The Center for Education and Research in Information Assurance and Security (CERIAS)


Reporting Vulnerabilities is for the Brave


I was involved in disclosing a vulnerability found by a student to a production web site using custom software (i.e., we didn’t have access to the source code or configuration information).  As luck would have it, the web site got hacked.  I had to talk to a detective in the resulting police investigation.  Nothing bad happened to me, but it could have, for two reasons. 

The first reason is that whenever you do something “unnecessary”, such as reporting a vulnerability, police wonder why, and how you found out.  Police also wonder whether, if you found one vulnerability, you could have found more and not reported them.  Who did you disclose that information to?  Did you get into the web site, and do anything there that you shouldn’t have?  It’s normal for the police to think that way.  They have to.  Unfortunately, it makes it very uninteresting to report any problems.

A typical difficulty encountered by vulnerability researchers is that administrators or programmers often deny that a problem is exploitable or is of any consequence, and request a proof.  This got Eric McCarty in trouble—the proof is automatically a proof that you breached the law, and can be used to prosecute you!  Thankfully, the administrators of the web site believed our report without trapping us by requesting a proof in the form of an exploit and fixed it in record time.  We could have been in trouble if we had believed that a request for a proof was an authorization to perform penetration testing.  I believe that I would have requested a signed authorization before doing it, but it is easy to imagine a well-meaning student being not as cautious (or I could have forgotten to request the written authorization, or they could have refused to provide it…).  Because the vulnerability was fixed in record time, it also protected us from being accused of the subsequent break-in, which happened after the vulnerability was fixed, and therefore had to use some other means.  If there had been an overlap in time, we could have become suspects.

The second reason that bad things could have happened to me is that I’m stubborn and believe that in a university setting, it should be acceptable for students who stumble across a problem to report vulnerabilities anonymously through an approved person (e.g., a staff member or faculty) and mechanism.  Why anonymously?  Because student vulnerability reporters are akin to whistleblowers.  They are quite vulnerable to retaliation from the administrators of web sites (especially if it’s a faculty web site that is used for grading).  In addition, student vulnerability reporters need to be protected from the previously described situation, where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem.  Unlike security professionals, they do not understand the risks they take by reporting vulnerabilities (several security professionals don’t yet either).  They may try to confirm that a web site is actually vulnerable by creating an exploit, without ill intentions.  Students can be guided to avoid those mistakes by having a resource person to help them report vulnerabilities. 

So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for him, and I knew that the vulnerability we found could not have been the one that was exploited.  I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student.  My superiors also requested that I cooperate with the detective.  Was this worth losing my job?  Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized?  Thankfully, the student bravely decided to step forward and defused the situation. 

As a consequence of that experience, I intend to provide the following instructions to students (until something changes):

  1. If you find strange behaviors that may indicate that a web site is vulnerable, don’t try to confirm if it’s actually vulnerable.
  2. Try to avoid using that system as much as is reasonable.
  3. Don’t tell anyone (including me), don’t try to impress anyone, don’t brag that you’re smart because you found an issue, and don’t make innuendos.  However much I wish I could, I can’t keep your anonymity and protect you from police questioning (where you may incriminate yourself), a police investigation gone awry and miscarriages of justice.  We all want to do the right thing, and help people we perceive as in danger.  However, you shouldn’t help when it puts you at the same or greater risk.  The risk of being accused of felonies and having to defend yourself in court (as if you had the money to hire a lawyer—you’re a student!) is just too high.  Moreover, this is a web site, an application;  real people are not in physical danger.  Forget about it.
  4. Delete any evidence that you knew about this problem.  You are not responsible for that web site, it’s not your problem—you have no reason to keep any such evidence.  Go on with your life.
  5. If you decide to report it against my advice, don’t tell or ask me anything about it.  I’ve exhausted my limited pool of bravery—as other people would put it, I’ve experienced a chilling effect.  Despite the possible benefits to the university and society at large, I’m intimidated by the possible consequences to my career, bank account and sanity.  I agree with HD Moore, as far as production web sites are concerned: “There is no way to report a vulnerability safely”.

