Reporting Vulnerabilities is for the Brave


I was involved in disclosing a vulnerability found by a student to a production web site using custom software (i.e., we didn’t have access to the source code or configuration information).  As luck would have it, the web site got hacked.  I had to talk to a detective in the resulting police investigation.  Nothing bad happened to me, but it could have, for two reasons. 

The first reason is that whenever you do something “unnecessary”, such as reporting a vulnerability, police wonder why, and how you found out.  Police also wonder: if you found one vulnerability, could you have found more and not reported them?  Who did you disclose that information to?  Did you get into the web site, and do anything there that you shouldn’t have?  It’s normal for the police to think that way.  They have to.  Unfortunately, it makes it very uninteresting to report any problems.

A typical difficulty encountered by vulnerability researchers is that administrators or programmers often deny that a problem is exploitable or is of any consequence, and request a proof.  This got Eric McCarty in trouble—the proof is automatically a proof that you breached the law, and can be used to prosecute you!  Thankfully, the administrators of the web site believed our report without trapping us by requesting a proof in the form of an exploit and fixed it in record time.  We could have been in trouble if we had believed that a request for a proof was an authorization to perform penetration testing.  I believe that I would have requested a signed authorization before doing it, but it is easy to imagine a well-meaning student being not as cautious (or I could have forgotten to request the written authorization, or they could have refused to provide it…).  Because the vulnerability was fixed in record time, it also protected us from being accused of the subsequent break-in, which happened after the vulnerability was fixed, and therefore had to use some other means.  If there had been an overlap in time, we could have become suspects.

The second reason that bad things could have happened to me is that I’m stubborn and believe that in a university setting, it should be acceptable for students who stumble across a problem to report vulnerabilities anonymously through an approved person (e.g., a staff member or faculty) and mechanism.  Why anonymously?  Because student vulnerability reporters are akin to whistleblowers.  They are quite vulnerable to retaliation from the administrators of web sites (especially if it’s a faculty web site that is used for grading).  In addition, student vulnerability reporters need to be protected from the previously described situation, where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem.  Unlike security professionals, they do not understand the risks they take by reporting vulnerabilities (several security professionals don’t yet either).  They may try to confirm that a web site is actually vulnerable by creating an exploit, without ill intentions.  Students can be guided to avoid those mistakes by having a resource person to help them report vulnerabilities. 

So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem.  I knew the student well enough to vouch for him, and I knew that the vulnerability we found could not have been the one that was exploited.  I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student.  My superiors also requested that I cooperate with the detective.  Was this worth losing my job?  Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized?  Thankfully, the student bravely decided to step forward and defused the situation.

As a consequence of that experience, I intend to provide the following instructions to students (until something changes):

  1. If you find strange behaviors that may indicate that a web site is vulnerable, don’t try to confirm if it’s actually vulnerable.
  2. Try to avoid using that system as much as is reasonable.
  3. Don’t tell anyone (including me), don’t try to impress anyone, don’t brag that you’re smart because you found an issue, and don’t make innuendos.  However much I wish I could, I can’t keep your anonymity and protect you from police questioning (where you may incriminate yourself), a police investigation gone awry and miscarriages of justice.  We all want to do the right thing, and help people we perceive as in danger.  However, you shouldn’t help when it puts you at the same or greater risk.  The risk of being accused of felonies and having to defend yourself in court (as if you had the money to hire a lawyer—you’re a student!) is just too high.  Moreover, this is a web site, an application;  real people are not in physical danger.  Forget about it.
  4. Delete any evidence that you knew about this problem.  You are not responsible for that web site, it’s not your problem—you have no reason to keep any such evidence.  Go on with your life.
  5. If you decide to report it against my advice, don’t tell or ask me anything about it.  I’ve exhausted my limited pool of bravery—as other people would put it, I’ve experienced a chilling effect.  Despite the possible benefits to the university and society at large, I’m intimidated by the possible consequences to my career, bank account and sanity.  I agree with HD Moore, as far as production web sites are concerned: “There is no way to report a vulnerability safely”.

Edit (5/24/06): Most of the comments below are interesting, and I’m glad you took the time to respond.  After an email exchange with CERT/CC, I believe that they can genuinely help by shielding you from having to answer questions from and directly deal with law enforcement, as well as from the pressures of an employer.  There is a limit to the protection that they can provide, and past that limit you may be in trouble, but it is a valuable service. 

