Vulnerabilities / Threats

5/12/2015
02:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Vulnerability Disclosure Deja Vu: Prosecute Crime Not Research

There is a lesson to be learned from a locksmith living 150 years ago: Attackers and criminals are the only parties who benefit when security researchers fear the consequences for reporting issues.

The recent example of a software vendor leveraging laws like the Digital Millennium Copyright Act (DMCA) to intimidate a security researcher is counterproductive. The researcher and team at the security consulting firm IOActive took a risk by attempting to report security flaws in a digital lock, and the company that makes the lock didn't exactly welcome the news.

While we don’t know all the details, according to multiple press reports, IOActive tried to contact the vendor privately before public disclosure, and that vendor responded through its lawyers, who mentioned the DMCA. As Chris Sogohian, staff technologist for the ACLU, tweeted about this incident, "Having a lawyer respond to security researchers is like asking your neighbor to turn down the music w/ a gun in your hand. It won't end well"

This phenomenon is sadly all too common when we look at the history of security research, and results in a chilling effect on security research. Attackers and criminals are the only parties who benefit when security researchers fear the consequences for reporting issues.

The year 1853 called. They want their disclosure debate back.

A locksmith living over 150 years ago named Alfred Charles Hobbs said it beautifully when discussing whether revealing lock-picking techniques publicly was acceptable: "Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery."

The irony that the modern lock manufacturers have not learned the lessons of their industrial-age forebears indicates that we haven't sufficiently shifted the norms of vendor behavior in over a century and a half or more.

Hackers gonna hack.
When vendors lack a process and ability to receive, investigate, remediate, and communicate about security vulnerabilities, often the first reaction is to call in the lawyers. However, software bugs are not usually fixed by lawyers, threats, or intimidation. They simply distract all parties from the only route that ensures our collective security.

Back when I founded Symantec Vulnerability Research, I made t-shirts for the team that said simply:

All software contains bugs. The maturity of a vendor's product security is measured in part by how it handles vulnerability reports. Those who are unable to gracefully deal with external parties who are trying to warn them of security holes are putting their users, and possibly the Internet as a whole, at risk.

Recently, I worked with MIT Sloan School of Management and Harvard Kennedy School on relevant research, sponsored  by Facebook, on system dynamics modeling of the 0day market. The result of the research concluded, among other things, that defenders should try to increase the rate of finding vulnerabilities through incentives for bugs. Responding to friendly hackers with legal intimidation runs counter to this research and all recommended best practices.

5 Stages of Vulnerability Response Grief: A Standard Approach
Denial. Anger. Bargaining. These are all emotional reactions to a technical problem. The cure? Acceptance. This short video offers a humorous look at this serious issue. Unfortunately this is still an ongoing phenomenon, and organizations will benefit from quickly understanding the pitfalls of these activities that don't ultimately work to improve their security posture.

As I write this from the 25-year anniversary meeting of the ISO SC27 working group in Malaysia, I am happy to report that we already have standard guidelines in the form of ISO 29147 Vulnerability disclosure and ISO 30111 Vulnerability handling processes. These are available to help organizations adopt a vulnerability handling, coordination, and public disclosure process. Will a set of standards end the disclosure debate once and for all? Not entirely, but it is an important first step.

Hackers can help prevent attacks if they can come forward without fear of prosecution. Encourage research, offer proper incentives, and have a safe and transparent way to receive potential security issue reports.

Prosecute crime, not research. The result is a safer Internet for everyone.

Katie Moussouris is the Chief Policy Officer for HackerOne, a platform provider for coordinated vulnerability response & structured bounty programs. She is a noted authority on vuln disclosure & advises lawmakers, customers, & researchers to legitimize & promote security ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ODA155
50%
50%
ODA155,
User Rank: Ninja
5/19/2015 | 10:27:36 AM
Re: Defender's point of view
Imagine the PHP code that you write\wrote\sell or provide is being used all over the Internet for whatever reasons people use it for... now imagine it's weak and vulnerble and you missed it during your "code review".... now, wouldn't you want someone to point that out to you no matter how arrogant they were or would you rather some attorney for Company X contact you with a law suit?

Don't take it personal, it's a mistake that someone found, hopefully before it was exploited for ill.
JBauerofPrivacy
50%
50%
JBauerofPrivacy,
User Rank: Apprentice
5/15/2015 | 3:22:42 PM
An example of a different approach
United Airlines is offering up to a million air miles to hackers who can find security bugs in its network. 

