Slashdot Mirror
Reporting Vulnerabilities Is For The Brave
An anonymous reader writes "A recent post on the CERIAS weblogs examines the risks associated with reporting vulnerabilities. In the end, he advises that the risks (in one situation, at least) were almost not worth the trouble, and gives advice on how to stay out of trouble. Is it worth it to report vulnerabilities despite the risks, or is the chilling effect demonstrated here too much?"
I think a vulnerability can be reported anonymously quite safely (for a good deal of people anyway). Try the following:
1) Get a laptop with wireless.
2) Boot with knoppix, change mac adress.
3) Walk around until you find unsecured AP.
4) Post said vuln everywhere (including
-wmf
This raises a good point. There are many circumstances that exist where "doing the right thing" has potentially negative consequences.
* Picking up a hitchhiker
* Peporting evidence of theft from a company (retaliation, backlash if employee is exanerated)
There's more than my limited mind can produce.
No really. Why should that be OK? Is it OK for someone to walk around the neighborhood and try turning all the doorknobs? How about pushing the doors open to see if they're bolted? Should they take a picture from inside and send it to the homeowner as proof that someone could get in? Should you be suprised when someone tries to prosecute such a person? Sorry for the analogy, let's just try to answer the first question about hacking without authorization - why do people think that's OK?
"where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem."
Been there, done that. Got arrested, got lucky, found not gulty for all but one charge, but lost three computers becose the cort did figure out it was wrong of me to use a pwd (I did test the flaw, big mistake), even if it was on a public C: drive for everyone to see and in a clear text file. I am never going to report a bug in a computer system in a school, company or somewhere else agen. Don't care what the type of the flaw is or who it is, it is there own problem, they can handle there own infestation.
This story is true...
It's easy to spoof email addresses with a very simple PHP script.
I decided one day to trick one of my collegues. I sent him an email 'from' one of our very attractive collegues (in a fairly distant department so I thought it safe at the time) complimenting him on his physique and machismo. I used her real email address as the 'spoof' address, which being the dumbass he is, he replied to. In a manner that would not be considered acceptable in a work enviroment lets say...
Well, I got in trouble for this. (Everyone where I work already knew I was the only one capable of something like this... [lame] So that same afternoon I was called into my bosses office. He was quite frank, and also remember that I value my job here, he said "That email... You had something to do with it didn't you?"
I said that I was the cause of that little incident by way of one of my scripts. I said I was sorry it went as far as it did, and my boss accepted that.
After that my boss said, "Do you have any other things you wish to report?" I decided that I'd come clean with everything I'd found out about the work network. I told them that using the citrux system, I could remotely control anyone on the networks PC. I told them I could spoof emails from anyone... Which resulted in my company rejecting email authorisation for crediting invoices full stop.
OK, through a prank I caused my company a bit of upset... But I, in turn, improved systems indirectly. And all this because I exposed one weakness, and upon my bosses asking me about it - I told all. As I'm sure any loyal employee would do. Through exposing a weakness in my company, I concentrated effort on plugging those holes.
I have two times found and two times reported vulnerabilities I have found in public web based systems.
Let me tell you, it was not easy. Here's the story of the first time because it's the most interesting.
I worked for a community college in its' tech department. Alot of my time was devoted to answering phones and helping faculty with problems, which did leave me idle alot. (high availability requires high idle time as a concequence). As a tinkrer, my idle time is never spent truly idle, but pursuing things that don't require 100% attention.
The community college I worked for had many different systems, and as such had many many translation layers between them. One of these transition layers was a transition from a "Portal" type website to another website that handled student information. (class registration, transcripts, billing, paying, you know all that important personal stuff).
Anyway, I found a flaw in one of the scripts used to authenticate a user session to the second web service. The flaw was that the moron who coded it decided that creating a script that accepted 1 variable (the username) was enough security to authenticate a login.
by closely observing the scripts actions through my web browser, i noticed there were 2 very quick redirects. Focusing my efforts there (and logging my URL requests), i found the call to the script that required only the username.
So, basically, at that point I had access to anyones student account that I had the username for.
I documented it very well in a long email, and demonstrated the flaw to my coworkers. I thought I would be a real hero for finding it; I mean afterall, if I had found it who knows who else might have? surely, disaster averted!
But... my idealism in the situation was met hard with reality. My inexperience led me to not take into account factors I should have.
After reporting the vulnerability, a minor investigation was launched which I was the subject of. I felt more like a crminal than a saint. After demonstrating how I could login to their accounts, my coworkers were suspicious as were my superiors. The thought pattern seemed to go like "Well shit if he can do that, what else has he done? Why was he even poking around there in the first place?".
While never actually accused of any wrong doing, they weren't nearly as impressed with my find as i thought they would be. I was looking for a pat on the back, maybe a bonus, but instead my superiors were troubled and nervous. I'm not sure if I was right in feeling this way, but I never felt quite fully trusted there again after that one.