Comments

Before any exploits or intrusions, developers/administrators dismiss warnings and recommendations; once something concrete happens, they assume the worst and bring in law enforcement and waste enormous resource to harass the bug reporter. Some do it for revenge; some do it to show that they’re doing a good job; yet others do it so that they can assure the community, “whoever responsible for the break-in has been tracked down and will be investigated.” Accompanying that comment is often the public relations statement, “fortunately the attacker was stopped before doing more serious damages,” stealing credit from the person who did the research.

Going after the security researcher is safe and easy, so they do. When real attacks are waged from malicious parties, however, the standard procedure is to cover up.

Posted by iworms on Monday, May 22, 2006 at 09:35 AM

“where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem.”

Been there, done that. Got arrested, got lucky, found not guilty for all but one charge, but lost three computers because the court did figure out it was wrong of me to use a pwd (I did test the flaw, big mistake), even if it was on a public C: drive for everyone to see and in a clear text file. I am never going to report a bug in a computer system in a school, company or somewhere else again. Don’t care what the type of the flaw is, it’s their own problem, they can handle their own infestation. I have reported wrong settings in IBP forums and such when I register.

But I do so really carefully and I don’t test the limit of the wrong settings, I just let the admin know with a pm or a simple post. Lucky for me, this is not common, but I have seen it.

Posted by jonfr on Monday, May 22, 2006 at 11:47 AM

The best way to report such things is anonymously.  And if they don’t fix it, put all the details & code required to hack ‘em on Full-Disclosure or somewhere like that.

I had an exploit I found by accident that compromised the network drives given to students of a certain, nameless university.  I reported it anonymously, they (eventually) fixed it, and I never had any problems.  Of course, I was nice and I never reported it to anyone but them.  But given the huge lack of clue I ran into at times, well, I was probably right to worry.

So like I said:  be anonymous.  They can’t sue you if they can’t find you.

Posted by Anon on Monday, May 22, 2006 at 11:58 AM

How about sending a single email to the site admin from an anonymous email account?

Posted by Glauber Ribeiro on Monday, May 22, 2006 at 12:00 PM

[...] CERIAS has a blog post on Vulnerability Reporting For The Brave, which based on the title alone already had me ready to pick it apart line by line. [...]

Posted by Matasano Chargen » CERIAS on Vulnerability R on Monday, May 22, 2006 at 12:10 PM

Heh, it’s kinda risky publishing vulnerability information nowadays. As you know, full disclosure in France is now a crime, as well as writing exploits.
It seems the fear consumes them. So, find your bugs, write your exploits, keep them private and hack whoever you want (first target: Eugene Spafford heh)

Posted by Someone on Monday, May 22, 2006 at 12:11 PM

Is that anonymous as in ‘i don’t tell you who i am’, or anonymous as in ‘you couldn’t possibly find out who i am, no matter how hard you try’? 

How do you distinguish one from the other?  And, should your attempt at the latter fail, does your extra effort in hiding your identity diminish your claim to be a simple ‘good Samaritan’?

Posted by Mr Anonymous on Monday, May 22, 2006 at 12:13 PM

The reality is that some websites can harm people. Banking, health and other information is available via the web.  If you have found a big enough bug, don’t tell anyone. Send them the basics in a legal text that is not fully incriminating from a hotspot, or other open network that is not so traceable, using a temp mail portal.  I know it seems like a bad line from “Sneakers” or “Hackers” or some other movie, but we do have a reasonable need to promote security. Even the best admin can miss something.  Better to miss it and have a concerned end user point it out than lose millions and harm real people from not knowing.

The sad fact is, we are cultivating a nirvana for those who wish to do harm.  A better response yet is to call your local government official and make sure they understand what they are enacting, when they slap our hands for doing what is RIGHT.

Posted by Richard on Monday, May 22, 2006 at 12:16 PM

Perhaps a pre-emptive strike would be better:
If the web site is part of an organization which has accepted your credit card info, or has required you to submit to them personal information such as a SSN or grades, or health insurance info, get a lawyer and sue them for breach of privacy.  Or complain to a Federal Agency that the organization is exposing your personal info.  Even if the website ultimately is shown to have no physical connection to a database that has the info, they both go into the same organization, and the info may, at some level, be accessible.

Make it a public complaint; strike first.