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/15/2015 | 8:18:31 AM
Re: Defender's point of view
@Thomas Claburn, love how you expanded on the metaphor of the lock picker at the front door. Perfect! 
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
5/13/2015 | 12:50:14 PM
Re: Defender's point of view
@AnonymousMan  I see your points, but it's a bit more complicated than that when you're dealing with a public Website, because the safety of that site affects all the people who use it, not just the people who own the domain. And the trouble is that the way the laws are written right now, simply looking for a vulnerability in a website -- not disclosing it or testing it -- is technically a felony crime under U.S. and U.K. law, punishable by fines and even jail time.

Although it doesn't usually turn out that way, there have been cases when good samaritan security researchers have been convicted of cybercrimes under these laws -- like when Daniel Cuthbert got convicted in the UK for executing a single shellcode command after he thought he might have just given his credit card information to a phishing site.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/13/2015 | 11:28:33 AM
Re: I Need that T-Shirt!
The T-shirt is defnitely cool, @ChristianBryant. But your point about the value of vulnerability research -- and the need for lawmakers to protect it -- is critical. Hopefully Katie's message will reach beyond the world of Dark Reading to TPTB in Washington. What we need is intellegient cyber crime legislation. Not a dragnet.
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
5/13/2015 | 5:16:58 AM
I Need that T-Shirt!
OK, so that was a terrible label for my comment (I've been too serious on some of these) but, really, awesome message on the T!

I spend hours a day reading sites like DR, Exploit-DB and PacketStorm.  The imagination that goes into vulnerability research can't be stressed enough.  Without these individuals, teams and organizations (most of whom are either anonymous or feel some security in their visibility and numbers), we would not only be less safe but also our software would be buggier and less enjoyable to use.

The law must catch up, must address cyber-crime intelligently and recognize the value of folks like vulnerability researchers and not simply see them as part of the problem.  Even for those on the "right" side of the law who do recognize this, they then need to fight for them, for they too often get swept up in the nets.
Thomas Claburn
100%
0%
Thomas Claburn,
User Rank: Ninja
5/12/2015 | 6:01:27 PM
Re: Defender's point of view
>Imagine that you come home one evening to find someone hunched over working on your front door lock with a set of picks. 

This metaphor doesn't quite capture the Internet since there's no real sense of physical location. It would be more accurate to imagine someone opening his or her front door to find the entire population of the Internet outside, with a subset of this group running automated door-hacking attacks.
AnonymousMan
50%
50%
AnonymousMan,
User Rank: Moderator
5/12/2015 | 5:18:00 PM
Re: Defender's point of view
That is not just a different storyteller, it's a different story.  Not invalid mind you, but not the same situation. I wrote a PHP application and put it on the Internet.  Does anyone have the right to test it for vulnerabilities, as long as their heart is pure?  And my specific point...how does the defender discern intent from the packets.
dritchie
100%
0%
dritchie,
User Rank: Strategist
5/12/2015 | 4:58:17 PM
Re: Defender's point of view
On the other hand:


You come home from the store, Your neighbor tells  you that he just found out that his front door can be opened by banging on the lock 3 times and since you have the same lock, maybe you should change it.


Do you:

1.  Thank him and go buy a new lock kit

2. Kick him in the soft parts since he was looking at your lock for specifics.

 

Many different ways of looking at it and it depends on who is telling the story.
AnonymousMan
50%
50%
AnonymousMan,
User Rank: Moderator
5/12/2015 | 3:30:55 PM
Defender's point of view
Imagine that you come home one evening to find someone hunched over working on your front door lock with a set of picks.  Do you:

a) assume they are a security researcher, and politely ask them to let you know if they successfully pick the lock?

b) assume they are a criminal and swing a grocery bag full of avacados into their soft parts?

I generally agree with the idea of not prosecuting security researchers, there is no question IMHO that researchers are often egocentric ideologues who could care less about actual users. Some have a sense of entitlement that is simply dumbfounding....as if putting something on the Internet gives them free reign because, well, it's on the Internet and stuff.
Cybersecurity's 'Broken' Hiring Process
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/11/2017
Ransomware Grabs Headlines but BEC May Be a Bigger Threat
Marc Wilczek, Digital Strategist & CIO Advisor,  10/12/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Search Cybersecuruty and you will get unicorn.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.