Researchers Find Vulnerability That Enables Accounting Fraud, PwC Decides The Best Response Is A Legal Threat

from the you're-not-helping dept

For years now, we’ve noted that some companies apparently think it’s a good idea to punish security researchers that expose vulnerabilities in their products, even when the researchers use the proper channels to report their findings. This kind of absurdity runs hand-in-hand with international attempts to criminalize security research — or the tools researchers use — to do their jobs. Obviously, this kind of behavior has one tangible end result: it makes all of us less secure.

The latest chapter in this saga of myopic bumbling comes courtesy of PwC, which for whatever reason decided that the best response to a major security flaw found in one of the company’s products was to fire off a cease and desist letter aimed at the researchers. More specifically, Munich-based ESNC published a security advisory earlier this month documenting how a remotely exploitable bug in a PwC security tool could allow an attacker to gain unauthorized access to an impacted SAP system.

The advisory was quick to point out that the vulnerability could allow a hacker to manipulate accounting documents and financial results and commit fraud, if they were so inclined:

“Based on the business processes implemented on the SAP systems on which ACE is installed, this security vulnerability may allow an attacker to e.g. manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions. This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money.”

The researchers say they received the cease and desist threat despite meeting with PwC in August to discuss the flaw. ESNC also gave PwC three months to fix the flaw before issuing their public advisory, in line with the firm’s responsible disclosure policy. ESNC says this was the first time they’d ever sent their research and findings to PwC. It was also the first time they’ve ever been legally threatened for doing their job, despite the discovery of over 100 security vulnerabilities to date. Despite two cease and desist letters, ESNC released their findings anyway — “because it is the right thing to do.”

When pressed for comment, PwC read directly from the tone-deaf playbook, first pointing out that ESNC did not have a license to use this software (irrelevant), then trying to downplay the fact that the vulnerability could enable accounting and financial fraud:

“ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff,” said the spokesperson.

“The bulletin describes a hypothetical and unlikely scenario — we are not aware of any situation in which it has materialized,” the spokesperson said.

This kind of behavior has always been, for lack of a more scientific term, blisteringly idiotic. But it’s becoming more of a problem with the rise of the internet-of-poorly-secured things, which has amplified exponentially the number of attack vectors and product vulnerabilities in the wild. With security researchers now clearly warning us that the failure to secure these products will inevitably result in human fatalities at scale, this ongoing attempt to criminalize security research needs to be considered a criminal act in and of itself.

Companies: esnc, pwc


Comments on “Researchers Find Vulnerability That Enables Accounting Fraud, PwC Decides The Best Response Is A Legal Threat”

26 Comments
That One Guy (profile) says:

"We're not aware of anyone killed by the lack of airbags in our cars to date, so I'm sure it's not a problem."

"The bulletin describes a hypothetical and unlikely scenario — we are not aware of any situation in which it has materialized," the spokespersons said.

That’s not just stupid, it’s stupid to the point that the person who said it should be fired on the spot as being directly harmful to the company and its image. Great, it hasn’t happened yet; that doesn’t mean it’s not a good idea to make sure that it can’t happen before it does.

If they’re only worried about what has happened rather than what might, unlikely as it may be, then it’s pretty clear that people should avoid that company like everyone there has the black plague, as they are demonstrating incredibly poor planning and security skills, and are not a company anyone who values either should want to knowingly have anything to do with.

Anonymous Coward says:

Re: "We're not aware of anyone killed by the lack of airbags in our cars to date, so I'm sure it's not a problem."

It was the standard of Microsoft in the old days.

The “It is not cost-effective to correct security holes unless they are proven to be used”-mentality.

In this case PwC has a reputation to uphold and as soon as the words “accounting fraud” are uttered about them or something relating to them, they are in panic mode.

IRT. availability of the program it seems strange that they didn’t present that concern at the meeting with the researchers beforehand and that they are talking up “obscurity as security”. They are really pulling the wrong lever in relation to media-handling here. They can only hope that they represent enough major media to keep the story on the down low.

Anonymous Coward says:

“failure to secure these products will inevitably result in human fatalities at scale”

Works for me! I grow tired of all the little consumer bitches running around asking for everyone else to keep them safe while contributing nothing to the same.

If people stopped buying shit in an insane attempt to keep up with the Joneses we could bring this under control.