Edit (5/24/06): Most of the comments below are interesting, and I’m glad you took the time to respond.  After an email exchange with CERT/CC, I believe that they can genuinely help by shielding you from having to answer questions from and directly deal with law enforcement, as well as from the pressures of an employer.  There is a limit to the protection that they can provide, and past that limit you may be in trouble, but it is a valuable service. 

Comments

Posted by /Cry : Brave Professor Teaches New Vulnerability R
on Monday, May 22, 2006 at 05:29 PM

[...] Brave Professor Teaches New Vulnerability Reporting Trick   The trick: don’t; that is basically the gist of what Pascal Meunier, a professor at Purdue, has to say after his brisk run-in with the law following the time that he reported a flaw in a web application in conjunction with a student of his, who found the vulnerability.  If you find strange behaviors that may indicate that a web site is vulnerable, don’t try to confirm if it’s actually vulnerable. Try to avoid using that system as much as is reasonable. Don’t tell anyone (including me), don’t try to impress anyone, don’t brag that you’re smart because you found an issue, and don’t make innuendos. However much I wish I could, I can’t keep your anonymity and protect you from police questioning (where you may incriminate yourself), a police investigation gone awry and miscarriages of justice. We all want to do the right thing, and help people we perceive as in danger. However, you shouldn’t help when it puts you at the same or greater risk. The risk of being accused of felonies and having to defend yourself in court (as if you had the money to hire a lawyer — you’re a student!) is just too high. Moreover, this is a web site, an application; real people are not in physical danger. Forget about it. Delete any evidence that you knew about this problem. You are not responsible for that web site, it’s not your problem — you have no reason to keep any such evidence. Go on with your life. If you decide to report it against my advice, don’t tell or ask me anything about it. I’ve exhausted my limited pool of bravery — as other people would put it, I’ve experienced a chilling effect. Despite the possible benefits to the university and society at large, I’m intimidated by the possible consequences to my career, bank account and sanity. I agree with HD Moore, as far as production web sites are concerned: “There is no way to report a vulnerability safely”. 
How great, that modern professors are teaching such brave responsibility to their students. As a software developer, I can see this from both sides, sort of.  I definitely understand the developers giving the bug reporter’s information to the police in hopes that they could lead them to the hacker.  After all, who is the most likely person to hack the site?  A person that knows a vulnerability, and maybe learned some more.  From the reporter’s side, I can understand being a little troubled about being reported to the police, especially if you are innocent, but at the same time, I would understand that the police are just following sensible leads. It really saddens me that a professor would not at least suggest to report vulnerabilities anonymously in such a case.  I can imagine that this professor was too ignorant to think of this idea, but I have known professors to be far dumber.  No, I think this is the professor’s way of legitimizing laziness.  Yes, I have reported possible vulnerabilities to closed source vendors (including a company that I used to work for), and even code documentation (MSDN) and I am not worried about being grabbed for hacking someone’s web server through a fix I suggested because I have nothing to hide and I am not worried about losing a few hours of my day after a company probably lost thousands of dollars (though, I will say that I am nowhere near as important as an empowered professor).  Published Monday, May 22, 2006 8:57 PM by Picky [...]

Posted by SecuriTeam Blogs » Reporting Vulnerabilities
on Monday, May 22, 2006 at 06:11 PM

[...] I came across this nice article: Reporting Vulnerabilities is for the Brave by Pascal Meunier. The article speaks about how frequently vulnerability researchers come face to face with the ugly side of disclosing vulnerabilities, such as in the case of Eric McCarty. [...]

Posted by Here's an idea
on Monday, May 22, 2006 at 06:29 PM

If you find a vulnerability and there is YOUR sensitive data in the application, sue the company/school for wrongly exposing YOUR sensitive data.

