Reporting Vulnerabilities Is For The Brave
An anonymous reader writes "A recent post on the CERIAS weblogs examines the risks associated with reporting vulnerabilities. In the end, he advises that the risks (in one situation, at least) were almost not worth the trouble, and gives advice on how to stay out of trouble. Is it worth it to report vulnerabilities despite the risks, or is the chilling effect demonstrated here too much?"
Reporting vulnerabilities safely? (Score:4, Interesting)
I think a vulnerability can be reported anonymously quite safely (for a good deal of people anyway). Try the following:
1) Get a laptop with wireless.
2) Boot with Knoppix, change MAC address.
3) Walk around until you find unsecured AP.
4) Post said vuln everywhere (including
-wmf
Doing the Right Thing (Score:2, Interesting)
* Picking up a hitchhiker
* Reporting evidence of theft from a company (retaliation, backlash if employee is exonerated)
There's more than my limited mind can produce.
Re:Reporting vulnerabilities safely? (Score:5, Interesting)
http://www.nycpba.org/publications/mag-02-fall/sh
I don't get it (Score:2, Interesting)
No really. Why should that be OK? Is it OK for someone to walk around the neighborhood and try turning all the doorknobs? How about pushing the doors open to see if they're bolted? Should they take a picture from inside and send it to the homeowner as proof that someone could get in? Should you be surprised when someone tries to prosecute such a person? Sorry for the analogy, let's just try to answer the first question about hacking without authorization - why do people think that's OK?
Don't ever report a flaw! Ever! (Score:3, Interesting)
Been there, done that. Got arrested, got lucky, found not guilty for all but one charge, but lost three computers because the court did figure out it was wrong of me to use a pwd (I did test the flaw, big mistake), even if it was on a public C: drive for everyone to see and in a clear text file. I am never going to report a bug in a computer system in a school, company or somewhere else again. Don't care what the type of the flaw is or who it is, it is their own problem, they can handle their own infestation.
True story (Score:5, Interesting)
It's easy to spoof email addresses with a very simple PHP script.
I decided one day to trick one of my colleagues. I sent him an email 'from' one of our very attractive colleagues (in a fairly distant department so I thought it safe at the time) complimenting him on his physique and machismo. I used her real email address as the 'spoof' address, which being the dumbass he is, he replied to. In a manner that would not be considered acceptable in a work environment, let's say...
Well, I got in trouble for this. (Everyone where I work already knew I was the only one capable of something like this... [lame]) So that same afternoon I was called into my boss's office. He was quite frank, and also remember that I value my job here, he said "That email... You had something to do with it didn't you?"
I said that I was the cause of that little incident by way of one of my scripts. I said I was sorry it went as far as it did, and my boss accepted that.
After that my boss said, "Do you have any other things you wish to report?" I decided that I'd come clean with everything I'd found out about the work network. I told them that using the Citrix system, I could remotely control anyone on the network's PC. I told them I could spoof emails from anyone... Which resulted in my company rejecting email authorisation for crediting invoices full stop.
OK, through a prank I caused my company a bit of upset... But I, in turn, improved systems indirectly. And all this because I exposed one weakness, and upon my boss's asking me about it - I told all. As I'm sure any loyal employee would do. Through exposing a weakness in my company, I concentrated effort on plugging those holes.
Re:I don't get it (Score:5, Interesting)
Do you think I should have reported this? Should I have ignored the issue? I had access to another person's training records without authorization. No doubt someone could have gained access to mine as well. On the other hand, I'm not interested in being prosecuted for something this silly.
I have some experience with this (Score:5, Interesting)
Let me tell you, it was not easy. Here's the story of the first time because it's the most interesting.
I worked for a community college in its tech department. A lot of my time was devoted to answering phones and helping faculty with problems, which did leave me idle a lot. (High availability requires high idle time as a consequence.) As a tinkerer, my idle time is never spent truly idle, but pursuing things that don't require 100% attention.
The community college I worked for had many different systems, and as such had many many translation layers between them. One of these transition layers was a transition from a "Portal" type website to another website that handled student information. (class registration, transcripts, billing, paying, you know all that important personal stuff).
Anyway, I found a flaw in one of the scripts used to authenticate a user session to the second web service. The flaw was that the moron who coded it decided that creating a script that accepted 1 variable (the username) was enough security to authenticate a login.
By closely observing the script's actions through my web browser, I noticed there were 2 very quick redirects. Focusing my efforts there (and logging my URL requests), I found the call to the script that required only the username.
So, basically, at that point I had access to anyone's student account that I had the username for.
I documented it very well in a long email, and demonstrated the flaw to my coworkers. I thought I would be a real hero for finding it; I mean after all, if I had found it, who knows who else might have? Surely, disaster averted!
But... my idealism in the situation was met hard with reality. My inexperience led me to not take into account factors I should have.
After reporting the vulnerability, a minor investigation was launched which I was the subject of. I felt more like a criminal than a saint. After demonstrating how I could login to their accounts, my coworkers were suspicious as were my superiors. The thought pattern seemed to go like "Well shit if he can do that, what else has he done? Why was he even poking around there in the first place?".
While never actually accused of any wrongdoing, they weren't nearly as impressed with my find as I thought they would be. I was looking for a pat on the back, maybe a bonus, but instead my superiors were troubled and nervous. I'm not sure if I was right in feeling this way, but I never felt quite fully trusted there again after that one.
The other thing I didn't think about was how the existence of the error then impeached the person who wrote it. Rightfully so, because it was a FOOLISH error, but the guy who wrote it was a guy who had been employed there far longer than I, and of course having me find it and dismantle it presented quite an embarrassment to him.
I ended up leaving the job there 6 months later for a variety of reasons, but reporting the vulnerability was one of the 2 or 3 core reasons that I left. I don't regret it all and would do it the same way again, but going through it taught me a lot about how to NOT be someone's boss (should I ever become one in the future), and not react in the accusatory manner like my superiors did.
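The portal-to-student-system handoff described above, as an added example that is not the commenter's code: the vulnerable endpoint mints a session from a bare username parameter, while the hardened version requires a short-lived HMAC token issued by the portal. The shared secret, the 60-second lifetime and the session format are constructed assumptions.

```python
from typing import Optional
import hashlib
import hmac
import time

# Constructed secret shared by the portal and the student system (assumption).
SHARED_SECRET = b"constructed-shared-secret-change-me"
TOKEN_TTL_SECONDS = 60


def vulnerable_handoff(params: dict) -> Optional[str]:
    """Student-system endpoint that authenticates on the username alone.
    Anyone who knows a username and the redirect URL gets that user's session."""
    user = params.get("user")
    return f"session-for-{user}" if user else None


def portal_issue_token(user: str, now: Optional[float] = None) -> dict:
    """Portal side: after its own login, bind the user to an issue time
    with an HMAC so the student system can tell a real handoff from a guess."""
    issued = int(time.time() if now is None else now)
    msg = f"{user}|{issued}".encode()
    sig = hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()
    return {"user": user, "issued": str(issued), "sig": sig}


def hardened_handoff(params: dict, now: Optional[float] = None) -> Optional[str]:
    """Student-system endpoint: recompute the HMAC, compare in constant time,
    and reject stale or tampered tokens before creating a session."""
    try:
        user, issued, sig = params["user"], int(params["issued"]), params["sig"]
    except (KeyError, ValueError):
        return None                      # bare username, as in the original bug
    msg = f"{user}|{issued}".encode()
    expected = hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                      # forged, or user/issued altered
    current = time.time() if now is None else now
    if not 0 <= current - issued <= TOKEN_TTL_SECONDS:
        return None                      # expired (or from the future)
    return f"session-for-{user}"


if __name__ == "__main__":
    print(vulnerable_handoff({"user": "jdoe"}))          # session-for-jdoe
    print(hardened_handoff({"user": "jdoe"}))            # None
    print(hardened_handoff(portal_issue_token("jdoe")))  # session-for-jdoe
```

Logging the rejected handoffs (bad signature versus expired) is also what would have surfaced the commenter's probing as an anomaly rather than as a surprise months later.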
Almost got me in trouble (Score:2, Interesting)
--
Free Linux Shells!
NicoNet 2000 [niconet2k.com]
Re:/. effect (Score:2, Interesting)
Re:Posting anonymously (Score:4, Interesting)
Re:I have some experience with this (Score:3, Interesting)
I demonstrated for the proctor, the fact that ANYONE could use the start menu, run item to open calc.exe, and therefore, access the windows calculator program, and that they really ought to do a better job securing these machines, seeing as how they spent so much money on the hired muscle.
I was immediately accused of cheating on the test.
I had to contact the professor to get the calculator-restriction lifted (the test was not on arithmetic, but rather on polynomial equations - involving nothing that a calculator would help anyone on anyway).
While searching for a job, I found a bug... (Score:3, Interesting)
Re:Not so different (Score:3, Interesting)
BTW, where is your sig from? I like it. I'm still trying to learn those virtues, though...
My first and last time (Score:3, Interesting)
So of course I learned my lesson, and I never reported any vulnerability to anyone, ever again. Found them, though.
Here's my favorite: On my first ISP (shell account), files in
Re:I don't get it (Score:2, Interesting)
Their logic is that you accessed someone else's account. Whether you intentionally did it or not, the fact remains that you did it. Therefore, 9 out of 10 courts are going to assume you are guilty.
Just like if they saw you carrying a bag of cash right after someone robbed the 7-11. Nevermind the fact that you just cashed your paycheck at the local bank. You were found carrying money in a bag right after a store was robbed. No one is going to listen to you.
Add in the fact that you are talking technobabble speak to judges who still haven't mastered the "double click" and you get a recipe for disaster.
Re:I have some experience with this (Score:3, Interesting)
In my case it was a very simple SQL injection bug in the login page, being the person I am I do test for these things out of curiosity and an almost compelling need to re-assure myself that the systems I'm working with or using are relatively secure.
I landed up in the middle of an 'investigation' after an e-mail with a couple of screenshots and a quick description of the bug was sent over to the department which was developing the web application.
It is very true that if you raise these issues, they're now considered your responsibility to fix, not because the developer was incompetent or just naive of these types of security problems, but because before you discovered them they simply 'didn't exist'!
To this day I still do web app auditing and report vulnerabilities to the developers when they're found, but always in sandbox or test environments rather than live sites; as in future I may end up in court simply for reporting these things (which implies I was 'hacking' or doing generally illegal things in the eyes of the mis-informed).
There are already procedures that most security professionals follow, for example disclosing only to the developers and allowing a 30-day leeway for them to patch it. In the case when the developers don't respond and you consider it to be a risk to the public, publishing the bug along with a patch so users can fix it themselves.
It's just a shame there's this big grey area (and often completely black) in the law.
Just my two cents...
Re:Depends on who you report to (Score:2, Interesting)
But the instant that anyone discovers, say, an account with username "user" and password "user" or a server vulnerable to putting ".." in the URL, suddenly the 'house' analogy gets whipped out: "OMG, this is like you just walked into my bedroom when I'm having sex with my wife and you started taking pictures and singing Auld Lang Syne! How violated I am, you cad! My website is like my house
But they can't have it both ways. This shows the serious schism in the average site owner's understanding of just what a web site is -- what it means that millions of people can read the pages you are serving up, and often can affect things on your server. Both analogies are kind of weak, but the second is a lot weaker.
Vulns on uni networks (Score:3, Interesting)
It turned out that for a number of the Windows labs, available to all students, you were always logged in as administrator. When I reported this issue (along with a list of actions I could perform that would cause damage to the University or its students), I got the brush off. At the time I considered exploiting this to demonstrate the problem. I'm glad I didn't.
This is a few years ago but it was interesting that there was a total disregard for any security concerns with that particular section of IT support.