Dark Reading | Vulnerabilities / Threats | 5/12/2015 02:00 PM
Vulnerability Disclosure Deja Vu: Prosecute Crime Not Research

There is a lesson to be learned from a locksmith living 150 years ago: Attackers and criminals are the only parties who benefit when security researchers fear the consequences for reporting issues.

The recent example of a software vendor leveraging laws like the Digital Millennium Copyright Act (DMCA) to intimidate a security researcher is counterproductive. The researcher and team at the security consulting firm IOActive took a risk by attempting to report security flaws in a digital lock, and the company that makes the lock didn't exactly welcome the news.

While we don't know all the details, according to multiple press reports IOActive tried to contact the vendor privately before public disclosure, and the vendor responded through its lawyers, who mentioned the DMCA. As Chris Soghoian, staff technologist for the ACLU, tweeted about this incident: "Having a lawyer respond to security researchers is like asking your neighbor to turn down the music w/ a gun in your hand. It won't end well."

Sadly, this pattern is all too common in the history of security research, and it has a chilling effect on that research. Attackers and criminals are the only parties who benefit when security researchers fear the consequences for reporting issues.

The year 1853 called. They want their disclosure debate back.

A locksmith living over 150 years ago named Alfred Charles Hobbs said it beautifully when discussing whether revealing lock-picking techniques publicly was acceptable: "Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery."

The irony that modern lock manufacturers have not learned the lessons of their industrial-age forebears shows that we have not sufficiently shifted the norms of vendor behavior in more than a century and a half.

Hackers gonna hack.
When vendors lack a process and ability to receive, investigate, remediate, and communicate about security vulnerabilities, often the first reaction is to call in the lawyers. However, software bugs are not usually fixed by lawyers, threats, or intimidation. They simply distract all parties from the only route that ensures our collective security.

Back when I founded Symantec Vulnerability Research, I made t-shirts for the team that said simply:

All software contains bugs. The maturity of a vendor's product security is measured in part by how it handles vulnerability reports. Those who are unable to gracefully deal with external parties who are trying to warn them of security holes are putting their users, and possibly the Internet as a whole, at risk.

Recently, I worked with the MIT Sloan School of Management and the Harvard Kennedy School on relevant research, sponsored by Facebook, on system dynamics modeling of the 0day market. Among other things, the research concluded that defenders should try to increase the rate at which vulnerabilities are found by offering incentives for bug reports. Responding to friendly hackers with legal intimidation runs counter to this research and to all recommended best practices.

5 Stages of Vulnerability Response Grief: A Standard Approach
Denial. Anger. Bargaining. These are all emotional reactions to a technical problem. The cure? Acceptance. This short video offers a humorous look at this serious issue. Unfortunately, this is still an ongoing phenomenon, and organizations will benefit from quickly understanding the pitfalls of these reactions, which ultimately do nothing to improve their security posture.

As I write this from the 25-year anniversary meeting of the ISO SC27 working group in Malaysia, I am happy to report that we already have standard guidelines in the form of ISO 29147 (Vulnerability disclosure) and ISO 30111 (Vulnerability handling processes). These are available to help organizations adopt a vulnerability handling, coordination, and public disclosure process. Will a set of standards end the disclosure debate once and for all? Not entirely, but it is an important first step.

Hackers can help prevent attacks if they can come forward without fear of prosecution. Encourage research, offer proper incentives, and have a safe and transparent way to receive potential security issue reports.

Prosecute crime, not research. The result is a safer Internet for everyone.

Katie Moussouris is the founder and CEO of Luta Security, a company offering unparalleled expertise to create robust vulnerability coordination programs. Luta Security specializes in governments and multi-party supply chain vulnerability coordination. Moussouris recently ...
Comments
ODA155, User Rank: Ninja, 5/19/2015 | 10:27:36 AM
Re: Defender's point of view
Imagine the PHP code that you write/wrote/sell or provide is being used all over the Internet for whatever reasons people use it for... now imagine it's weak and vulnerable and you missed it during your "code review".... now, wouldn't you want someone to point that out to you no matter how arrogant they were, or would you rather some attorney for Company X contact you with a lawsuit?

