Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

2/19/2019
01:00 PM
Joe Stanganelli
Joe Stanganelli
Joe Stanganelli
50%
50%

Take White Hats Seriously to Staunch the Flow of Zero-Days

Zero-day vulnerabilities are serious, and on the rise. And IT-security teams make the problem worse when they fail to respond, or respond poorly, to responsible vulnerability disclosures.

When it comes to the rising zero-day threat, IT-security organizations may have no one to blame but themselves and their poor attitudes toward data stewardship.

Zero-day vulnerabilities and the exploits thereof are trending upward. Earlier this month, for instance, both Microsoft and Apple had to issue patches on multiple respective zero-day vulnerabilities that were reportedly already being actively exploited in the wild. Meanwhile, digital-transformation technologies like IoT and AI are only exacerbating the problem.

But if you're a white-hat researcher who finds and responsibly reports a zero-day vulnerability, good luck getting the company to acknowledge it.

The question for disclosure closure
Last month, 14-year-old Grant Thompson accidentally discovereda bug in Apple's Group FaceTime feature in iOS 12.1 and MacOS Mojave. The flaw allowed a caller to turn someone else's iPhone into a listening device without the other party having to answer a call. Thompson's mother -- an attorney -- emailed Apple, posted several times to social media, and faxed Apple a letter on her law firm's letterhead. It was not until her posts went viral and major news outlets picked up the story that Apple began to address the issue on January 30, about a week and a half after the fact.

Thompson and his mother aren't the first to endure such endemic vulnerability-disclosure absurdism. Some yet more notorious examples:

  • Starting in 2017, security researcher Dylan Houlihan repeatedly attempted to get Panera Bread to acknowledge and address a website data leak exposing millions of customers' data. (It took an introduction from a mutual contact to even get in touch with Panera's Director of Inofrmation Security, who took him for a scammer at first.) After about eight months of fruitless persistence, Houlihan finally gave the information to renowned cybersecurity journalist Brian Krebs -- who not only brought national attention to the story, but also discovered that the data leak impacted tens of millions of people than originally thought. (See: Massive Data Breaches & Data Leak Hit Retail Industry in 1-2-3 Punch.)
  • In 2016, Asus got slapped with an FTC consent order subjecting it to, inter alia, 20 years' worth of audits as fallout from "AsusGate" -- when the company failed to respond appropriately to a security researcher's multiple emails from 2013 attempting to get it to address major security flaws in its routers.
  • Also in 2013, Palestinian researcher Khalil Shreateh attempted to report to Facebook multiple times a bug that would allow any user to post to any other user's timeline without the requisite permissions. After not being taken seriously (he was flat-out told "this is not a bug"), Shreateh was driven to post to CEO Mark Zuckerberg's wall a missive explaining his discovery. Only then did Facebook's security team pay heed -- and then refused to apply its bug-bounty program to Shreateh because Shreateh had technically violated Facebook's "white-hats only" policy by posting to Zuckerberg's wall. (Outraged members of the security community raised a $10,000 fund for Shreateh.

Perverse incentives
At best, companies' dismissive behavior and responses (or non-responses, as the case may be) to vulnerability disclosures not only disincentivizes researchers from doing the research and making the disclosures to these companies. At worst, it may turn a hacker's hat from white to gray or even black, according to Chris Richter, an advisor to cybersecurity startups. After all, if an IT-security team won't listen, the NSA or a dark-web forum might.

"That is a huge business on the dark web -- finding zero-day vulnerabilities, not revealing them to the vendor, and selling them to the highest bidder," says Richter. "[Or] they shop it to foreign governments that want to make use of it."

An iPhone vulnerability, for example, can literally fetch millions of dollars -- and Richter points out that gray- and black-market bounties are rising.

RTFDisclosure
There's only so much that can be done about bad corporate culture; sometimes this escalates to wilful ignorance. IT-security departments know that their knowledge of a possible data compromise may trigger a variety of time-sensitive compliance requirements, intense political pressure, and/or the possibility of fines and other unfavorable enforcement actions -- even if they competently handle their incident response (particularly these days if GDPR applies). (See: GDPR Fines: Some Bark, Little Bite.) Even when communications-service providers (CSPs) detect another company's breach and so alert it, the response may be a curt "Thank you for letting us know; don't ever call us again." (See: Four Enterprise Security Lessons From Maury.)

But for companies like Apple and Panera, the solution begins with making it easy to send disclosures to a properly trained and empowered human who will read and act on them. Katie Moussouris, CEO of Luta Security, reports finding that only 6% of the Forbes Global 2000 offers dedicated security-reporting channels.

"Make this process obviously distinct from the 'Hi I think my account is hacked' customer-support process," urges Houlihan. "You do not need to offer a bug bounty or a reward. Just offering a way to allow people to easily contact you with confidence would go a long way."

Related posts:

— Joe Stanganelli is managing director at research and consulting firm Blackwood King LC. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.

 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12505
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW07 allows an attacker to change some special parameters without authentication. This issue affects: WAGO 750-852 version FW07 and prior versions. WAGO 750-880/xxx-xxx version FW07 and prior versions. WAGO 750-881 ve...
CVE-2020-12506
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW03 allows an attacker to change the settings of the devices by sending specifically constructed requests without authentication This issue affects: WAGO 750-362 version FW03 and prior versions. WAGO 750-363 version ...
CVE-2020-4629
PUBLISHED: 2020-09-30
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could be used in further attacks against the system. IBM X-Force ID: 185370.
CVE-2019-17098
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
CVE-2020-15731
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.