It’s true that the web server and application belong to them, but YOUR data belongs to YOU. You did not give them permission to share it with the world. You don’t have to give details on the vulnerability or “prove it”. The burden of guilt is upon them.

Posted by Asim Shaikh
on Monday, May 22, 2006 at 07:30 PM

I was referred to this blog by a friend.. maybe because I have been through this before.. like they say.. been there, done that.. There are many websites I come across daily which are exploitable.. at most nowadays I see if there is anything useful for me and keep quiet about it..

The risk factor of doing a good deed increases when it’s a government site you come across which is vulnerable. They are like a double-edged sword which is ignored by administrators and hackers alike unless some misfit brave soul decides to hack it.

In the past I have been thanked for reporting bugs but nowadays mostly threatened with lawsuits.. which has forced me to throw away my grey-white hat and get along with black, which suits my needs and hides my deeds well . .

Many have recommended anonymous proxies and mails to report such things.. but my experience says they are mostly ignored unless the sender IP can be confirmed to be prosecuted..

In today’s world it’s best to mind your own business and ignore them unless you are paid to look at it.. Nobody cares even if millions of credit cards get hacked each day and not reported for this very same reason..

Posted by saken
on Monday, May 22, 2006 at 07:50 PM

Every vulnerability is an asset and should be sold to persons who can appreciate your knowledge, skill and time spent to discover these vulnerabilities.
Mind *YOUR* own business.

Posted by Ray
on Monday, May 22, 2006 at 08:17 PM

I entered an IP address that was one number off when accessing a VNC connection and stumbled onto a computer that was linked to a VPN of a major merchant bank. The teleworker using the system was processing lease financing applications. Apparently the nice IT boys & girls from the bank who set up Mr. Telecommuter’s system decided to put in VNC for a little remote administration and neglected to even set a password. I’m sure they told him “you’re on the VPN, everything’s secure, no sweat, don’t worry”. The kicker is that although I could see all kinds of email addresses, I could never see HIS email address, and I could not come up with another reasonable way to let him know the magnitude of his insecurity without exposing myself to all kinds of potential risk. So in the end I just let it go. Proves three things: 1) with no reasonable system to report vulnerabilities, white hats finding them just won’t report them; 2) there really is no such thing as security by obscurity; and 3) even major merchant banks with uber-secure VPNs can be done in by one dumb-ass IT “professional”.

Posted by jkm
on Monday, May 22, 2006 at 08:34 PM

You guys (and girls) that think you are smart and report bugs/holes etc anonymously, please be advised that it is hard to be anonymous.

If you submit data in a webform, your IP will show. If you create a brand new email account (yahoo, google, whatever) your IP will be included in the recipient’s mail header. The owner of the system you use will leave information to the authorities (or others) if they become pressured.

To be anonymous is NOT easy!

Posted by RMS
on Monday, May 22, 2006 at 08:49 PM

If people were not lying you wouldn’t need police and then you would be able to report any bug you want to report. But they should consider that YOU’re reporting a bug, not that THE NEIGHBOR is reporting the fact that you know a bug.

Posted by Ryan Clark » Blog Archive » Reporting
on Monday, May 22, 2006 at 09:17 PM

[...] read more | digg story [...]

Posted by Mirko
on Monday, May 22, 2006 at 09:34 PM

“Reporting vulns is for the brave”: You are very right. This is even if you are employed by a company to find vulns and report them. People always have these afterthoughts about why you do what you do in the first place.