Don't take it personally, it's a mistake that someone found, hopefully before it was exploited for ill.
JBauerofPrivacy, User Rank: Apprentice, 5/15/2015 | 3:22:42 PM
An example of a different approach
United Airlines is offering up to a million air miles to hackers who can find security bugs in its network.
Marilyn Cohodas, User Rank: Strategist, 5/15/2015 | 8:18:31 AM
Re: Defender's point of view
@Thomas Claburn, love how you expanded on the metaphor of the lock picker at the front door. Perfect!
Sara Peters, User Rank: Author, 5/13/2015 | 12:50:14 PM
Re: Defender's point of view
@AnonymousMan  I see your points, but it's a bit more complicated than that when you're dealing with a public Website, because the safety of that site affects all the people who use it, not just the people who own the domain. And the trouble is that the way the laws are written right now, simply looking for a vulnerability in a website -- not disclosing it or testing it -- is technically a felony crime under U.S. and U.K. law, punishable by fines and even jail time.

Although it doesn't usually turn out that way, there have been cases when Good Samaritan security researchers have been convicted of cybercrimes under these laws -- like when Daniel Cuthbert got convicted in the UK for executing a single shellcode command after he thought he might have just given his credit card information to a phishing site.
Marilyn Cohodas, User Rank: Strategist, 5/13/2015 | 11:28:33 AM
Re: I Need that T-Shirt!
The T-shirt is definitely cool, @ChristianBryant. But your point about the value of vulnerability research -- and the need for lawmakers to protect it -- is critical. Hopefully Katie's message will reach beyond the world of Dark Reading to TPTB in Washington. What we need is intelligent cyber crime legislation. Not a dragnet.
Christian Bryant, User Rank: Ninja, 5/13/2015 | 5:16:58 AM
I Need that T-Shirt!
OK, so that was a terrible label for my comment (I've been too serious on some of these) but, really, awesome message on the T!

I spend hours a day reading sites like DR, Exploit-DB and PacketStorm.  The imagination that goes into vulnerability research can't be stressed enough.  Without these individuals, teams and organizations (most of whom are either anonymous or feel some security in their visibility and numbers), we would not only be less safe but also our software would be buggier and less enjoyable to use.

The law must catch up, must address cyber-crime intelligently and recognize the value of folks like vulnerability researchers and not simply see them as part of the problem.  Even for those on the "right" side of the law who do recognize this, they then need to fight for them, for they too often get swept up in the nets.
Thomas Claburn, User Rank: Ninja, 5/12/2015 | 6:01:27 PM
Re: Defender's point of view
> Imagine that you come home one evening to find someone hunched over working on your front door lock with a set of picks.

This metaphor doesn't quite capture the Internet since there's no real sense of physical location. It would be more accurate to imagine someone opening his or her front door to find the entire population of the Internet outside, with a subset of this group running automated door-hacking attacks.
AnonymousMan, User Rank: Moderator, 5/12/2015 | 5:18:00 PM
Re: Defender's point of view
That is not just a different storyteller, it's a different story. Not invalid, mind you, but not the same situation. I wrote a PHP application and put it on the Internet. Does anyone have the right to test it for vulnerabilities, as long as their heart is pure? And my specific point... how does the defender discern intent from the packets?
dritchie, User Rank: Strategist, 5/12/2015 | 4:58:17 PM
Re: Defender's point of view
On the other hand:

You come home from the store. Your neighbor tells you that he just found out that his front door can be opened by banging on the lock 3 times, and since you have the same lock, maybe you should change it.

Do you:

1. Thank him and go buy a new lock kit

2. Kick him in the soft parts since he was looking at your lock for specifics.

Many different ways of looking at it, and it depends on who is telling the story.
AnonymousMan, User Rank: Moderator, 5/12/2015 | 3:30:55 PM
Defender's point of view
Imagine that you come home one evening to find someone hunched over working on your front door lock with a set of picks. Do you:

a) assume they are a security researcher, and politely ask them to let you know if they successfully pick the lock?

b) assume they are a criminal and swing a grocery bag full of avocados into their soft parts?

I generally agree with the idea of not prosecuting security researchers, but there is no question IMHO that researchers are often egocentric ideologues who could care less about actual users. Some have a sense of entitlement that is simply dumbfounding... as if putting something on the Internet gives them free rein because, well, it's on the Internet and stuff.