Posted by W.Taylor on Monday, May 22, 2006 at 12:20 PM

Yeah, I understand this. Got in a decent amount of hot water for reporting a bug that got me access to a whole boatload of stuff I shouldn’t have. Phone records, student records, private SSL keys, etc. I think the only reason I wasn’t expelled was that I was friends with one of the sysadmins.

Also if any of them are reading this: Hi Dave, Phopp, Mary, etc.,

Posted by Jon on Monday, May 22, 2006 at 12:26 PM

I personally wouldn’t recommend helping big vendors out, no good deed goes unpunished in my experience.

Posted by Michael Lynn on Monday, May 22, 2006 at 12:29 PM

I had a vulnerability reported against my code once, which was invalid. The reporter found an interface flaw (which was not written particularly robustly) but then of course was stopped when he tried to take action with the form at the end of the multi-page form by the underlying business logic (which was written robustly) and clearly said he’d been blocked.

Of course, what pissed me off the most is that, valid or otherwise, he reported the invalid exploit to a public forum FIRST and didn’t come to us privately.

And frankly, with websites, if you report publicly, then black hats on those lists are going to wonder what ELSE is weak and go gunning for you, which is exactly what happened.

1 day after the initial report, some teenagers from Dallas broke in (via bind we _think_) and we had to scorched-earth half a dozen servers.

And then the guy had the hide to offer to consult with us to fix it.

Bastard.

(sorry, just venting, consider it a reminder to report privately first and at least give us poor coders a chance to avoid becoming a giant target)

Posted by Adam on Monday, May 22, 2006 at 12:46 PM

In light of this, several other articles, and a few months of research, would it be beneficial to people to have a website designed to be a gateway for anonymously reporting vulnerabilities?

I’m thinking of a site that would not record ANY personal information (no IPs in the access logs) of the people using it, and that would act as a go-between for the researchers and the sites they’ve discovered the vulnerabilities in.  The researcher would submit the vulnerability to the site, the site would then contact the target site and inform them of the possibility of an exploit.  All parties would be protected, as the researchers submit anonymously and the site itself did nothing more than pass on information (they themselves did not conduct the research/exploit).

Posted by Shalev on Monday, May 22, 2006 at 12:53 PM

Are we becoming so totalitarian?

My political science teacher explained that the reason so many North Koreans could not fit into South Korean culture after finding a way home was because of a significant culture difference. Typically a N. Korean is discouraged from any sort of self initiative by the government / employer / etc. When they get to S. Korea and are given a large immigrant stipend from the S. Korean government to get their lives back on track, they often wind up homeless or in the most menial of jobs because they don’t fit into the robust, curious and motivated S. Korean culture.

I don’t want the US to become like N. Korea.

Posted by No Such Thing As Anonymous on Monday, May 22, 2006 at 12:55 PM

It is always easier to kill the messenger than to kill the message. Is history repeating itself?

It saddens me utterly that people are giving in to this type of intimidation. It is understandable and at the same time unforgivable.

This is the end of any and all of the values that build the medium in the first place.

I have no problem reporting any problem I care about. Even though someone might want to haunt me for whatever misguided reason. Some basic principles _are_ worth fighting for.

Posted by Bertho Stultiens on Monday, May 22, 2006 at 12:55 PM

If you need to stay anonymous, for this or any purpose, I recommend Tor (http://tor.eff.org/).

Posted by Pupeno on Monday, May 22, 2006 at 01:25 PM

Gotta have your lawyer in your back pocket at all times. It’s sad, but you don’t want to get burned bad, or incriminate yourself.

Posted by Mr. HMM on Monday, May 22, 2006 at 01:28 PM

You think this is bad? Someone I know found a dead body underwater while scuba diving, and reported it to the police. The police arrested her and treated her as a murder suspect. She swears she will NEVER report any crime again, especially a dead body.

I know police are supposed to suspect everyone, but they could have investigated her surreptitiously. As is, they succeeded in creating a person who will never help them again.

Posted by Ilya on Monday, May 22, 2006 at 02:10 PM

I wrote an article called “It’s 2am, do you Know What Your IT Staff Are Doing?”  (http://www.nist.org/news.php?extend.118) that outlines the recent such case at USC.  But the article tries to explain from a legal point of view why most businesses would be very stupid to report someone intruding into their system, regardless of their intent. The best thing you can do is NOT to hunt for vulnerabilities on someone else’s system.  If you stumble upon something, totally by accident, report it anonymously if you left no trail (which, if it truly was by accident, then you shouldn’t have been covering your tracks), or simply ignore it.  I think most people hunt for vulnerabilities for egotistical reasons, they want the glory. So being totally anonymous probably doesn’t appeal to most people.

