Reporting Vulnerabilities Is For The Brave

An anonymous reader writes "A recent post on the CERIAS weblogs examines the risks associated with reporting vulnerabilities. In the end, he advises that the risks (in one situation, at least) were almost not worth the trouble, and gives advice on how to stay out of trouble. Is it worth it to report vulnerabilities despite the risks, or is the chilling effect demonstrated here too much?"


  • by Anonymous Coward on Monday May 22, 2006 @05:18PM (#15383729)
    I agree with the article for the most part - the advice he gives students is probably the correct advice from a teacher. However, the conclusion he reaches:
    I agree with HD Moore, as far as production web sites are concerned: "There is no way to report a vulnerability safely" [securityfocus.com].
    I cannot agree with.

    I think a vulnerability can be reported anonymously quite safely (for a good deal of people anyway). Try the following:

    1) Get a laptop with wireless.
    2) Boot with Knoppix, change MAC address.
    3) Walk around until you find unsecured AP.
    4) Post said vuln everywhere (including /.)

    -wmf
  • by buck-yar ( 164658 ) on Monday May 22, 2006 @05:32PM (#15383826)
    This raises a good point. There are many circumstances that exist where "doing the right thing" has potentially negative consequences.

    * Picking up a hitchhiker

    * Reporting evidence of theft from a company (retaliation, backlash if employee is exonerated)

    There's more than my limited mind can produce.
  • by Original Replica ( 908688 ) on Monday May 22, 2006 @05:34PM (#15383836) Journal
    Perhaps it would be in the best interest of some of the larger online businesses to form a reporting service that gives amnesty to those who do the reporting. Many major cities have anonymous services for providing tips to solve violent crimes. The same basic idea could work well here.
    http://www.nycpba.org/publications/mag-02-fall/shot.htm [nycpba.org]
  • I don't get it (Score:2, Interesting)

    by gr8_phk ( 621180 ) on Monday May 22, 2006 @05:43PM (#15383876)
    Why do people think trying to hack web sites without asking the owners first is somehow acceptable?

    No really. Why should that be OK? Is it OK for someone to walk around the neighborhood and try turning all the doorknobs? How about pushing the doors open to see if they're bolted? Should they take a picture from inside and send it to the homeowner as proof that someone could get in? Should you be surprised when someone tries to prosecute such a person? Sorry for the analogy, let's just try to answer the first question about hacking without authorization - why do people think that's OK?

  • by jonfr ( 888673 ) on Monday May 22, 2006 @05:51PM (#15383928)
    "where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem."

    Been there, done that. Got arrested, got lucky, found not guilty for all but one charge, but lost three computers because the court did figure out it was wrong of me to use a pwd (I did test the flaw, big mistake), even if it was on a public C: drive for everyone to see and in a clear text file. I am never going to report a bug in a computer system in a school, company or somewhere else again. Don't care what the type of the flaw is or who it is, it is their own problem, they can handle their own infestation.
  • True story (Score:5, Interesting)

    by celardore ( 844933 ) on Monday May 22, 2006 @05:54PM (#15383947)
    This story is true...

    It's easy to spoof email addresses with a very simple PHP script.
    I decided one day to trick one of my colleagues. I sent him an email 'from' one of our very attractive colleagues (in a fairly distant department so I thought it safe at the time) complimenting him on his physique and machismo. I used her real email address as the 'spoof' address, which being the dumbass he is, he replied to. In a manner that would not be considered acceptable in a work environment, let's say...

    Well, I got in trouble for this. (Everyone where I work already knew I was the only one capable of something like this... [lame].) So that same afternoon I was called into my boss's office. He was quite frank, and also remember that I value my job here, he said "That email... You had something to do with it didn't you?"

    I said that I was the cause of that little incident by way of one of my scripts. I said I was sorry it went as far as it did, and my boss accepted that.
    After that my boss said, "Do you have any other things you wish to report?" I decided that I'd come clean with everything I'd found out about the work network. I told them that using the Citrix system, I could remotely control anyone's PC on the network. I told them I could spoof emails from anyone... Which resulted in my company rejecting email authorisation for crediting invoices full stop.

    OK, through a prank I caused my company a bit of upset... But I, in turn, improved systems indirectly. And all this because I exposed one weakness, and upon my boss's asking me about it - I told all. As I'm sure any loyal employee would do. Through exposing a weakness in my company, I concentrated effort on plugging those holes.
  • Re:I don't get it (Score:5, Interesting)

    by Mr. Hankey ( 95668 ) on Monday May 22, 2006 @05:57PM (#15383970) Homepage
    You're assuming someone tried to hack it. It's not impossible to stumble into a bug. I was using a "training" site at work a few years ago (we're required do the same training/test every year) and hit the wrong button accidentally. I then hit the back button so I could click on the button to print a "certificate". As it turns out, I was then logged in as another user.

    Do you think I should have reported this? Should I have ignored the issue? I had access to another person's training records without authorization. No doubt someone could have gained access to mine as well. On the other hand, I'm not interested in being prosecuted for something this silly.
  • by JeffSh ( 71237 ) <jeffslashdot@[ ]0.org ['m0m' in gap]> on Monday May 22, 2006 @06:00PM (#15383986)
    I have two times found and two times reported vulnerabilities I have found in public web based systems.

    Let me tell you, it was not easy. Here's the story of the first time because it's the most interesting.

    I worked for a community college in its tech department. A lot of my time was devoted to answering phones and helping faculty with problems, which did leave me idle a lot. (High availability requires high idle time as a consequence.) As a tinkerer, my idle time is never spent truly idle, but pursuing things that don't require 100% attention.

    The community college I worked for had many different systems, and as such had many many translation layers between them. One of these transition layers was a transition from a "Portal" type website to another website that handled student information. (class registration, transcripts, billing, paying, you know all that important personal stuff).

    Anyway, I found a flaw in one of the scripts used to authenticate a user session to the second web service. The flaw was that the moron who coded it decided that creating a script that accepted 1 variable (the username) was enough security to authenticate a login.

    By closely observing the script's actions through my web browser, I noticed there were 2 very quick redirects. Focusing my efforts there (and logging my URL requests), I found the call to the script that required only the username.

    So, basically, at that point I had access to anyone's student account that I had the username for.

    I documented it very well in a long email, and demonstrated the flaw to my coworkers. I thought I would be a real hero for finding it; I mean after all, if I had found it, who knows who else might have? Surely, disaster averted!

    But... my idealism in the situation was met hard with reality. My inexperience led me to not take into account factors I should have.

    After reporting the vulnerability, a minor investigation was launched which I was the subject of. I felt more like a criminal than a saint. After demonstrating how I could log in to their accounts, my coworkers were suspicious as were my superiors. The thought pattern seemed to go like "Well shit, if he can do that, what else has he done? Why was he even poking around there in the first place?".

    While never actually accused of any wrongdoing, they weren't nearly as impressed with my find as I thought they would be. I was looking for a pat on the back, maybe a bonus, but instead my superiors were troubled and nervous. I'm not sure if I was right in feeling this way, but I never felt quite fully trusted there again after that one.

    The other thing I didn't think about was how the existence of the error then impeached the person who wrote it. Rightfully so, because it was a FOOLISH error, but the guy who wrote it was a guy who had been employed there far longer than I, and of course having me find it and dismantle it presented quite an embarrassment to him.

    I ended up leaving the job there 6 months later for a variety of reasons, but reporting the vulnerability was one of the 2 or 3 core reasons that I left. I don't regret it at all and would do it the same way again, but going through it taught me a lot about how to NOT be someone's boss (should I ever become one in the future), and not react in the accusatory manner like my superiors did.
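    The handoff flaw JeffSh describes (the second site trusting a bare username in the URL) beside a hardened handoff, as an added example that is not from the post or the college's own code; the shared secret, token lifetime and parameter names are constructed assumptions:

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed assumption: a secret shared by the portal and the student-information site.
SHARED_SECRET = b"portal-to-sis-shared-secret-example"
TOKEN_TTL = 60  # seconds a handoff token stays valid (assumed policy)

# Nonces already redeemed; a real deployment would keep this in shared storage.
_seen_nonces = set()


def vulnerable_handoff(query):
    """The flaw from the post: whoever arrives with ?user=<name> is logged in as <name>."""
    return parse_qs(query).get("user", [None])[0]


def issue_handoff(user, secret=SHARED_SECRET, now=None):
    """Portal side, after a real login: mint a signed, expiring, single-use handoff token."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    payload = "%s|%d|%s" % (user, now, nonce)
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return urlencode({"user": user, "ts": now, "nonce": nonce, "sig": sig})


def verify_handoff(query, secret=SHARED_SECRET, now=None):
    """Student-information side: accept the user only if the token is authentic, fresh and unused."""
    now = int(time.time()) if now is None else now
    q = parse_qs(query)
    try:
        user, ts, nonce, sig = (q[k][0] for k in ("user", "ts", "nonce", "sig"))
        ts = int(ts)
    except (KeyError, ValueError):
        return None  # missing or malformed fields: a bare username no longer works
    payload = "%s|%d|%s" % (user, ts, nonce)
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # username or timestamp was tampered with
    if not 0 <= now - ts <= TOKEN_TTL:
        return None  # token too old (or from a skewed clock)
    if nonce in _seen_nonces:
        return None  # replayed token
    _seen_nonces.add(nonce)
    return user
```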
  • by NicoNet ( 466227 ) <CNicodemusSD@NicoNet2k.com> on Monday May 22, 2006 @06:01PM (#15383995) Homepage Journal
    I had worked for the Cuyahoga Falls School District in IT. I had noticed that on NeoNet's (our Internet provider) FTP server that anonymous was able to download, upload, and delete any file on the server. I reported this in October 2000 to NeoNet; they did nothing about it. In March of 2001 I was laid off due to financial issues in the school district. Weeks later, the school's web site was replaced with a porn site using the anonymous login. They immediately assumed it was me. Luckily they were able to track it down to a student at the school. They then immediately fixed the FTP problem.

    --
    Free Linux Shells!
    NicoNet 2000 [niconet2k.com]
  • Re:/. effect (Score:2, Interesting)

    by coj ( 20757 ) on Monday May 22, 2006 @06:09PM (#15384041) Homepage
    We should be back up now. Here's a tip: unless you have a huge amount of RAM so you can up your MaxClients, Apache is much happier with persistent connections "Off" when dealing with Slashdot visits.
  • by pete6677 ( 681676 ) on Monday May 22, 2006 @06:37PM (#15384207)
    It's called the Law of Unintended Consequences. Too bad so many people in positions of authority are not aware of this.
  • by jafac ( 1449 ) on Monday May 22, 2006 @07:00PM (#15384334) Homepage
    Similarly, I was recently taking a proctored exam. The exam center used a computer-based testing method, running on a Windows PC. The test was a math test, and the computer was pretty much wide open. Only very minimal measures were taken to lock down access and functionality. Yet, they had a pair of goons frisk me on the way in, and took away my cell phone, my watch, and pen.

    I demonstrated for the proctor the fact that ANYONE could use the Start menu's Run item to open calc.exe, and therefore access the Windows Calculator program, and that they really ought to do a better job securing these machines, seeing as how they spent so much money on the hired muscle.

    I was immediately accused of cheating on the test.

    I had to contact the professor to get the calculator restriction lifted (the test was not on arithmetic, but rather on polynomial equations - involving nothing that a calculator would help anyone on anyway).
  • by bIOHZRd ( 196012 ) on Monday May 22, 2006 @07:06PM (#15384366) Homepage Journal
    ...Basically, I was job hunting and a friend directed me to a website of his company who was hiring. Now, instead of typing "www.company.com" I typed in "company.com". Boom, I'm presented with a database login. Hmm, I thought this was maybe for the job search, and didn't see a register button, so I just hit login. I was then presented with what I THOUGHT was a fake database...kind of like the example PHP websites you can "login" to to get a taste for the app. I wasn't 100% sure, but eventually decided to try running a SQL command...I changed all the company descriptions (it was a hiring agency) to "Change your admin password!" I then realized (late I know), that this was a REAL database after more poking around and finding real names/phone #'s/emails. I found the head of the company's email and politely told her there is a SERIOUS hole in her system. She (VERY) quickly responded with her phone number that I already knew and asked me to call. So, being the good citizen that I was, I called. Ha! She immediately asked my personal information which I was hesitant to give, and resorted to only giving my first name. Then she connected me with the "IT guy" if you could call him that, and I explained what I had done and how I did it. Throughout this whole conversation I was very nervous and got the feeling that I was being criminalized. After the whole ordeal was over (luckily they had backups), she offered me the job that I was initially seeking, but I politely refused stating I didn't feel comfortable working for a company that was as insecure as hers.
  • Re:Not so different (Score:3, Interesting)

    by alienmole ( 15522 ) on Monday May 22, 2006 @07:17PM (#15384413)
    A friend of mine once noticed a mains power anomaly being reported on a regular basis by his APC SmartUPS. He reported it and provided the info from the power supply's automated report to the power company. Later that day, he got a call from the police wanting to know why he knew so much about the power system - the power company had "turned him in". The police accepted his explanation, but he (and I) were a bit taken aback by the incident.

    BTW, where is your sig from? I like it. I'm still trying to learn those virtues, though...
  • by The Wicked Priest ( 632846 ) on Monday May 22, 2006 @07:47PM (#15384518)
    In 1988, on the first BBS I ever called, I found a vulnerability one day. It was a configuration error that allowed any user to elevate themselves to sysop status. Thinking I was being helpful, I reported it to the sysop. The next call, I was shocked to find myself locked out. Eventually the co-sysop persuaded the sysop to let me back on, but I was "on probation".

    So of course I learned my lesson, and I never reported any vulnerability to anyone, ever again. Found them, though.

    Here's my favorite: On my first ISP (shell account), files in /var/spool/mail/ were set readable and writable by the "mail" group. Also, "pine" was setgid mail. I could start pine, Compose a new message, and then ^R anybody's inbox right into it. One of the sysadmins had three megs of messages in his inbox, and some of them included credit card numbers. But like I say, I'd learned my lesson; I reported nothing. (Don't worry, that ISP later got assimilated by a bigger one, and that particular email system is long gone.)
  • Re:I don't get it (Score:2, Interesting)

    by Jerim ( 872022 ) on Monday May 22, 2006 @10:24PM (#15385046)
    I don't trust the legal system to understand technology.

    Their logic is that you accessed someone else's account. Whether you intentionally did it or not, the fact remains that you did it. Therefore, 9 out of 10 courts are going to assume you are guilty.

    Just like if they saw you carrying a bag of cash right after someone robbed the 7-11. Nevermind the fact that you just cashed your paycheck at the local bank. You were found carrying money in a bag right after a store was robbed. No one is going to listen to you.

    Add in the fact that you are talking technobabble speak to judges who still haven't mastered the "double click" and you get a recipe for disaster.
  • by drspliff ( 652992 ) on Monday May 22, 2006 @10:26PM (#15385049)
    Surprisingly I went through an almost identical situation to this, and also left about 6 months afterwards for similar reasons.

    In my case it was a very simple SQL injection bug in the login page, being the person I am I do test for these things out of curiosity and an almost compelling need to re-assure myself that the systems I'm working with or using are relatively secure.

    I landed up in the middle of an 'investigation' after an e-mail with a couple of screenshots and a quick description of the bug was sent over to the department which was developing the web application.

    It is very true that if you raise these issues, they're now considered your responsibility to fix, not because the developer was incompetent or just naive of these types of security problems, but because before you discovered them they simply 'didn't exist'!

    To this day I still do web app auditing and report vulnerabilities to the developers when they're found, but always in sandbox or test environments rather than live sites; as in future I may end up in court simply for reporting these things (which implies I was 'hacking' or doing generally illegal things in the eyes of the mis-informed).

    There are already procedures that most security professionals follow, for example disclosing only to the developers and allowing a 30 day leeway for them to patch it. In the case when the developers don't respond and you consider it to be a risk to the public, publishing the bug along with a patch so users can fix it themselves.

    It's just a shame there's this big grey area (and often completely black) in the law.

    Just my two cents...
  • by LandruBek ( 792512 ) on Tuesday May 23, 2006 @06:53AM (#15385923)
    You are right, and this highlights a critical factor. As long as the website is working fine (commercial or otherwise) the owner's attitude is usually, "Step right up and join in the fun" or "Get em while they're hot" or "Read my wisdom" and basically acts like he is standing in the center of the marketplace.

    But the instant that anyone discovers, say, an account with username "user" and password "user" or a server vulnerable to putting ".." in the URL, suddenly the 'house' analogy gets whipped out: "OMG, this is like you just walked into my bedroom when I'm having sex with my wife and you started taking pictures and singing Auld Lang Syne! How violated I am, you cad! My website is like my house."

    But they can't have it both ways. This shows the serious schism in the average site owner's understanding of just what a web site is -- what it means that millions of people can read the pages you are serving up, and often can affect things on your server. Both analogies are kind of weak, but the second is a lot weaker.
  • by dcam ( 615646 ) <david.uberconcept@com> on Tuesday May 23, 2006 @10:28AM (#15386857) Homepage
    I once found an issue on a university network.

    It turned out that for a number of the Windows labs, available to all students, you were always logged in as administrator. When I reported this issue (along with a list of actions I could perform that would cause damage to the University or its students), I got the brush off. At the time I considered exploiting this to demonstrate the problem. I'm glad I didn't.

    This is a few years ago but it was interesting that there was a total disregard for any security concerns with that particular section of IT support.
