10

This issue is more political than technical.

The organization has a lot of computers that connect via web browser to a central database. Customers are regularly left unattended with physical access to the terminals for over 15 minutes at a time. I reported that they are vulnerable to hardware keyloggers. The official IT response was, "We are aware of that possibility, and have a solution. Getting passwords would not do an attacker any good." But the higher-ups wouldn't let him say anything more -- security through obscurity.

The point is: I think they are bluffing. I don't know what their solution is, but there are hundreds of attack vectors open when you have physical access. Are they really just not worried about it because the risk (probability of attack) is low enough to trump the cost of improving physical security? How do I get them to listen? Is it even worth the effort?

Terrel Shumway
    "Is it even worth the effort?" Doesn't sound like it. Are you involved with the company in some way? – Abe Miessler Aug 28 '13 at 21:56
  • 2
    @Abe I am a customer. They are holding my data. I am not as paranoid about it as the authors of HIPPA. – Terrel Shumway Aug 28 '13 at 23:02
  • If they don't care about what you say they might as well not care about your data anyway. Can you switch to a more caring organization? – Marcel Aug 29 '13 at 11:57
  • 1
    @Marcel: I wish I could. It is rare for a de facto monopolist to care very much about what it's customers think. – Terrel Shumway Aug 29 '13 at 13:11
  • The HD Moore method is to notify the company, wait 15 days, notify CERT, wait 45 days, if CERT releases anything then call the press, even if CERT doesn't release anything (and even if they do) then start building a module for Metasploit, commit it to unstable, and make sure it gets committed to master within 30 days – atdre Mar 10 '15 at 18:30

2 Answers

10

Since you are a customer of the company it might give you some more options. A few things worth considering:

  • Write a letter to the CEO of the company. Make a copy of the letter and send it to the person you spoke with as well as their manager.
  • Notify the press if you think you can find anyone who would be interested in the story.
  • File a complaint with the Better Business Bureau (if you are in the US) and send it to the CEO.
  • Take your business somewhere else and tell them why you are doing it.

Honestly I think there is very little chance any of these will work, but it sounds like they are shining you on right now so your options are limited.

Abe Miessler
2

You DID report it. It is not your responsibility to make them listen. In the end, it is their company, their risks, their costs to solve the problem.

You have made the appropriate effort - you have no leverage to apply any further effort.

schroeder