Slashdot Mirror
Reporting Vulnerabilities Is For The Brave
An anonymous reader writes "A recent post on the CERIAS weblogs examines the risks associated with reporting vulnerabilities. In the end, he advises that the risks (in one situation, at least) were almost not worth the trouble, and gives advice on how to stay out of trouble. Is it worth it to report vulnerabilities despite the risks, or is the chilling effect demonstrated here too much?"
I think a vulnerability can be reported anonymously quite safely (for a good deal of people anyway). Try the following:
1) Get a laptop with wireless.
2) Boot with knoppix, change mac adress.
3) Walk around until you find unsecured AP.
4) Post said vuln everywhere (including
-wmf
All things considered, it's a whole lot safer (not to mention more profitable) to notify the black hats about vulnerabilities rather than the vendors or the public.
Lacking <sarcasm> tags,
Open Source projects don't interrogate and try to prosecute you if you find a security problem and report it.
What you did was open the door litigation against Bob's Software for negligence. Bob's Software doesn't want the flaw to become public. When you stand up and point the finger at Bob's Software, they will be looking for someone to pass on the litigation fees to, so you get sued. Not only that, someone needs to be made an example of so others don't try it in the future.
Anonymous email accounts are easy to come by. Send an anonymous announcement to the Full Disclosure mailing list and be done with it. Otherwise you're risking the legal bills of fighting whatever company decides to sue you.
Coincidentally the quote on the bottom of the page when this was posted:
I stick my neck out for nobody. -- Humphrey Bogart, "Casablanca"
Ah well, at least we'll always have Paris.
You can't talk about Wikipedia's flaws on Wikipedia
of course, this means that everyone else finds out about vulnerabilities first. This might not be exactly what they wanted when they make it illegal to report.
"It is a greater offense to steal men's labor, than their clothes"
I think a vulnerability can be reported anonymously quite safely
And you can even get paid for doing it! Remember the Zero Day Initiative that was on the news a while back? They guarantee anonymity.
That's all quite true.
At that point, anything serious that happens, say Program causes some other company to lose lots of money, puts Bob's Software as a responsible party for allowing this known flaw to exist.
And, if software were like any other tangible (and most intangible) products/services in the world, you would be correct here as well. Unfortunately it's not, so you're not. Why? Those lovely click-wrap EULA licenses explicitly and specifically disclaim all liability, including even fitness for purpose. Look at almost any EULA out there and you'll see that usually the most you could possibly recover, even if this software somehow manages to kill you, through gross negligence or otherwise, is the price you paid for it.
Of course, Bob's Software doesn't want to part with your money, so your point is still partially valid. However, I think we shouldn't overlook the fact that we're not talking about huge product liability lawsuits, and yet they're treating disclosures as if we were. Basically they're trying to have their cake (EULA dislaimers) and eat it (prevent disclosures) too.
They would, it seems, be doing fairly well at both right now.
"where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem."
Been there, done that. Got arrested, got lucky, found not gulty for all but one charge, but lost three computers becose the cort did figure out it was wrong of me to use a pwd (I did test the flaw, big mistake), even if it was on a public C: drive for everyone to see and in a clear text file. I am never going to report a bug in a computer system in a school, company or somewhere else agen. Don't care what the type of the flaw is or who it is, it is there own problem, they can handle there own infestation.
This story is true...
It's easy to spoof email addresses with a very simple PHP script.
I decided one day to trick one of my collegues. I sent him an email 'from' one of our very attractive collegues (in a fairly distant department so I thought it safe at the time) complimenting him on his physique and machismo. I used her real email address as the 'spoof' address, which being the dumbass he is, he replied to. In a manner that would not be considered acceptable in a work enviroment lets say...
Well, I got in trouble for this. (Everyone where I work already knew I was the only one capable of something like this... [lame] So that same afternoon I was called into my bosses office. He was quite frank, and also remember that I value my job here, he said "That email... You had something to do with it didn't you?"