Posted by Martin Sturm » Blog Archive » Helping
on Monday, May 22, 2006 at 11:07 PM

[...] Today I read about this article on Slashdot. It is written by a teacher who helped a student reporting a vulnerability on a public (commercial?) website. Because shortly after their report the website was hacked and the police investigated the case, they were almost treated like criminals. I think this is ridiculous. It is almost the same as getting arrested when you report a suspicious bag at a railway station or warn a house owner when you see that he left his front door open. Fortunately, here in the Netherlands there is no law which enables the police to arrest people for reporting a vulnerability as far as I know (and according to a teacher at our university). Hopefully the EU will not take the US law as an example for this kind of stuff, because the people over there who created this law are obviously not aware of the daily practice regarding the discovery of flaws in software. A typical example of the ignorance of some politicians. The teacher in the article concludes that you should destroy all the evidence that you are aware of an existing vulnerability and certainly not tell the developer/site owner about the bug. While it may be the best thing to do, it is really crazy that you should do this. How the hell do politicians want to get a ‘safer and better world’ when it is not allowed to report defects? On the other side, it explains the growing number of spam, the increase in identity theft, the new problems with phishing and so on… if they are not going to change these laws and rules, I think we are only seeing the beginning of these things. [...]

Posted by TropicalCoder
on Tuesday, May 23, 2006 at 01:30 AM

I found this whole discussion so sad - so full of cynicism. It seems all respondents fell into the same hopelessness - for lack of a better word. We can’t just leave it like that, or we are lost as a human family. We must not give up so easily on our natural urge to help our fellows. Please, somebody - offer a ray of hope. When we just walk on by when we see a brother in distress (It’s not my problem!) it diminishes us all.

Posted by John Herron
on Tuesday, May 23, 2006 at 01:46 AM

And then comes proof of why we need internal auditors and paid PEN testers.  http://www.nist.org/comment.php?comment.news.118 This is totally unsatisfactory!

Posted by Technosophy » Blog Archive » Security
on Tuesday, May 23, 2006 at 04:15 AM

[...] What should you do if you discover an info security vulnerability in a website or other piece of software?  Report it, right?  Think carefully before you do - your knowledge of the flaw may be taken as evidence against you! [...]

Posted by Alton Naur
on Tuesday, May 23, 2006 at 05:35 AM

You always need to look at the “terms of use” section of the website, and not do anything that is beyond what is permitted there.  In some cases if you even “view source” on a fancy webpage (e.g. AJAX), your actions could be interpreted as an infringement on the “do not reverse engineer” terms of the Digital Millennium Copyright Act.

Posted by CERT/CC
on Tuesday, May 23, 2006 at 06:27 AM

CERT/CC can (most of the time) help.  We have a Vulnerability Analysis Team whose day job includes reporting vulnerabilities to vendors, including web site developers/owners.  To speak to a couple of the legitimate concerns raised in this thread:  We can act as a proxy to maintain the anonymity of a reporter, and we are usually better positioned to deal with angry vendors, legal threats, law enforcement, etc.

To report to CERT/CC, please see our old-school text vulnerability reporting form:

http://www.cert.org/reporting/vulnerability_form.txt

And here is our still-accurate-but-slightly-dated vulnerability disclosure policy:

http://www.cert.org/kb/vul_disclosure.html

Posted by lensovet
on Tuesday, May 23, 2006 at 09:15 AM

Moreover, this is a web site, an application; real people are not in physical danger. Forget about it.
Oh really? It’s just an application, no people are affected. How about applications that handle sensitive data, bank transactions, medical records, et al? Who are you kidding? In today’s increasingly online world, such a statement is just pure nonsense.
Hell, maybe people should stop reporting OS security flaws as well. Have you ever looked at who reports the security flaws in Apple’s Mac OS? Half the time, it’s ordinary people. Damn I wish they would stop! My Mac is just too secure!
Puhlease.

Posted by Lord Hedgehog
on Tuesday, May 23, 2006 at 10:14 AM

Your story reminds me of my own—while a student (1996), I found a vulnerability that granted me access to anyone’s account in the university.  Fearful of reprisals, although I believed I’d done nothing wrong, I asked a friend (and staff member) to relay the vulnerability.  He did, and nothing bad ever came from it.  I don’t know how much ten years have changed the culture, but I fear for students that can’t explore and discover.

