The difficulty of disclosure and how to do it right
A couple of days ago I learnt from IDG about the disclosure of 100 e-mail accounts belonging to parliaments and other high-profile targets world-wide. The incident is also covered in international zines like the Register and Vnunet.
What's interesting about this is the consultant's decision to disclose the information, and his reasoning:
“Here is a list with working passwords to exactly 100 email-accounts to Embassies and Governments around the world. Yes it’s the real deal and still working when we are posting this. So why in the world would anyone publish this kind of information? Because seriously, I’m not going to call the president of Iran and tell him that I got access to all their embassies.”
Leaving aside the ethical and moral discussion, which is in fact too obvious to warrant one, let's focus instead on the difficulty of disclosing this kind of information. Let's identify the difficulties of informing 100+ victims that their e-mail accounts have been compromised:
- Who do we inform of the compromised accounts? We can try the accounts themselves, but we can't be sure that someone using the stolen credentials doesn't simply delete the e-mail. Do all parliaments have a website? Do they have a technical contact? Just searching for an e-mail address to send the information to might be very time consuming.
- Who would understand what we were saying? Even though saying "I have login credentials to your e-mail and can read your e-mail" would likely catch anyone's attention, few would understand the extent and seriousness of this. Just getting their attention might be time consuming.
- Who would believe what you were saying? Prove it, they would say. Yeah, on 100+ accounts.
So what should you do?
- Contact and inform your national incident response team of the situation. Hand them the information and let them own the case. They have the time and resources, and will likely be very keen to help, especially in this case since it is of national interest. I, for instance, would contact SITIC.
- Another possibility is to work with a security partner that has the contacts, experience and resources to notify the customers.
This is an example of why we need the security industry.
