Federation EN Fri 25.04.2025 16:54:40 Sooo say you’d found a vulnerability with a protocol used by the majority of OT devices of a particular kind… How might you disclose that given there’s potentially billions of devices currently using it across thousands of vendors?
Federation EN Fri 25.04.2025 16:56:37 @SecurityWriter I would literally post it here at this point. I learned my lesson with OT vendors. Fuck them.
Federation EN Fri 25.04.2025 17:02:25 @cR0w this feels like a very good way to get very sued, very fast given the scale of this.
Federation EN Fri 25.04.2025 17:07:22 @SecurityWriter Maybe. But I also wouldn't be surprised if it's something already known. There seems to be a lot of hush-hush denial about them but they're out there.
Federation EN Fri 25.04.2025 17:15:02 @cR0w @SecurityWriter make a nominally useful mobile app that leverages the vuln and sell it to integrators.
Federation EN Fri 25.04.2025 17:22:21 @h2onolan @SecurityWriter What's funny about that is back before smartphone apps, an integrator / engineer complained to me about having to go to sites with password-protected PLCs and ladder logic files but the previous engineer had been fired or quit so no one had the passwords. I found an auth bypass and shared it and a large PLC manufacturer threatened to sue me over it.
Federation EN Fri 25.04.2025 17:33:41 @cR0w @h2onolan @SecurityWriter one option is to contact a CERT. depends on what the vuln is and who it affects etc. at one point, dhs/cert here in the US was acting as kinda like a micro-cisa before cisa was around and would actually pick up the phone to call system owners to get them to shape up. but even then it was still a struggle
Federation · Fri 25.04.2025 17:39:21 Make an anonymous throwaway account?
Federation DE Fri 25.04.2025 17:45:45 @cR0w @SecurityWriter OT?
Federation EN Fri 25.04.2025 18:09:02 @cR0w @SecurityWriter ...what does "OT" stand for?
Federation EN Fri 25.04.2025 18:10:51 @ryanc @SecurityWriter Operations or Operational Technology. It's mostly used as a way to keep IT's hands off gear they have no business touching.
Federation EN Fri 25.04.2025 16:58:24 @SecurityWriter Personally I'd have the devices all start playing a sound clip of the giggle from the Doctor Who 60th Anniversary special and then shout "ALL YOUR BASE ARE BELONG TO US!" but there may be other, less well measured, ways to disclose this vulnerability.
Federation EN Fri 25.04.2025 17:06:09 @SecurityWriter If there's no single maintainer of the protocol, I might attempt to reach out to any big vendors who contribute to it/maintain implementations of it (assuming open source or some kind of industry standard). We come across this in healthcare frequently, and my position is usually that disclosure before an attempt at remediation/mitigation favors the bad guys.
Federation EN Fri 25.04.2025 17:08:56 @mttaggart @SecurityWriter I can see that in healthcare, but in OT, there tends to be a response of "can't patch, won't patch" unless something forces their hand. I hate it but I do think that disclosure in the long run can be the better route. But I admit, it's also hard to know beforehand which will be more effective.
Federation EN Fri 25.04.2025 17:14:41 @cR0w @SecurityWriter I assure you, "can't patch, won't patch" is the norm here too. But a good faith effort is a solid CYA move before disclosure. I have CVEs that I've requested after attempting other channels, but at least that attempt is on record.
Federation EN Fri 25.04.2025 17:23:04 @mttaggart @SecurityWriter That's fair as long as you don't enter a non-disclosure or any kind of ridiculous embargo.
Federation EN Fri 25.04.2025 17:10:56 @mttaggart this is my approach too. But 100% this won’t be mitigated by all but the most twitchy vendors. It would go against the RFC, too.
Federation EN Fri 25.04.2025 21:45:34 If it's an RFC level protocol problem, you might try contacting the RFC authors. If there's a common library or two that everyone uses to implement the protocol, you might talk with those maintainers as well.
Federation EN Fri 25.04.2025 17:08:48 @SecurityWriter I would create a Signal group and write it in there.
Federation CA Fri 25.04.2025 17:35:55 @SecurityWriter any authority you may trust, or any CERT you think deserves your trust.
Federation EN Fri 25.04.2025 17:37:44 @SecurityWriter approach your national CSIRT. They can help you. A European national CSIRT can also help you remain anonymous (maybe not so relevant in this case?): "Member States shall ensure that natural or legal persons are able to report, anonymously where they so request, a vulnerability to the CSIRT designated as coordinator."[1] Another approach would be to contact an organisation like the OT ISAC, and ask them to direct you to the right party to help you along (which is not them).[2]
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022L2555
Federation EN Fri 25.04.2025 17:41:31 @SecurityWriter drop it like it's hot.
Federation EN Fri 25.04.2025 17:54:46 @SecurityWriter I've worked through multiple disclosures through VINCE and would recommend them for this sort of vulnerability coordination. They are well suited for large multivendor coordination.
Federation EN Fri 25.04.2025 17:55:29 @SecurityWriter mail ds@ccc.de - they know who can help you
Federation EN Fri 25.04.2025 20:46:25 @wonka @SecurityWriter No, disclosure@ccc.de it is.
Federation EN Fri 25.04.2025 18:05:29 @SecurityWriter There are disclosure services that protect your identity and know the legalese. There is the @CCC that does this, for example. While they are located in Germany, they'll probably also help out citizens of other nations (if you wanna reach out to them: disclosure@ccc.de) - but there are probably organizations that offer similar services in other countries as well, I'm just not aware of them. Maybe other fedizens can help out with that
Federation EN Fri 25.04.2025 19:07:43 @SecurityWriter sounds like modbus / ethercat 🍿