“my people are destroyed from lack of knowledge”

I even have friends that just laugh my tin foil hat off my head when I tell ahead of time about things like this, but later I have to tell them to stop bitching because they perpetuated their own pain.

Thad (user link) says:

Re: Re:

Not sure if trolling or just stupid.

I grow tired of all the little consumer bitches running around asking for everyone else to keep them safe while contributing nothing to the same.

I’ve already pointed this out once today, but to reiterate: this attitude assumes that the only people affected by insecure computing devices are the purchasers of said devices.

Check a calendar; you’ll find it’s not 1994, and this "Internet" thing has really taken off.

The people who are being harmed by malware installed on unsecure devices are not the same people who created, bought, or sold the devices, they are innocent third parties.

You think Brian Krebs’s website was DDoSed because he is, quote, a "little consumer bitch[] running around asking for everyone else to keep [him] safe while contributing nothing to the same"?

Anonymous Coward says:

i have worked several times on classified projects, and many among us got the very vivid impression that security is basically a confidence game aimed at making people believe that some semblance of security is in place. that the people involved here want to criminalize exposure of their lack of diligence and caution simply shows what a con-job they, too, are trying to swoosh past us.

we are a playing card castle just begging for the right breeze with many a blame-finger locked and loaded.

Anonymous Coward says:

Re: Re:

“many among us got the very vivid impression that security is basically a confidence game aimed at making people believe that some semblance of security is in place.”

This is called security theater. Visit an airport in America… you can get a good lengthy dose of it.

Same goes in corporate America. I will watch mega expensive things happen to secure something that cannot be really secured by its nature… but it sure does make people FEEL secure… like the badge locks and security checkpoints in your building. Put on some makeup, get a fake ID and no one knows who you are. Wait by the door until an employee unlocks it for you and you are in. No employee will seriously challenge people walking in behind them.

Real security means that all egress and ingress are secured in a fashion that does not easily allow the things I just mentioned.

Let’s not even get into software security… which is a big big joke anyways.

art guerrilla (profile) says:

Re: Re:

at a non cow 11:08
yep, worked for engrng firm where had to undergo backgnd chk and get clearance to work on ‘top secret’ projects, which were mostly repurposing old army bases and bombing ranges for civilian use…
firstly, ‘security’ clearance for these projects was w-a-y overkill… secondly, they had ALL KINDS of supposed security systems in place, secured faraday room, blah blah blah, NONE of which was ever used or security protocols followed once we started the actual projects… it was ALL just expensive bullshit which was never used…
not to mention, the clearance process itself was BS…

art guerrilla (profile) says:

Re: Re: Re:

oh, as an aside, one reason the security protocols were not followed, is they were so onerous and over-the-top, there was NO WAY to make the process work effectively while getting real work done…
i would bet dollars to donut holes that is what happens 90% of the time: the process is so stilted, NO ONE follows them… sure, on paper, they are super-secure, in reality, all that bullshit is ignored…

Roger Strong (profile) says:

"The "Rebel Alliance" did not receive authorized access or a license to use the Death Star plans. The plans are not publicly available and are only properly accessed by those with licenses, such as Empire military staff working with trained Empire engineers," said the spokesperson.

"The bulletin describes a hypothetical and unlikely scenario regarding a two-meter thermal exhaust port — we are not aware of any situation in which it has materialized," the spokespersons said.

Anonymous Coward says:

Maybe the researcher will be hired when PWC cleans house

I honestly can’t imagine how PWC can come out of this without some external 3rd parties certifying that the vulnerability is not only corrected, but any accounts that may have been modified (hint: without one, you have to assume they all were) match all expected results including backups.

Arthur Moore (profile) says:

PwC Screaming "Hack Me"

If I were a company using one of these products I’d be rather unhappy.

Businesses, especially ones large enough to have this software, tend to like stability and abhor risk. Especially in core infrastructure.

It’s why they’re willing to pay so much money to Oracle for something that free products do just as well. Corporate inertia means they’re not willing to face the possibility of breakage when moving to a new back end.

PwC is relying on their products being so complicated and integral to companies that no one will switch. Unfortunately, they’re probably correct. However, this may prevent new businesses from using their software. Plus, companies will implement stopgap measures, like stopping using the fancy features of the software that require extra connectivity. Not a good way to keep customers in the long run.

The trick is to explain to the CFO that hacks to such a system don’t just mean theft. If they understand that an SAP system hack means potential securities fraud they start paying attention.
