back to article IBM == Insecure Business Machines: No-auth remote root exec exploit in Data Risk Manager drops after Big Blue snubs bug report

IBM has acknowledged that it mishandled a bug report that identified four vulnerabilities in its enterprise security software, and plans to issue an advisory. IBM Data Risk Manager offers security-focused vulnerability scanning and analytics, to help businesses identify weaknesses in their infrastructure. At least some …

  1. Shadow Systems Silver badge
    Facepalm

    And thus is why hackers profit...

    You take an honest researcher attempting to Do The Right Thing by telling the company first about security flaws in their product. Company makes oodles & oodles of money but can't be arsed to give any of that dosh to the folks trying to help them help themselves. Honest researcher gets an offer from dishonest hacker to pay money for undisclosed flaws. Now honest researcher has a choice: keep trying to DTRT with a company that snubs them, refuses to pay them, and at best might mention their name in some later patch, or a quick buck right now from someone that is delighted by said researcher's work. It doesn't take a rocket surgeon to figure out where that situation is headed...

    1. rcxb Silver badge

      Re: And thus is why hackers profit...

      Crime is always more profitable in the short-term, but tends to be a bad career choice over the long-term. Until very recently, NOBODY paid bug bounties, and It's still debatable whether they are making things safer or not.

      Ask yourself why blood and organ donations don't net the donor a nice big check.

      1. Blackjack Silver badge

        Re: And thus is why hackers profit...

        I would comment on several people who got away with crime for a long time and either died without being caught or got a slap on the wrist but since this is not not an article about economics I will just name one.

        Julio Humberto Grondona (September 18, 1931 – July 30, 2014) died without getting caught.

      2. Eguro

        Re: And thus is why hackers profit...

        Blood and organ donations usually don't pay, because that creates unwanted incentives.

        "Well Grandma is probably on her way out, and that nice Mr. Edward Vil says he'll pay us $10,000 if we unplug her now."

        Or

        "I need food. Someone buy my kidney!"

        The only comparison I can see would be the developers of these programs purposefully putting in exploits for their mates to "discover" later on. That might be happening, but surely there is some tracking happening. "Herbert, this is the 14th flaw found in your coding", so doesn't seem like it would be a great move.

        You could approach developers of companies to pay them to include vulnerabilities for you to discover, but then you have to figure out how much you'll likely get and I doubt the amount you'll be willing to hand back is enough to get developers to intentionally make bad code.

        1. newspuppy

          Re: And thus is why hackers profit...

          The idea of developers purposefully putting in exploits for their mates to discover later on is nonsense....

          That is why a separate QA department (with source code access) should exist.. With rewards for QA to find bugs... and rewards for developers with no bugs....

          Unfortunately... real QA is one of those areas that on paper is just a cost centre... and .. development (releases) speed up with the reduction of QA.... and the hit on profits is not immediately apparent.... as the company whores its good name and reputation selling shitty software..

          Also... if your mates are from the NSA, FSB, 3PLA or other state sponsored agency,,,, then.. the code shall definitely be there.. albeit in a less discoverable state....

      3. Anonymous Coward
        FAIL

        Re: And thus is why hackers profit...

        While developing an interface to a credit card processing API, I discovered that the security protocols could be bypassed by completely ignoring the encryption key process and connecting directly to the server IP address.

        This meant that I could submit transactions for any known merchant ID - my user ID / passkey pair was irrelevant.

        I notified my tech support contact at the payment processor who said "that's not possible - the system won't let you do that"

        I insisted that I could but he was having none of it.

        If I had an army of smurfs I could have refunded money to debit cards before any of the merchants even realized what had happened.

        Since this was real money and I didn't want to be charged with accessing a system without authorization, I dropped it but I also told the guy that hired me I didn't want to work on the project anymore.

        This was connecting to one of the top five CC payment processors in the world, and this was their legacy Windows desktop application interface, so I dont think it's getting much love compared to the whizzy mobile web stuff.

        I bet it eventually will get some attention - it's such a glaring hole.

        1. Blackjack Silver badge

          Re: And thus is why hackers profit...

          The only thing they update regularly us their webpages and that's only because customers start to complain about Chrome throwing around seguriry warnings. Thankfully even banks nowadays are ditching Flash and Internet Explorer.

          My bank has not updated their mobile app since 2017.

      4. Louis Schreurs Bronze badge

        Re: And thus is why hackers profit...

        Crime pays and it has a colour an id aind green

        The U$A is currently in the process of proving and presenting the facts.