Posted by Die Blog Diebin » Blog Archive » None
on Tuesday, May 23, 2006 at 10:28 AM

[...] And once again it is better to keep security holes to yourself. Pascal Meunier, a scientist at the Center for Education and Research in Information and Assurance at Purdue University in Indiana, writes in a blog entry about a new None Disclosure case. One of his students uncovered a security hole in a web application and told him about it. The security hole was fixed, the site was hacked. The cops wanted to know which student it was, but he didn’t tell them. In the blog entry he writes:  it should be acceptable for students who stumble across a problem to report vulnerabilities anonymously through an approved person [...]

Posted by RocketEddy
on Tuesday, May 23, 2006 at 11:01 PM

This is one of those situations where it’s easy to see both sides. The real problem is the culture we’re developing where we attack people for trying to help.

It’s like suing somebody for breaking your arm whilst pulling your unconscious body from a burning building.

Of course, you can look at it the other way. If you have a website/application/body in a burning building.. what would you prefer? For somebody to help you, or for somebody who can help to “pass by on the other side” for fear you might act against them?

It’s a sad day when somebody goes after the good samaritan. The solution is clearly to stop these attacks on the person who attempts to help. Until we solve that issue, more and more people are going to stop helping, and the world becomes a shittier place for us all.

In this particular case, it’s not an immediate life-or-death situation. So you can be cautious. If you stumbled across a suspected flaw whilst doing only things you’re supposed to be doing… then a message to the admins explaining your suspicions and outlining exactly how they arose is the obvious first step. If you offer to help them investigate further with written permission to do so, the choice is theirs. If they turn you down, screw ‘em. At least you tried. But do NOT attempt to prove you’re right just “because you can”. And keep a copy of all correspondence.

Posted by Simon
on Wednesday, May 24, 2006 at 12:47 AM

As a coder I think it’s utter nonsense for me to attack someone for reporting a vulnerability in my application. I’d instead be extremely grateful.

Actually most of the time I think the coder community doesn’t know what they are doing. In the end vulnerabilities occur because coders don’t think twice or thrice about their class/object/property/method invocation, because the thrill is in seeing the darn app work, and the adrenaline rush dies down after the app goes out the door. Code walkthroughs are more and more rare these days.

Posted by Sy Ali
on Wednesday, May 24, 2006 at 02:18 AM

Seeing as the programs get handed over to non-coders once they’re done, it ends up being that the non-coders get these vulnerability reports.  They freak, since they lack the background and tools to deal with the problem.

Even when the report lands in a coder’s lap, it’s usually not the original coder, nor is it in the lap of a person who is in a position of power to swiftly decide upon the problem.  So panic ensues.

If it were a personal project and the original developer got the report then the reaction would be better.  But since the report ends up being bogged down by non-techs and bureaucrats.. things get hairy.

Posted by meneame.net
on Wednesday, May 24, 2006 at 02:25 AM

Reporting vulnerabilities is for the brave

If you find strange behaviors on a web site, don’t try to confirm that it is vulnerable, don’t tell anyone or try to show off, forget about it, delete any evidence that implies you know about the problem, you are not responsible for that w…

Posted by PsicoIT Support
on Wednesday, May 24, 2006 at 01:00 PM

Every Good Deed Will Be Punished ®

As Pascal Meunier (a scientist at the Center for Education and Research in Information and Assurance) details in his blog, the task, almost always done "as a favor", of reporting vulnerabilities in software or sit ...

Posted by Mulhall
on Wednesday, May 24, 2006 at 09:44 PM

Why are you afraid of becoming a suspect?
A suspect is not a convict.

Pascal Meunier has given two reasons for you to be afraid:
1 The police will suspect you
So what?
2 They’ll want to speak to the student who found the vulnerability?
So what?

You’ve found a vulnerability and you feel it’s your civic duty to report it, but you don’t feel it’s your civic duty to help the police follow it up?

It seems to me that the problem is your lack of confidence in the justice system of your society, not in the way vulnerability reports are handled.