I said that I was the cause of that little incident by way of one of my scripts. I said I was sorry it went as far as it did, and my boss accepted that.
After that my boss said, "Do you have any other things you wish to report?" I decided that I'd come clean with everything I'd found out about the work network. I told them that using the citrux system, I could remotely control anyone on the networks PC. I told them I could spoof emails from anyone... Which resulted in my company rejecting email authorisation for crediting invoices full stop.
OK, through a prank I caused my company a bit of upset... But I, in turn, improved systems indirectly. And all this because I exposed one weakness, and upon my bosses asking me about it - I told all. As I'm sure any loyal employee would do. Through exposing a weakness in my company, I concentrated effort on plugging those holes.
You're assuming someone tried to hack it. It's not impossible to stumble into a bug. I was using a "training" site at work a few years ago (we're required do the same training/test every year) and hit the wrong button accidentally. I then hit the back button so I could click on the button to print a "certificate". As it turns out, I was then logged in as another user.
Do you think I should have reported this? Should I have ignored the issue? I had access to another person's training records without authorization. No doubt someone could have gained access to mine as well. On the other hand, I'm not interested in being prosecuted for something this silly.
GPL: Free as in will
I have two times found and two times reported vulnerabilities I have found in public web based systems.
Let me tell you, it was not easy. Here's the story of the first time because it's the most interesting.
I worked for a community college in its' tech department. Alot of my time was devoted to answering phones and helping faculty with problems, which did leave me idle alot. (high availability requires high idle time as a concequence). As a tinkrer, my idle time is never spent truly idle, but pursuing things that don't require 100% attention.
The community college I worked for had many different systems, and as such had many many translation layers between them. One of these transition layers was a transition from a "Portal" type website to another website that handled student information. (class registration, transcripts, billing, paying, you know all that important personal stuff).
Anyway, I found a flaw in one of the scripts used to authenticate a user session to the second web service. The flaw was that the moron who coded it decided that creating a script that accepted 1 variable (the username) was enough security to authenticate a login.
by closely observing the scripts actions through my web browser, i noticed there were 2 very quick redirects. Focusing my efforts there (and logging my URL requests), i found the call to the script that required only the username.
So, basically, at that point I had access to anyones student account that I had the username for.
I documented it very well in a long email, and demonstrated the flaw to my coworkers. I thought I would be a real hero for finding it; I mean afterall, if I had found it who knows who else might have? surely, disaster averted!
But... my idealism in the situation was met hard with reality. My inexperience led me to not take into account factors I should have.
After reporting the vulnerability, a minor investigation was launched which I was the subject of. I felt more like a crminal than a saint. After demonstrating how I could login to their accounts, my coworkers were suspicious as were my superiors. The thought pattern seemed to go like "Well shit if he can do that, what else has he done? Why was he even poking around there in the first place?".
While never actually accused of any wrong doing, they weren't nearly as impressed with my find as i thought they would be. I was looking for a pat on the back, maybe a bonus, but instead my superiors were troubled and nervous. I'm not sure if I was right in feeling this way, but I never felt quite fully trusted there again after that one.
The other thing I didn't think about was how the existance of the error then impeached the person who wrote it. rightfully so, because it was a FOOLISH error, but the guy who wrote it was a guy who had been employed there far longer than I, and of course having me find it and dismantle it presented quite an embarassment to him.
I ended up leaving the job there 6 months later for a variety of reasons, but reporting the vulnerability was one of the 2 or 3 core reasons that I left. I don't regret it all and would do it the same way again, but going through it taught me alot about how to NOT be someones boss (should I ever become one in the future), and not react in the accusatory manner like my superiors did.
In the article, it's talking about students noticing security issues in web applications that they are using. If you accept the physical property analogy at all, this is more "seeing that a door that should be secured was left open".
-- The act of censorship is always worse than whatever is being censored. Always.
