposing old army bases and bombing ranges for civlian use...
firstly, 'security' clearance for these projects was w-a-y overkill... secondly, they had ALL KINDS of supposed security systems in place, secured faraday room, blah blah blah, NONE of whivh was ever used or security protocols followed once we started the actual projects... it wss ALL just ecpensive bullshit which was never used...
not to mention, the clearance process itself was BS...
[ link to this | view in thread ]
Re: Re:
i would bet dollars to donut holes that is what happens 90% of the time: the process is so stilted, NO ONE follows them... sure, on paper, they are super-secure, in reality, all that bullshit is ignored...
[ link to this | view in thread ]
Re:
Not sure if trolling or just stupid.
I've already pointed this out once today, but to reiterate: this attitude assumes that the only people affected by insecure computing devices are the purchasers of said devices.
Check a calendar; you'll find it's not 1994, and this "Internet" thing has really taken off.
The people who are being harmed by malware installed on unsecure devices are not the same people who created, bought, or sold the devices, they are innocent third parties.
You think Brian Krebs's website was DDoSed because he is, quote, a "little consumer bitch[] running around asking for everyone else to keep [him] safe while contributing nothing to the same"?
[ link to this | view in thread ]
ha
hackers will have to buy a license and then if they want to use the exploit they will have to work with the consultants, who obviously will tell them that's against the TOS. hands washed people, hands washed!!
/s
[ link to this | view in thread ]
[ link to this | view in thread ]
Amazing
[ link to this | view in thread ]
Tor or 4 Chan?
[ link to this | view in thread ]
Re: PwC Screaming
[ link to this | view in thread ]
Re: Re: PwC Screaming
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re: PwC Screaming
I wouldn't trust their kitchen/coffee shop to be bug free either...
[ link to this | view in thread ]
Re: Re:
Well, then people who created, sold or bought the devices should be kept accountable. I would financially incetivise the buyer/user.
[ link to this | view in thread ]
Excuse me...
>_
[ link to this | view in thread ]
Accounting fraud
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]