
Re: CVEs for FinTech



On 2016-05-01 10:15, Scott Lawler wrote:
> I do.   I'll reach out to them to find the right person to talk to.  
> 
> Something to think about is whether or not CVE should be tracking vuls
> in systems-of-systems (like SWIFT) or do we stay at the lower level of
> operating systems, application software, etc.  
> 
> There are thousands of larger systems made up of an infinite set of
> vulnerable sub components--with common vuls.  
> 
> Thoughts?

Can't say I'm read up on the SWIFT attack(s), but I didn't see any
evidence of a vulnerability (technical vulnerability, not
general/dictionary vulnerability).  SWIFT is a protocol?  Are there
security problems with the protocol design?  Implementation defects in
software that implements SWIFT?  Insider + malware?

 - Art


> On May 1, 2016, at 12:37 AM, Kurt Seifried <kseifried@redhat.com> wrote:
> 
>> http://www.theregister.co.uk/2016/04/29/bangladesh_swift_mega_hack_analysis/
>>
>>
>> seems like SWIFT security vulns would be worth CVE, does anyone have
>> contacts at SWIFT they can reach out to?
>>
>> -- 
>>
>> --
>> Kurt Seifried -- Red Hat -- Product Security -- Cloud
>> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>> Red Hat Product Security contact: secalert@redhat.com


Page Last Updated or Reviewed: May 02, 2016