    2. big_D Silver badge
      Facepalm

      Re: And thus is why hackers profit...

      Sort of Ribeiro didn't want money, it is alleged, or rather his main motivation wasn't money. But his bugs were rejected out of hand, because it was a product only for paying customers...

      privately disclosed by security researcher Pedro Ribeiro at no charge.

      I'm guessing a process snafu, where he is not a paying customer, therefore he doesn't get support on those products, so he can't report a bug on those products. A pretty silly chain of failure, but I would guess typical in many companies.

      Researcher: "I have found a bug in xyz."

      Helldesk: "What is your customer ID?"

      Researcher: "I'm an independent researcher, I don't have a customer ID."

      Helldesk: "Without a customer ID, I can't process your request."

      Researcher: "It isn't a request, I'm trying to inform you that you have a serious problem with your product!"

      Helldesk: "But without a customer ID, I can't log a call for you. Are you using a pirated version of our program? Shall I put you through to legal?"

      >click<

      1. Michael Wojcik Silver badge

        Re: And thus is why hackers profit...

        This is why mature organizations have Product Security Incident Response Teams (PSIRTs), which exist precisely to accept reports from researchers through de facto standard channels such as a security@ email address (for which they've published an OpenPGP public key), a "report a vulnerability" web page, and clearinghouses like CERT/CC and ZDI; and then to negotiate with researchers to ensure they're heard and their information is acted upon.

        A process failure like this one indicates a serious failure at the CISO level. A clearinghouse like CERT/CC should have no trouble contacting a company's PSIRT, assuming there is a PSIRT; and if there isn't a PSIRT, that's the failure right there.

        This has all been standard stuff since not long after responsible disclosure was popularized by RainForestPuppy and other researchers.

      2. Anonymous Coward
        Anonymous Coward

        Re: And thus is why hackers profit...

        In the same vein, try reporting a problem with AWS without being an AWS customer... eventually I stopped trying so it may be that they've fixed this problem.

  2. Detective Emil
    Meh

    Hackerone is part of the problem

    Search "hackerone perverse incentive" or similar.

    1. sitta_europea Bronze badge

      Re: Hackerone is part of the problem

      No repetition of this sentiment is too much for me.

      I gave up trying to get any sense out of anyone at hackerone a couple of years ago.

      Me: "I've found this problem and it affects three hundred sites that I looked at."

      Hackerone: "Thank you for the report, please open three hundred tickets."

  3. Doctor Syntax Silver badge

    It might be an unbelievable response from a multi-billion dollar company but it's a totally believable one form a company that has been systemically hollowed out by getting rid of its experienced, expensive staff.

  4. Anonymous Coward
    Anonymous Coward

    "Having said that, I also think it's pretty sad that a multi-billion dollar company like IBM can't scrounge a few dollars to pay security researchers despite being part of HackerOne."

    Meh. They won't scrounge enough dollars to retain experienced staff either. But if you're one of those at the top, they always seem to find some money somewhere.....

  5. Anonymous Coward
    Anonymous Coward

    fair suck of the sav, how can Ginni get her golden parachute, if staff actually have to fix bugs in IBMs software.

  6. Mike 137 Silver badge

    "No-auth remote root exec exploit in Data Risk Manager"

    Oh the irony!

    Unless our security tools become vastly safer than what they're supposed to be managing the security of, we're utterly doomed.

  7. big_D Silver badge

    IBM == ?

    Back in the 80s, I always equated IBM == Incredible Bloody Mindedness.

    Looks like things haven't really changed all that much.

  8. amanfromMars 1 Silver badge

    The IBM Client Dilemma ....... Now sucking on a dry teat ?

    This scenario says it all most succinctly whenever flash cash is both king and no longer king.

  9. Will Godfrey Silver badge
    FAIL

    Does not compute

    Stranger: "Hey! You left your door and a couple of windows open."

    Home Owner: "Fuck off."

    1. James Anderson Silver badge

      Re: Does not compute

      Stranger:

      Hey those locks you installed in a 1000 house can be opened with a paper clip.

      LockMaker:

      Sorry can’t hear you, lah lah lah

  10. disgruntled yank Silver badge

    Enhanced support

    Regular support: vulnerability scanning.

    Enhanced support: vulnerability scanning plus vulnerabilities.

  11. Anonymous Coward
    Anonymous Coward

    IBM duh.

    I had one of their security hardening tools foisted on me. One of the "errors" highlighted was:

    "File '/dev/null' owned by root has global write access"

    The recommended solution:

    "Remove user write permisions from '/dev/null'"

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021