5/12/2015 02:00 PM
Vulnerability Disclosure Deja Vu: Prosecute Crime Not Research

There is a lesson to be learned from a locksmith living 150 years ago: Attackers and criminals are the only parties who benefit when security researchers fear the consequences for reporting issues.

The recent example of a software vendor leveraging laws like the Digital Millennium Copyright Act (DMCA) to intimidate a security researcher is counterproductive. The researcher and team at the security consulting firm IOActive took a risk by attempting to report security flaws in a digital lock, and the company that makes the lock didn't exactly welcome the news.

While we don't know all the details, according to multiple press reports, IOActive tried to contact the vendor privately before public disclosure, and that vendor responded through its lawyers, who mentioned the DMCA. As Chris Soghoian, staff technologist for the ACLU, tweeted about this incident, "Having a lawyer respond to security researchers is like asking your neighbor to turn down the music w/ a gun in your hand. It won't end well."

This phenomenon is sadly all too common when we look at the history of security research, and results in a chilling effect on security research. Attackers and criminals are the only parties who benefit when security researchers fear the consequences for reporting issues.

The year 1853 called. They want their disclosure debate back.

A locksmith living over 150 years ago named Alfred Charles Hobbs said it beautifully when discussing whether revealing lock-picking techniques publicly was acceptable: "Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery."

The irony is that modern lock manufacturers have not learned the lessons of their industrial-age forebears, which indicates that we have not sufficiently shifted the norms of vendor behavior in more than a century and a half.

Hackers gonna hack.
When vendors lack a process and ability to receive, investigate, remediate, and communicate about security vulnerabilities, often the first reaction is to call in the lawyers. However, software bugs are not usually fixed by lawyers, threats, or intimidation. They simply distract all parties from the only route that ensures our collective security.

Back when I founded Symantec Vulnerability Research, I made t-shirts for the team that said simply:

All software contains bugs. The maturity of a vendor's product security is measured in part by how it handles vulnerability reports. Those who are unable to gracefully deal with external parties who are trying to warn them of security holes are putting their users, and possibly the Internet as a whole, at risk.

Recently, I worked with MIT Sloan School of Management and Harvard Kennedy School on relevant research, sponsored by Facebook, on system dynamics modeling of the 0day market. The research concluded, among other things, that defenders should try to increase the rate at which vulnerabilities are found by offering incentives for bug reports. Responding to friendly hackers with legal intimidation runs counter to this research and to all recommended best practices.

5 Stages of Vulnerability Response Grief: A Standard Approach
Denial. Anger. Bargaining. These are all emotional reactions to a technical problem. The cure? Acceptance. This short video offers a humorous look at this serious issue. Unfortunately, this is still an ongoing phenomenon, and organizations will benefit from quickly recognizing that these reactions are pitfalls that do nothing to improve their security posture.

As I write this from the 25-year anniversary meeting of the ISO SC27 working group in Malaysia, I am happy to report that we already have standard guidelines in the form of ISO 29147 Vulnerability disclosure and ISO 30111 Vulnerability handling processes. These are available to help organizations adopt a vulnerability handling, coordination, and public disclosure process. Will a set of standards end the disclosure debate once and for all? Not entirely, but it is an important first step.

Hackers can help prevent attacks if they can come forward without fear of prosecution. Encourage research, offer proper incentives, and have a safe and transparent way to receive potential security issue reports.

Prosecute crime, not research. The result is a safer Internet for everyone.

Katie Moussouris is the founder and CEO of Luta Security, a company offering unparalleled expertise to create robust vulnerability coordination programs. Luta Security specializes in governments and multi-party supply chain vulnerability coordination. Moussouris recently ...
Comments
ODA155, User Rank: Ninja, 5/19/2015 | 10:27:36 AM
Re: Defender's point of view
Imagine the PHP code that you write\wrote\sell or provide is being used all over the Internet for whatever reasons people use it for... now imagine it's weak and vulnerable and you missed it during your "code review".... now, wouldn't you want someone to point that out to you no matter how arrogant they were, or would you rather some attorney for Company X contact you with a lawsuit?

