Reporting Vulnerabilities Is For The Brave

An anonymous reader writes "A recent post on the CERIAS weblogs examines the risks associated with reporting vulnerabilities. In the end, he advises that the risks (in one situation, at least) were almost not worth the trouble, and gives advice on how to stay out of trouble. Is it worth it to report vulnerabilities despite the risks, or is the chilling effect demonstrated here too much?"
  • by overshoot ( 39700 ) on Monday May 22, 2006 @05:18PM (#15383731)
    All things considered, it's a whole lot safer (not to mention more profitable) to notify the black hats about vulnerabilities rather than the vendors or the public.
  • by disasm ( 973689 ) on Monday May 22, 2006 @05:19PM (#15383733)
    Open Source projects don't interrogate and try to prosecute you if you find a security problem and report it.
  • Weird (Score:2, Insightful)

    by drfrog ( 145882 ) on Monday May 22, 2006 @05:20PM (#15383743) Homepage
    I'm not proposing one do this... but it makes one think:

    'If I'm gonna get jailed anyways... might as well make some money off of it.'

  • by booch ( 4157 ) <slashdot2010@NOSpam.craigbuchek.com> on Monday May 22, 2006 @05:23PM (#15383763) Homepage
    Maybe there should be a site to allow anonymous reporting of vulnerabilities. This way people could do the right thing without having to worry about the repercussions.

    You could have some sort of secret key to verify that you were the original submitter, if you later wanted recognition for the report. (I imagine a PGP signature of a secret text would be sufficient to allow validation, without any chance of determining who posted until they came forward.)
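A commit-now, claim-later version of this idea, as an added example that is not from the thread or any poster: it uses a SHA-256 hash commitment in place of the PGP signature the comment mentions, binding a secret nonce and the reporter's identity to the exact report text, so the reporter can stay anonymous and still prove authorship later. The report text and identity are constructed sample values.

```python
"""Commit-now, claim-later for anonymous vulnerability reports (added example).

Reporter publishes the report plus a commitment; the nonce and identity stay
private until the reporter chooses to come forward. Standard library only.
"""
import hashlib
import hmac
import secrets


def commitment(report: bytes, identity: str, nonce: bytes) -> str:
    """Hash commitment binding an identity to this exact report text.

    Binding the report hash stops someone else from claiming the report with
    their own identity; the random nonce stops the identity from being
    brute-forced from the public commitment (a short list of plausible names
    would otherwise be enough to de-anonymize the reporter).
    """
    h = hashlib.sha256()
    h.update(hashlib.sha256(report).digest())  # bind to report contents
    h.update(identity.encode("utf-8"))
    h.update(nonce)
    return h.hexdigest()


def submit_anonymously(report: bytes, identity: str) -> tuple[dict, dict]:
    """Reporter side: returns (public_report, private_proof).

    public_report is what goes to the anonymous channel (report text plus
    commitment); private_proof stays with the reporter.
    """
    nonce = secrets.token_bytes(32)  # 256-bit random nonce
    public = {"report": report, "commitment": commitment(report, identity, nonce)}
    private = {"identity": identity, "nonce": nonce}
    return public, private


def verify_claim(public: dict, claimed_identity: str, nonce: bytes) -> bool:
    """Vendor side: check a later authorship claim against the published commitment."""
    expected = commitment(public["report"], claimed_identity, nonce)
    # Constant-time compare so a wrong claim leaks nothing via timing.
    return hmac.compare_digest(expected, public["commitment"])


if __name__ == "__main__":
    # Constructed sample report; in practice this is the full anonymous submission.
    pub, priv = submit_anonymously(b"Sample report: login form accepts empty password", "reporter@example.org")
    print("published:", pub["commitment"])
    print("claim by real reporter:", verify_claim(pub, priv["identity"], priv["nonce"]))
    print("claim by impostor:", verify_claim(pub, "someone-else@example.org", priv["nonce"]))
```

Anyone who later shows the matching identity and nonce is the only party who could have produced the published commitment, and altering a single byte of the report invalidates it.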
  • /. effect (Score:3, Insightful)

    by joe 155 ( 937621 ) on Monday May 22, 2006 @05:24PM (#15383772) Journal
    Well, the website has already gone. One thing which I find with all this though is that you should just put it up anonymously on some often checked bbs or newsgroup or something. It is really stupid that companies think that the danger of hacking comes from people who publicly state security holes and not the people who stay very quiet and use them... some mistake?
  • Anonymous Email (Score:3, Insightful)

    by Anonymous Coward on Monday May 22, 2006 @05:26PM (#15383780)
    You see, it's simple. Even if Bob's Software knows about the flaw in Program, they can at least say with a straight face that they had no idea it existed. Once you announce it publicly, they have been officially notified that the flaw exists. At that point, anything serious that happens, say Program causes some other company to lose lots of money, puts Bob's Software as a responsible party for allowing this known flaw to exist.

    What you did was open the door to litigation against Bob's Software for negligence. Bob's Software doesn't want the flaw to become public. When you stand up and point the finger at Bob's Software, they will be looking for someone to pass on the litigation fees to, so you get sued. Not only that, someone needs to be made an example of so others don't try it in the future.

    Anonymous email accounts are easy to come by. Send an anonymous announcement to the Full Disclosure mailing list and be done with it. Otherwise you're risking the legal bills of fighting whatever company decides to sue you.

  • by Anonymous Coward on Monday May 22, 2006 @05:26PM (#15383781)
    Every time I've reported a bug of any nature to a F/OSS project it's been quite well received - and the one that was (arguably) a security bug saw the patch issued for the benefit of all users that very afternoon.

    If reporting a security bug to one of your vendors (OS or other software) or suppliers (ISP / hosted software) is a problem, change your vendor.

    If reporting a security bug to one of your employers is a problem, change your employer.


  • by Alien54 ( 180860 ) on Monday May 22, 2006 @05:30PM (#15383813) Journal
    I think a vulnerability can be reported anonymously quite safely (for a good deal of people anyway).

    Of course, this means that everyone else finds out about vulnerabilities first. This might not be exactly what they wanted when they make it illegal to report.

  • by Rakishi ( 759894 ) on Monday May 22, 2006 @05:44PM (#15383882)
    Yup. First thing that came to me when I saw this was: "God, this is a great counter when people claim OSS is less secure."
  • by lord_sarpedon ( 917201 ) on Monday May 22, 2006 @05:49PM (#15383912)
    ...followed by a subpoena to the site, then a subpoena to the ISP of the originating IP, and ultimately your demise. The first poster has a much better idea about how to go about it.
  • Re:I don't get it (Score:1, Insightful)

    by Anonymous Coward on Monday May 22, 2006 @05:49PM (#15383915)
    Would you prefer a friendly neighbor to advise you to lock your door next time, or a thief that would remove something without leaving traces of his break-in? Either way, your door is unlocked and you probably don't know it...
  • Re:I don't get it (Score:1, Insightful)

    by Anonymous Coward on Monday May 22, 2006 @05:50PM (#15383919)
    But then again often you are also a user of the service.

    Compare it to reporting that the outside door to your apartment that is supposed to require a key, also opens with a little tug.
  • by Todd Knarr ( 15451 ) on Monday May 22, 2006 @05:56PM (#15383969) Homepage

    The people running Web sites, or creating software for that matter, might want to consider some of the consequences of their current crack-down on vulnerability reports. Yes, vulnerability reports are bad PR. However, if this keeps up people who find vulnerabilities will have only two feasible alternatives:

    1. Say nothing. This leaves the site or software wide open to exploitation by the unscrupulous. The PR when this comes out will be even worse (and it will come out).
    2. Don't report to the creators. Report only to the general public, anonymously, with full details included so nobody has to trust the reputation of the reporter to verify the validity of the report. Of course this makes it impossible for the creators to fix problems before the world gets told about them.
  • Re:I don't get it (Score:2, Insightful)

    by Anonymous Coward on Monday May 22, 2006 @06:00PM (#15383991)
    Why do people think trying to hack web sites without asking the owners first is somehow acceptable?

    I fail to see what any of your comments have to do with TFA. The author explicitly does not condone hacking. Your metaphor is wrongheaded, too. Public web sites are not the equivalent of a random private house on the street. If I walk into a store to buy something, go to the checkout, and discover that if I lean against the checkout counter that cash streams out the register, does the store want me to let someone know or not? Obviously they wouldn't want me to take the money, but if they're going to arrest me for telling them that their cash registers are broken I'm just gonna go. You're not going up to Joe Blow's house and shaking his knobs and checking the windows, knowing full well that it's his private home and you're just gonna check things out. We're talking about an open house where the owner is saying "Come on in and look around! We hope you'll buy something." If I walk around and find an open safe, I haven't broken the law. The owner invited me in. If he's going to leave an open safe around, that's his stupidity.

  • by i am kman ( 972584 ) on Monday May 22, 2006 @06:10PM (#15384050)
    Hmmmm, of course the article focuses on the big evil website administrators for attacking the small defenseless students who tried to (probably) illegally break into his system. The article carefully avoids any discussion of what these students actually did to 'discover' the vulnerabilities.

    I'd venture to say that most hackers 'smart' enough to hack into a website are probably smart enough to send an anonymous email reporting the hack. If the administrator ignores the emails or warnings, then the burden falls upon them.

    This is similar to a crook breaking into a house and then reporting the secret stash of drugs or child porn they found. Ok, it would be nice if they could report it anonymously, but it certainly doesn't justify the initial illegal behavior. And, like most crooks, they probably break into hundreds of places before they either get caught or find stuff worth reporting (like being able to access student grades or SSN).

    That said, I agree it's in the website's best interest to allow folks to anonymously post vulnerabilities. Duh.
  • Re:True story (Score:1, Insightful)

    by Anonymous Coward on Monday May 22, 2006 @06:11PM (#15384056)
    You are lucky that she didn't claim sexual harassment.
  • by quanticle ( 843097 ) on Monday May 22, 2006 @06:13PM (#15384064) Homepage

    That's fine for application software, where the code is running on your machine. However, this article is talking about security testing on 3rd party web pages. In this case, I think the article's opinion is correct. Unless there's a signed statement explicitly allowing you to do penetration testing, you shouldn't go prying into other people's web sites even if you do think there is a vulnerability. And, should you (inadvertently) find a vulnerability, you ought to keep it to yourself and delete all evidence of the vulnerability from your computer.

    To revert to the overused house analogy, you don't tell a stranger that their front door is unlocked. To do so is to invite speculation about how you arrived at that knowledge. And if there's a burglary at that residence, your admitted knowledge automatically makes you a suspect.

  • Not so different (Score:3, Insightful)

    by OpenSourced ( 323149 ) on Monday May 22, 2006 @06:22PM (#15384120) Journal
    Well, that's not so different from the situation in physical security systems. Go and tell a bank manager that they have an unsecured entry point in the air ducts, and that their alarms can be blocked by a XT42 bypass (or whatever), and the guards always have lunch at the same time leaving the screens unattended for ten minutes.

    You are probably doing them a big favour, but the fact remains that they will be suspicious about you, and may call the police. How do you know about those things? What are your intentions? It's quite a natural reaction. We only perceive the situation to be different because we happen to be experts not in alarms but in computers.
  • by jonfr ( 888673 ) on Monday May 22, 2006 @06:32PM (#15384176)
    Learn to speak my language (Icelandic), then I am going to take you seriously.
  • by Anonymous Coward on Monday May 22, 2006 @07:33PM (#15384466)
    You did well to refuse... you don't want to be the only real tech guy in such a company. If you find problems even before you have a job there, imagine when working there.
  • Re:True story (Score:3, Insightful)

    by merreborn ( 853723 ) on Monday May 22, 2006 @08:48PM (#15384744) Journal
    "It's easy to spoof email addresses with a very simple PHP script."

    It's easy to spoof email addresses with a very simple telnet client.

    telnet mail.example.com 25
    HELO local.domain.name
    MAIL FROM: billg@microsoft.com
    RCPT TO: pranked@yourdomain.com
    DATA
    Subject:

    .

    QUIT

    Hell, you can usually just set an arbitrary 'from' address in your email client. I learned that trick on Netscape 3.0 in grade school.
  • by Beryllium Sphere(tm) ( 193358 ) on Monday May 22, 2006 @08:53PM (#15384756) Journal
    For a long time, the Aviation Safety Reporting System [nasa.gov] has made it possible for people to report a dangerous situation without risking getting stomped. There's no way to tell how many lives it has saved but everyone uses it as a prime example of first-rate systems safety engineering.
  • by Anonymous Coward on Monday May 22, 2006 @09:53PM (#15384950)
    I'm in the security field as an analyst. I notice vulnerabilities (or susceptibilities) in physical security all the time. The problem... I notice these things in areas that are not any of my business... or not even part of my company (it could be another company or even a government facility). I can't help it. I just notice it. It's how I protect what I'm charged with protecting. Always analyzing all the ways someone can screw my protection and then I do what it takes to plug the holes.

    What to do when I see these things at other facilities? Keep my damn mouth shut, that's what I do.

    The really sad part is I also have to follow asinine rules that provide ZERO additional security (and in some cases actually make things less secure) because the regulations say to do it. I ask for waivers. But then I'm just seen as making waves. It's sad.
  • by EmbeddedJanitor ( 597831 ) on Monday May 22, 2006 @10:42PM (#15385112)
    For all the talk of freedoms, you're insane if you put them to the test in the USA.

    One way to safely publicise the info is to live in a free country or get a friend in a free country to do it.

  • by Anonymous Coward on Monday May 22, 2006 @10:52PM (#15385142)
    This really comes under the heading of most people are ignorant and don't really understand how anything works. It is all magic, and the persons who understand the magic are the most dangerous.

    For the most part, problems are a result of bad design or an irrational desire to protect property or force users to go through hoops. In the physical world this manifests itself as HEB or Ikea making you travel a maze to purchase product. On a website it is excessive redirects so that 500 tracking cookies can be set and the user's actions logged by every major click handler in the world. Even competent designers force users from one page to another in the name of security, but are really just leaving themselves open for attack.

    In reality none of this stuff is that hard. Just because one thinks about the penetration points does not mean that one is a villain. Thinking about the points of failure is a key part of good design, and by terrorizing those who do, society is ensuring that we have no good engineers.

    Does anyone remember the Amazon hack where anyone could set their own price? The people who exploited it may have been criminals, but it was the fault of the designers, and the lack of imagination, that allowed such a silly mistake. Sometimes it is not even a matter of penetration testing, but just a need to get by bad code. For instance, I must use a certain site for work. This site has a bunch of mean looking validation, most of which only occasionally works in IE, and never works in anything else. The interesting thing is that the content itself is not secured at all, and is all stored in the same place. A simple perl script can easily be written to download all the protected IP before anyone knew what was going on. Really it is sad. All that work and frustration for nothing.

  • by Anonymous Coward on Tuesday May 23, 2006 @05:26AM (#15385721)
    "Include screen shots, printouts, whatever, if necessary. Every transaction on the internet leaves some form of trail. Walking to the nearest post-box doesn't"

    You must have missed all that ruckus about those "yellow dots" printed by every HP color printer (and probably by other manufacturers as well), identifying the machine on anything that is printed by/with it.

    No trail? Forget it. Maybe paper is nowadays more easily tracked than an e-mail sent through an anonymizer.
  • by Saggi ( 462624 ) on Tuesday May 23, 2006 @05:32AM (#15385738) Homepage
    A lot of posts go into how to report a flaw anonymously. But this is curing the symptom. The disease is the fact that you get to be a suspect if you report a bug - and might even be incriminated by it.

    Many years ago some wise men in the air-traffic industry realized this. Often planes got into dangerous situations, but due to the risk of getting accused of being the wrongdoers and the risk of losing their jobs, no pilots would report these situations. The result was that the security of air-traffic was not improved. Sometimes these incidents caused people to get killed.

    So they changed the rules. Today pilots can report all dangerous situations, without blame, even if they themselves caused the situation. Airports have such a briefing room where these reports are collected.

    The reason for this is that human error in air traffic does happen. But by getting a clear picture of the situations you may be able to focus on helping them out. If pilots miss a sign on the runways, focus should not be on the pilot, but on the visibility of the sign. It doesn't really matter if you say: Pilots should look out for signs or they should get fired. Next time an unlucky pilot misses the sign... bang.

    Something similar could be done with IT security. Reporting a bug if you encounter it should be with the focus on fixing the bug. Not to blame the one who found it.

    Remember the focus in this case is the flaw or bug, not the one who finds it. Unfortunately the case appears to be focusing on the man rather than the real issue. We do this in our daily life. It's a part of human nature. But the bug never gets fixed... and then the really bad guy comes...
  • by IngramJames ( 205147 ) on Tuesday May 23, 2006 @06:11AM (#15385825)
    Also remember not to lick the envelope or the stamp (if you're from a place where those aren't self-adhesive).

    Also, remember to burn the clothes you were wearing - but only in a forest at least 10 miles from any residence, so the smoke is not seen.

    You should also wear gloves and sunglasses while typing the actual note and wear a false moustache for at least a week afterwards.
  • by Anonymous Coward on Tuesday May 23, 2006 @06:39AM (#15385889)
    Actually I only report problems to open source project developers. If other software/tools/sites have exploits I am sure someone with ill intention will exploit 'em at some point anyways... so why even bother looking for/reporting problems for non-free software? I would have to pay for the next update anyways... and it's the company's job to get their crap working and properly audited/tested.

    It helps a lot more to write articles about hacked and defaced sites in my eyes. That's a plain business case for the company to invest less in marketing and more in auditing/software quality.

    I also think that the current restriction of "freedom of speech" in that case is totally inappropriate. The following laws will probably prohibit talking about bad politics... :)

  • by renoX ( 11677 ) on Tuesday May 23, 2006 @07:59AM (#15386107)
    What makes you think it's safe?

    Sure, the report is safe, but admins will try to use their logs to find the IP address of those who exploited the vulnerability before.
    If you didn't take precautions when you tested the website (and normally you didn't, as you were not trying to crack the website, you were just checking that it is safe), and if the logs are detailed enough, they will find the IP address of the one who did it and will come knocking at your door.