The other thing I didn't think about was how the existance of the error then impeached the person who wrote it. rightfully so, because it was a FOOLISH error, but the guy who wrote it was a guy who had been employed there far longer than I, and of course having me find it and dismantle it presented quite an embarassment to him.
I ended up leaving the job there 6 months later for a variety of reasons, but reporting the vulnerability was one of the 2 or 3 core reasons that I left. I don't regret it all and would do it the same way again, but going through it taught me alot about how to NOT be someones boss (should I ever become one in the future), and not react in the accusatory manner like my superiors did.
I had worked for the Cuyahoga Falls School District in IT. I had noticed that on NeoNet's (Our Internet Provider) FTP server that anonymous was able to download, upload, and delete any file on the server. I reported this in October 2000 to NeoNet, they did nothing about it. In March of 2001 I was laid-off due to financial issues in the school district. Weeks later, the schools web site was replaced with a porn site using the anonymous login. They immediately assumed it was me. Luckily they were able to track it down to a student at the school. They then immediately fixed the FTP problem.
--
Free Linux Shells!
NicoNet 2000
We should be back up now. Here's a tip: unless you have a huge amount of RAM so you can up your MaxClients, Apache is much happier with persistent connections "Off" when dealing with Slashdot visits.
Its called the Law of Unintended Consequences. Too bad so many people in positions of authority are not aware of this.
...Basically, I was job hunting and a friend directed me to a website of his company who was hiring. Now, instead of typing "www.company.com" i typed in "company.com". Boom, I'm presented with a database login. Hmm, I thought this was maybe for the job search, and didnt see a register button, so I just hit login. I was then presented with what I THOUGHT was a fake database...kind of like the example php websites you can "login" to to get a taste for the app. I wasn't 100% sure, but eventually decided to try running a sql command...I changed all the company descriptions (it was a hiring agency) to "Change your admin password!" I then realized (late I know), that this was a REAL database after more poking around and finding real names/phone #'s/emails. I found the head of the company's email and politely told her there is a SERIOUS hole in her system. She (VERY) quickly responded with her phone number that I already knew and asked me to call. So, being the good citizen that I was, I called. Ha! She immediately asked my personal information which I was hesitant to give, and resorted to only giving my first name. Then she connected me with the "IT guy" if you could call him that, and I explained what I had did and how I did it. Throughout this whole conversation I was very nervous and got the feeling that I was being criminalized. After the whole ordeal was over (luckily they had backups), she offered me the job that I was initially seeking, but I politely refused stating I didn't feel comfortable working for a company that was as insecure as hers.
A friend of mine once noticed a mains power anomaly being reported on a regular basis by his APC SmartUPS. He reported it and provided the info from the power supply's automated report to power company. Later that day, he got a call from the police wanting to know why he knew so much about the power system - the power company had "turned him in". The police accepted his explanation, but he (and I) were a bit taken aback by the incident.
BTW, where is your sig from? I like it. I'm still trying to learn those virtues, though...
In 1988, on the first BBS I ever called, I found a vulnerability one day. It was a configuration error that allowed any user to elevate themselves to sysop status. Thinking I was being helpful, I reported it to the sysop. The next call, I was shocked to find myself locked out. Eventually the co-sysop persuaded the sysop to let me back on, but I was "on probation".
/var/spool/mail/ were set readable and writable by the "mail" group. Also, "pine" was setgid mail. I could start pine, Compose a new message, and then ^R anybody's inbox right into it. One of the sysadmins had three megs of messages in his inbox, and some of them included credit card numbers. But like I say, I'd learned my lesson; I reported nothing. (Don't worry, that ISP later got assimilated by a bigger one, and that particular email system is long gone.)
So of course I learned my lesson, and I never reported any vulnerability to anyone, ever again. Found them, though.
Here's my favorite: On my first ISP (shell account), files in
Share and Enjoy: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
You are right, and this highlights a critical factor. As long as the website is working fine (commercial nor otherwise) the owner's attitude is usually, "Step right up and join in the fun" or "Get em while they're hot" or "Read my wisdom" and basically acts like he is standing in the center of the marketplace.
."
But the instant that anyone discovers, say, an account with username "user" and password "user" or a server vulnerable to putting ".." in the URL, suddenly the 'house' analogy gets whipped out: "OMG, this is like you just walked into my bedroom when I'm having sex with my wife and you started taking pictures and singing Old Lang Syne! How violated I am, you cad! My website is like my house
But they can't have it both ways. This shows the serious schism in the averge site owner's understanding of just what a web site is -- what it means that millions of people can read the pages you are serving up, and often can affect things on your server. Both analogies are kind of weak, but the second is a lot weaker.
$META_SIG_JOKE
I once found an issue on a university network.
It turned out that for a number of the windows labs, available to all students, you were always logged in as administrator. When I reported this issue (along with a list of actions I could perform that would be cause damage to the University or its students), I got the brush off. At the time I considered exploiting this to demonstrate the problem. I'm glad I didn't.
This is a few years ago but it was interesting that there was a total disregard for any security concerns with that particlular section of IT support.
meh