I don’t want to hijack this great discussion so please direct any comments back here.

Posted by John Herron on Monday, May 22, 2006 at 02:14 PM

The problem today is the black hats are protected by numerous laws and privacy regulations.  Most of them are incredibly stupid and arrogant, so finding them is pretty easy - they brag, they tell everyone they meet, and so on.

The ones that are not so incredibly stupid are still out there.  Ready and willing to do however much damage they can, just because they can.  There are no consequences for them, and they believe it is their target’s fault they are able to wield such power.

So all you have are stupid script kiddies and innocent do-gooders that are just trying to help.  Unfortunately, it is almost impossible to tell the difference between the two from the outside and without any special knowledge.

Until the black hat folks are stopped, this sort of thing will continue to happen.  Trying to be a do-gooder will get you lumped in with the script kiddies and you do stand a good chance of being prosecuted.

Posted by Paul Crowley on Monday, May 22, 2006 at 03:23 PM

[...] In a previous blog, I discussed how vulnerable our Internet was to attacks and that there are really no hard and fast solutions to these problems. Plus the fact that there are a good number of times that when you report a vulnerability you get in trouble because your guilt is presumed. This and other reasons make it difficult to ensure that systems are in tip top shape (security-wise). What makes things worse are inherent weaknesses of the Internet that can be exploited such as the Domain Name System (DNS) and the use of Distributed Denial of Service (DDOS). These problems affect everybody and do not single out a particular country or region as vulnerable. [...]

Posted by It’s hip2b2 (Mobile, Security, Web 2.0, Pipe on Monday, May 22, 2006 at 03:23 PM

No - F them. 

If the world is reaching the point where helping someone is more trouble than it is worth - then let them reap the rewards of promoting that kind of internet.

If they want that sort of help - let them put up on their page or net.issue how to reach them for possible bugs/exploits.

Like the author said, if it isn’t life or death then it isn’t worth making an issue out of.

Let them sink their fangs into the real trouble makers.

Posted by SGA on Monday, May 22, 2006 at 03:36 PM

I think the final word of advice got cut off at the end of the post:

6. Curl into a ball until the bully stops kicking you. Weep. Live life in fear, ensuring you never do anything that any other person would consider wrong in case they come get you. If they do, start this step again.

Posted by Mike on Monday, May 22, 2006 at 03:45 PM

Treat computers as if they were buildings. You wouldn’t go around testing the locks on strange office buildings: don’t go around testing the security on strange websites. If you found an office building with its front door open you wouldn’t go inside to prove that it was really unlocked: treat websites the same way.

If you do happen to notice a vulnerability in the normal course of your dealings with the website then there is nothing you can do that will not make you a suspect. It really is true that guilty parties are often the ones who report crimes. Anything you do to lower your profile could be seen as evidence of a guilty mind. The safest thing to do is to terminate your dealings with that website, check that your passwords are secure, and move on.

Posted by Joe in Australia on Monday, May 22, 2006 at 05:17 PM

Trying to find SQL injection vulnerabilities just for fun is like trying to open the door of every car in your neighbourhood. Sure, someone will have left the car unlocked (I do sometimes) and maybe you can do him a big favour by opening the door, locking it and leaving. But what if a cop is watching you? You BROKE INTO SOMEONE ELSE’S CAR and you will be arrested. And what if the owner left the keys inside because he was urged to pee, and when he comes back he finds the car locked with the keys inside? And what will you do if the car alarm goes off?

Instead, if you see a car that is *evidently* unlocked (so evident that you can tell it from outside the car) and you know for sure you can alert the owner or someone responsible for the car (like a parking lot owner), you look for him and tell him. Otherwise, you just stay out of trouble and hope for the best.

Same thing if you go to a restaurant and find a gun under a table. Will you take it and try to fire it so you can be sure it’s dangerous or just alert the authorities?

There’s no reason it should be different in the internet - take care of yourself before taking care of someone else…and don’t let your ego and your dreams of becoming a hero ruin your life.

Posted by Carlos on Monday, May 22, 2006 at 05:22 PM