CERIAS Weblogs Reporting Vulnerabilities is for the Brave
I was involved in disclosing a vulnerability found by a student to a production web site using custom software (i.e., we didn't have access to the source code or configuration information). As luck would have it, the web site got hacked. I had to talk to a detective in the resulting police investigation. Nothing bad happened to me, but it could have, for two reasons.
The first reason is that whenever you do something "unnecessary", such as reporting a vulnerability, police wonder why, and how you found out. Police also wonders if you found one vulnerability, could you have found more and not reported them? Who did you disclose that information to? Did you get into the web site, and do anything there that you shouldn't have? It's normal for the police to think that way. They have to. Unfortunately, it makes it very uninteresting to report any problems.
A typical difficulty encountered by vulnerability researchers is that administrators or programmers often deny that a problem is exploitable or is of any consequence, and request a proof. This got Eric McCarty in trouble -- the proof is automatically a proof that you breached the law, and can be used to prosecute you! Thankfully, the administrators of the web site believed our report without trapping us by requesting a proof in the form of an exploit and fixed it in record time. We could have been in trouble if we had believed that a request for a proof was an authorization to perform penetration testing. I believe that I would have requested a signed authorization before doing it, but it is easy to imagine a well-meaning student being not as cautious (or I could have forgotten to request the written authorization, or they could have refused to provide it...). Because the vulnerability was fixed in record time, it also protected us from being accused of the subsequent break-in, which happened after the vulnerability was fixed, and therefore had to use some other means. If there had been an overlap in time, we could have become suspects.
The second reason that bad things could have happened to me is that I'm stubborn and believe that in a university setting, it should be acceptable for students who stumble across a problem to report vulnerabilities anonymously through an approved person (e.g., a staff member or faculty) and mechanism. Why anonymously? Because student vulnerability reporters are akin to whistleblowers. They are quite vulnerable to retaliation from the administrators of web sites (especially if it's a faculty web site that is used for grading). In addition, student vulnerability reporters need to be protected from the previously described situation, where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem. Unlike security professionals, they do not understand the risks they take by reporting vulnerabilities (several security professionals don't yet either). They may try to confirm that a web site is actually vulnerable by creating an exploit, without ill intentions. Students can be guided to avoid those mistakes by having a resource person to help them report vulnerabilities.
So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for him, and I knew that the vulnerability we found could not have been the one that was exploited. I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student. My superiors also requested that I cooperate with the detective. Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized? Thankfully, the student bravely decided to step forward and defused the situation.
As a consequence of that experience, I in
When vulnerabilities are outlawed, only outlaws will use vulnerabilities.
I recently figured out a fairly anonymous method of reporting vulnerabilities for a cost of only $0.39. Send SASE for details.
Intron: the portion of DNA which expresses nothing useful.
...Basically, I was job hunting and a friend directed me to a website of his company who was hiring. Now, instead of typing "www.company.com" i typed in "company.com". Boom, I'm presented with a database login. Hmm, I thought this was maybe for the job search, and didnt see a register button, so I just hit login. I was then presented with what I THOUGHT was a fake database...kind of like the example php websites you can "login" to to get a taste for the app. I wasn't 100% sure, but eventually decided to try running a sql command...I changed all the company descriptions (it was a hiring agency) to "Change your admin password!" I then realized (late I know), that this was a REAL database after more poking around and finding real names/phone #'s/emails. I found the head of the company's email and politely told her there is a SERIOUS hole in her system. She (VERY) quickly responded with her phone number that I already knew and asked me to call. So, being the good citizen that I was, I called. Ha! She immediately asked my personal information which I was hesitant to give, and resorted to only giving my first name. Then she connected me with the "IT guy" if you could call him that, and I explained what I had did and how I did it. Throughout this whole conversation I was very nervous and got the feeling that I was being criminalized. After the whole ordeal was over (luckily they had backups), she offered me the job that I was initially seeking, but I politely refused stating I didn't feel comfortable working for a company that was as insecure as hers.