CVEs for FinTech


CVEs for FinTech

Kurt Seifried
http://www.theregister.co.uk/2016/04/29/bangladesh_swift_mega_hack_analysis/

seems like SWIFT security vulns would be worth CVE, does anyone have contacts at SWIFT they can reach out to?

--

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

Re: CVEs for FinTech

Scott Lawler
I do. I'll reach out to them to find the right person to talk to.

Something to think about is whether or not CVE should be tracking vulns in systems-of-systems (like SWIFT) or do we stay at the lower level of operating systems, application software, etc.

There are thousands of larger systems made up of an infinite set of vulnerable sub components--with common vulns.

Thoughts?

Scott 

On May 1, 2016, at 12:37 AM, Kurt Seifried <[hidden email]> wrote:

http://www.theregister.co.uk/2016/04/29/bangladesh_swift_mega_hack_analysis/

seems like SWIFT security vulns would be worth CVE, does anyone have contacts at SWIFT they can reach out to?

--

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

Re: CVEs for FinTech

jericho
On Sun, 1 May 2016, Scott Lawler wrote:

: Something to think about is whether or not CVE should be tracking vulns
: in systems-of-systems (like SWIFT) or do we stay at the lower level of
: operating systems, application software, etc.
:
: There are thousands of larger systems made up of an infinite set of
: vulnerable sub components--with common vulns.

Vulns should be assigned based on 'where the flaw is'. If that is in a
third-party component, that should be tracked ideally. Failing to have
that information, we can only assign for the larger software package that
bundles the rest.

I've found it is helpful when approaching companies to explain the benefit
of them 'blaming the third-party code' so to speak, that in the long run,
vulnerability stats don't reflect as poorly on them. A bit of motivation
for them to come clean, at least enough to confirm the issue isn't in
their code.

I also had an offlist discussion with Kurt on this last night, and so far
the articles available do not positively show there is a vuln in SWIFT.
Rather, the articles talk about the attackers obtaining legitimate
credentials to the system, where they had access to manipulate the SWIFT
software (e.g. phishing -> malware). If so, that wouldn't warrant a CVE
ID.

Re: CVEs for FinTech

Art Manion
In reply to this post by Scott Lawler
On 2016-05-01 10:15, Scott Lawler wrote:

> I do. I'll reach out to them to find the right person to talk to.
>
> Something to think about is whether or not CVE should be tracking vulns
> in systems-of-systems (like SWIFT) or do we stay at the lower level of
> operating systems, application software, etc.
>
> There are thousands of larger systems made up of an infinite set of
> vulnerable sub components--with common vulns.
>
> Thoughts?

Can't say I'm read up on the SWIFT attack(s), but I didn't see any
evidence of a vulnerability (technical vulnerability, not
general/dictionary vulnerability).  SWIFT is a protocol?  Are there
security problems with the protocol design?  Implementation defects in
software that implements SWIFT?  Insider + malware?

 - Art


> On May 1, 2016, at 12:37 AM, Kurt Seifried <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>> http://www.theregister.co.uk/2016/04/29/bangladesh_swift_mega_hack_analysis/
>>
>>
>> seems like SWIFT security vulns would be worth CVE, does anyone have
>> contacts at SWIFT they can reach out to?
>>
>> --
>>
>> --
>> Kurt Seifried -- Red Hat -- Product Security -- Cloud
>> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>> Red Hat Product Security contact: [hidden email]
>> <mailto:[hidden email]>

Re: CVEs for FinTech

Kurt Seifried
My concern is less about this specific incident, and more about bringing them and others "into the fold" of CVE as it were. Apparently my bathroom scale also needs a CVE https://help.fitbit.com/articles/en_US/Help_article/How-do-I-update-my-Aria-scale/ 

On Sun, May 1, 2016 at 9:32 PM, Art Manion <[hidden email]> wrote:
On 2016-05-01 10:15, Scott Lawler wrote:
> I do. I'll reach out to them to find the right person to talk to.
>
> Something to think about is whether or not CVE should be tracking vulns
> in systems-of-systems (like SWIFT) or do we stay at the lower level of
> operating systems, application software, etc.
>
> There are thousands of larger systems made up of an infinite set of
> vulnerable sub components--with common vulns.
>
> Thoughts?

Can't say I'm read up on the SWIFT attack(s), but I didn't see any
evidence of a vulnerability (technical vulnerability, not
general/dictionary vulnerability).  SWIFT is a protocol?  Are there
security problems with the protocol design?  Implementation defects in
software that implements SWIFT?  Insider + malware?

 - Art


> On May 1, 2016, at 12:37 AM, Kurt Seifried <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>> http://www.theregister.co.uk/2016/04/29/bangladesh_swift_mega_hack_analysis/
>>
>>
>> seems like SWIFT security vulns would be worth CVE, does anyone have
>> contacts at SWIFT they can reach out to?
>>
>> --
>>
>> --
>> Kurt Seifried -- Red Hat -- Product Security -- Cloud
>> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>> Red Hat Product Security contact: [hidden email]
>> <mailto:[hidden email]>



--

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]