Don't take it personally; it's a mistake that someone found, hopefully before it was exploited for ill.
JBauerofPrivacy, User Rank: Apprentice, 5/15/2015 | 3:22:42 PM
An example of a different approach
United Airlines is offering up to a million air miles to hackers who can find security bugs in its network. 
Marilyn Cohodas, User Rank: Strategist, 5/15/2015 | 8:18:31 AM
Re: Defender's point of view
@Thomas Claburn, love how you expanded on the metaphor of the lock picker at the front door. Perfect! 
Sara Peters, User Rank: Author, 5/13/2015 | 12:50:14 PM
Re: Defender's point of view
@AnonymousMan  I see your points, but it's a bit more complicated than that when you're dealing with a public Website, because the safety of that site affects all the people who use it, not just the people who own the domain. And the trouble is that the way the laws are written right now, simply looking for a vulnerability in a website -- not disclosing it or testing it -- is technically a felony crime under U.S. and U.K. law, punishable by fines and even jail time.

Although it doesn't usually turn out that way, there have been cases when Good Samaritan security researchers have been convicted of cybercrimes under these laws -- like when Daniel Cuthbert got convicted in the UK for executing a single shellcode command after he thought he might have just given his credit card information to a phishing site.

Marilyn Cohodas, User Rank: Strategist, 5/13/2015 | 11:28:33 AM
Re: I Need that T-Shirt!
The T-shirt is definitely cool, @ChristianBryant. But your point about the value of vulnerability research -- and the need for lawmakers to protect it -- is critical. Hopefully Katie's message will reach beyond the world of Dark Reading to TPTB in Washington. What we need is intelligent cyber crime legislation. Not a dragnet.
RetiredUser, User Rank: Ninja, 5/13/2015 | 5:16:58 AM
I Need that T-Shirt!
OK, so that was a terrible label for my comment (I've been too serious on some of these) but, really, awesome message on the T!

I spend hours a day reading sites like DR, Exploit-DB and PacketStorm.  The imagination that goes into vulnerability research can't be stressed enough.  Without these individuals, teams and organizations (most of whom are either anonymous or feel some security in their visibility and numbers), we would not only be less safe but also our software would be buggier and less enjoyable to use.

The law must catch up, must address cyber-crime intelligently and recognize the value of folks like vulnerability researchers and not simply see them as part of the problem.  Even for those on the "right" side of the law who do recognize this, they then need to fight for them, for they too often get swept up in the nets.
Thomas Claburn, User Rank: Ninja, 5/12/2015 | 6:01:27 PM
Re: Defender's point of view
> Imagine that you come home one evening to find someone hunched over working on your front door lock with a set of picks.

This metaphor doesn't quite capture the Internet since there's no real sense of physical location. It would be more accurate to imagine someone opening his or her front door to find the entire population of the Internet outside, with a subset of this group running automated door-hacking attacks.
AnonymousMan, User Rank: Moderator, 5/12/2015 | 5:18:00 PM
Re: Defender's point of view
That is not just a different storyteller, it's a different story. Not invalid, mind you, but not the same situation. I wrote a PHP application and put it on the Internet. Does anyone have the right to test it for vulnerabilities, as long as their heart is pure? And my specific point... how does the defender discern intent from the packets?
dritchie, User Rank: Strategist, 5/12/2015 | 4:58:17 PM
Re: Defender's point of view
On the other hand:

You come home from the store. Your neighbor tells you that he just found out that his front door can be opened by banging on the lock 3 times, and since you have the same lock, maybe you should change it.

Do you:

1. Thank him and go buy a new lock kit

2. Kick him in the soft parts since he was looking at your lock for specifics.

Many different ways of looking at it, and it depends on who is telling the story.
AnonymousMan, User Rank: Moderator, 5/12/2015 | 3:30:55 PM
Defender's point of view
Imagine that you come home one evening to find someone hunched over working on your front door lock with a set of picks.  Do you:

a) assume they are a security researcher, and politely ask them to let you know if they successfully pick the lock?

b) assume they are a criminal and swing a grocery bag full of avocados into their soft parts?

While I generally agree with the idea of not prosecuting security researchers, there is no question IMHO that researchers are often egocentric ideologues who could care less about actual users. Some have a sense of entitlement that is simply dumbfounding.... as if putting something on the Internet gives them free rein because, well, it's on the Internet and stuff.