Re: CVEs for FinTech



My concern is less about this specific incident, and more about bringing them and others "into the fold" of CVE as it were. Apparently my bathroom scale also needs a CVE https://help.fitbit.com/articles/en_US/Help_article/How-do-I-update-my-Aria-scale/ 

On Sun, May 1, 2016 at 9:32 PM, Art Manion <amanion@cert.org> wrote:
On 2016-05-01 10:15, Scott Lawler wrote:
> I do.   I'll reach out to them to find the right person to talk to.
>
> Something to think about is whether or not CVE should be tracking vuls
> in systems-of-systems (like SWIFT) or do we stay at the lower level of
> operating systems, application software, etc.
>
> There are thousands of larger systems made up of an infinite set of
> vulnerable sub components--with common vuls.
>
> Thoughts?

Can't say I'm read up on the SWIFT attack(s), but I didn't see any
evidence of a vulnerability (technical vulnerability, not
general/dictionary vulnerability).  SWIFT is a protocol?  Are there
security problems with the protocol design?  Implementation defects in
software that implements SWIFT?  Insider + malware?

 - Art


> On May 1, 2016, at 12:37 AM, Kurt Seifried <kseifried@redhat.com
> <mailto:kseifried@redhat.com>> wrote:
>
>> http://www.theregister.co.uk/2016/04/29/bangladesh_swift_mega_hack_analysis/
>>
>>
>> seems like SWIFT security vulns would be worth CVE, does anyone have
>> contacts at SWIFT they can reach out to?
>>
>> --
>> Kurt Seifried -- Red Hat -- Product Security -- Cloud
>> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>> Red Hat Product Security contact: secalert@redhat.com
>> <mailto:secalert@redhat.com>



--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: May 04, 2016