Juniper Networks has pulled a talk by its employee, security researcher Barnaby Jack, from the Black Hat conference later this month.
The talk, in which Jack was to demonstrate an exploit, was titled “Jackpotting Automated Teller Machines”.
“Juniper believes that Jack’s research is important to be presented in a public forum in order to advance the state of security,” the company said in a statement late last month. Today, however, Juniper Networks has reversed course and released the following media statement.
“The vulnerability Barnaby was to discuss has far reaching consequences, not only to the affected ATM vendor, but to other ATM vendors and–ultimately–the public,” wrote Brendan Lewis, director of corporate social media relations for Juniper in a statement posted to the company’s official blog last week. “To publicly disclose the research findings before the affected vendor could properly mitigate the exposure would have potentially placed their customers at risk. That is something we don’t want to see happen.”
The disappointing aspect of this story is that Juniper was initially happy with full disclosure and has now, under pressure from the ATM vendor, decided to pull Jack’s presentation.
This is just another glaring example of security through obscurity: hide the problem and no one will know it exists, and, more to the point, ignore it long enough and it will go away. Pulling the talk does nothing to the vulnerability itself; the affected machines are exactly as exposed today as they were before, and the only people who now lack the details are the defenders and customers who might have demanded a fix.
Full disclosure is the only method some companies respond to. Given how critical this vulnerability is, the vendor should address it immediately and stop making excuses. Rather than spending time and effort getting Jack’s talk pulled by his employer, the ATM vendor should have invested that time and money in fixing the vulnerability.