Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Diverse White Hat Community Leads To Diverse Vuln Disclosures
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/26/2015 | 9:40:26 AM
Re: Alas...
The key to the success of these bug-bounty programs relies on the credibility and legitimacy of the white-hat hackers. Not sure that a platform like Wooyun is the right model of the U.S. , especially under the existing and possible expansion of the CFAA, as @Joe Stanganelli points out.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/25/2015 | 8:04:39 PM
Alas...
Unfortunately, it would seem that if the current administration gets its way (as Jeff Williams wrote for Dark Reading recently), the CFAA will be expanded significantly -- which is harmful to and disincentivizes white-hat hackers and independent bug-hunters because it penalizes their security hole-finding activities.

I recently saw Katie Moussouris, HackerOne's Chief Policy Officer, speak at a cybersecurity conference, and she was insistent on this point, calling hackers "a giant pool of untapped resources" and advising attendees to "be prepared to receive a notification from a friendly hacker[.]"  (In particular, she pointed to the example of Polish hacker group the Last Stage of Delirium (LSOD) IDing the vulnerability that led to the Blaster worm, and Microsoft's response: sending employees to Poland to recruit the hackers.)
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/23/2015 | 1:44:16 PM
Re: Looking for vulnerabilities
I really hope that we can come up with something that serves to protect IT infrastructures while at the same time, not detract from the efforts to assess the same infrastructures we try to protect.


I hope so too, @gonz. I don't have a lot of confidence in our legislators (state or federal) in getting it right. But doing nothing is worse...
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
1/23/2015 | 1:11:26 PM
Re: Looking for vulnerabilities
@Sara Peters: The legislation issue is definitely huge, as noted in the recent posts by Ericka Chikowski and Jeff Williams among others, here on Dark Reading. I'm sure several security pros are keenly aware and keeping abreast of the current state of legislations regarding this topic. I really hope that we can come up with something that serves to protect IT infrastructures while at the same time, not detract from the efforts to assess the same infrastructures we try to protect. As I see it, the federal and state legislative environments regarding this issue are quite a mess, with overlapping and conflicting scopes, confusing and unclear laws, etc. I am really surprised that someone has not yet formed an official umbrella group that brings all the players together to hammer out a definitive and comprehensive solution on a national scale. Time is getting uncomfortably short; just look at the recent Sony attack, which I believe to be just a precursor to more sinister and devastating attacks in the future.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
1/23/2015 | 12:26:51 PM
Re: Looking for vulnerabilities
@GonzSTL  It's a dilemma, but my biggest problem is the huge disparity between how software vulnerability research is legislated and how web vulnerability research is legislated. A lot of security people don't even know that they could get in trouble for the gentlest knock on the door.

The key example for me is Daniel Cuthbert, who was convicted under the Computer Misuse Act several years ago. He had donated money to a tsunami relief charity, then gotten no confirmation page or any indication that his donation had gone through. As a security professional, he started wondering if maybe this was a fraudulent charity set up by cybercriminals. So he did a little shell code command just to see if the site had any security on it (assuming that a legitimate site would).

Then he decided it was probably legit, and thought nothing of it. Until the police came to his office and took him off in handcuffs.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
1/23/2015 | 11:40:46 AM
Looking for vulnerabilities
"... seeking vulnerabilities on another person's website without explicit authorization to do so, is technically a felony under the Computer Fraud and Abuse Act."

This sounds like a huge moral dilemma. It isn't right to be scanning a website just to see if there is a vulnerability in it. I get that. Now if I was the website owner, I would rather have a white hat tell me that there is a vulnerability in my website which was uncovered while "scanning", than find out that the vulnerability was exploited by seeing my customers' PII or PHI or financial data being traded in the black market. How would I feel, though, about someone scanning my website without my permission, just to see if there is a vulnerability? I would not be happy about it at all, but at the same time, I really would like to know if I have a potential problem. I do not think that I would not report it to the authorities as a violation of the CFAA unless they broke the website and I lose revenue as a result. Regardless, I would probably let the white hat know that the action they took wasn't entirely legit ... then thank them for finding it, of course! Almost sounds like a love/hate relationship, doesn't it? I'm sure there are many others who think that way. Any thoughts?


Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36197
PUBLISHED: 2021-05-13
An improper access control vulnerability has been reported to affect earlier versions of Music Station. If exploited, this vulnerability allows attackers to compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. This ...
CVE-2020-36198
PUBLISHED: 2021-05-13
A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to 4.6.1.0. This issue does not affect: QNAP...
CVE-2021-28799
PUBLISHED: 2021-05-13
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3...
CVE-2021-22155
PUBLISHED: 2021-05-13
An Authentication Bypass vulnerability in the SAML Authentication component of BlackBerry Workspaces Server (deployed with Appliance-X) version(s) 10.1, 9.1 and earlier could allow an attacker to potentially gain access to the application in the context of the targeted user’s acco...
CVE-2021-23134
PUBLISHED: 2021-05-12
Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.