We don’t get asked this question very much anymore, but every so often it’ll come up: “Do you guys look for vulns in websites that are not your clients, and do you contact those companies to tell them?” (i.e. sometimes read as: do you market your services this way?). The answer is no, and I don’t know of any of our competitors who work this way. To me, it’s akin to dodgy anti-malware operators.

This does leave you between a rock and a hard place at times. Let me explain. Our team specialises in network and web application penetration testing. It’s one of our core services and we do it well, as our clients know. When someone is good at something, there are times when, through normal web browsing, a team member will see something that just doesn’t look right (read: probable vuln). So what do we do?

In most cases, we don’t do anything – unless:
1. The potential problem could endanger people/safety/security of critical infrastructure.
2. We know someone in the organisation who knows us and knows that this is not a marketing technique.
3. We’re aware of the organisation being open to such “advice”.

(1) and (3) are rare ((1) because of our normal browsing habits; (3) because few organisations openly advertise this), and (2) is 50-50 given we have a relatively large network of contacts.

Rock and a hard place? Yes: being open to providing sincere help is brand-threatening if the actions are viewed as nothing more than an attempt to win business.

You can’t blame people for being cynical. The industry is inundated with snake-oil salesmen who care nothing about their clients, false and misleading advertising from even the largest of brands, through to the spammers and other con men peddling their dangerous products. Of course people are going to question a phone call or email out of the blue telling them their site has problems.

The line between what is legal and what is not can also be blurred in some scenarios, though “intention” goes a long way towards protecting the people and organisations in the scenarios I have described above.

Now, the Cybercrime Act 2001 is reasonably clear on what is illegal activity: intentionally doing things to access, modify or impair an information system. So it dumbfounds me sometimes when I read about people doing things like cracking passwords, demonstrating SQL injection and hacking in one way or another into a computer/system that they are not authorised to perform such activities upon. Many actively talk about this in news articles and blogs they write.

Are these people ignorant of the laws? I don’t know what else it can be. It’s rare to see prosecution, as we know, but flipping the aforementioned question, are some organisations themselves ignorant of the laws to their own detriment? I read an article recently on an online IT news site where the writer openly talked about how he hacked into some large, well-known brand websites. By the tone of the article, he didn’t have permission to do this, so under the Cybercrime Act his actions were illegal, and the organisations he hacked into were well within their rights to have this guy prosecuted.

Some organisations I have seen have almost been apologetic to the person who “hacked” into them and then talked about it on his blog. I remember one recently where I thought, WTF?!?! This dude just hacked you, talked about it to the world, and you come back all nice nice and promise to fix the problem. Sure, you need to fix the problem, but you didn’t give this guy permission, nor did he act in the spirit of “responsible disclosure” from the outset (albeit to an extent later, though by then the horse had bolted).

It’s not open slather out there, but geez, sometimes you can still see things and believe it almost is. (And I’m not talking about the bad guys here; I’m talking about the “good” guys doing things that just don’t seem legal.)



  1. Igor Tistical says:

    You don’t need to be a Rhodes scholar to understand why the black hats openly publicize the tricks of their trade.

    But why is it that so-called do-gooders feel the need to publish detailed “how to hack\crack” in open internet forums? (I’m not talking about your Ruxcons or Kiwicons, which arguably do more good than harm.)

    In defending their piously misguided behaviour, the do-gooder’s argument is generally, that through their publicity, people will get off their backsides to protect themselves. Rubbish. Information is one thing, but publishing a detailed ‘how to’ in the open forum of the internet is akin to throwing more petrol on an already raging fire.

    Those who publish their detailed “how to’s” are not motivated by doing a common good for society, they’re motivated by their overly inflated egos, seeing their name up in lights, and ‘cred’.

    Stop kidding yourselves, do-gooders.

  2. Hugh Jorgen says:

    @Igor Tistical
    another argument of the howdly-hoadly Ned Flanders-types is that the information is already out there, so no harm done.

    In that case, why promulgate it further?

    It can only be their egos.

  3. One Wonders says:

    how many sites the first guy tried to hack before he got the result he wanted for his article. Generally script-kiddie level work. Wonder who they are trying to impress. Wouldn’t be gloating so much had he been caught and haven’t a few people in recent times been extradited for similar activities?

  4. Declan Ingram says:

    Interesting points you are bringing up there DD. While the act is clear, the devil is in the interpretation, focussing on intent.

    @Igor Tistical,

    Valid, but again – intent. The thing you have to realise is that there is nothing new. When you go to Kiwicon and get your latest 0day about that enterprise system that the vendor has been lying to you about how secure it is – what do you do? When I was at a con recently, the guy I was sitting next to opened up his phone, called the office and said “We have a security problem with blah, do this – this – this to fix, k thnx”. Wow. That was cool, I thought.

    The person disclosing this information had been in lengthy discussions with the vendor, so the vendor was 100% aware of the problem. From my experience this is common – the vendor will sit on a problem and ask for it to not be disclosed. Why? So they don’t have to do anything about it any time soon.

    Why is this a problem? Well, for two main reasons. If I ask a vendor about the security of their product, they will proudly tell me how great their security team is, how the systems are hardened etc. Oh good, I think. Now I’m not sure if they are lying or just ignorant, but if developers were just half as good as the vendor reps say there would be no security industry at all. It is hard to give them the benefit of the doubt when they have been made aware of the problems, they actively attempt to silence people about it and then continue to tell customers that their products are secure.

    The other thing to consider is that there is nothing new in the world. If one person can find a bug then others can – and most likely have. If this bug is in software that you use to protect your business and not only do you not know about it, but neither does the vendor or your staff, there is very little you can do about it. In fact anything you did do that protected you from it would almost be by accident.

    So sure, it’s annoying when some spotty kid stands up at a con or mailing list / whatever and drops a vuln for ‘mad props’, but then at least you know how crap most software is and can hold your vendor accountable – which in the long term will make software more secure.

    I don’t disagree that there are good ways and bad ways to disclose this information – there is always room for an idiot. Some recent talks at Kiwicon were drawing a fine line, and I make no excuses for that.

    Another thing to consider is this. It is not a crime to know something, or how to do something. I know how to stab my co-workers in the eye with a pen, an act that could well kill them. I know how to drive my car onto the pavement and run people over while laughing and singing the national anthem, but I do not. Because I know it is not the right thing to do – I make the choice.

  5. Cornflakes PhD says:

    @One Wonders,
    Amongst a host of other crimes, that bloke should be extradited to Middle Earth for claiming in his bio that he’s a “Warlock”, ffs.

    Seriously though, I’ve not encountered a self-proclaimed Warlock before, but I reckon if I did, I’d have to punch him fair in the nose for being a rolled gold dickhead.

  6. Backyard Lawyer says:

    @Dec
    there is no doubt that proving ‘intent’ is a basis for our laws. There are many laws however, where intent need not be proved.

    Surely you are not suggesting, are you, that since his intentions were pure, therefore, he had not technically broken the law, prima facie?

    If you are, I believe you would be incorrect, my good friend.

    While his so-called pure intentions might be a mitigating factor in his final sentencing, the purest of intentions are no defence at law, according to my reading of the Computer Crimes Act.

    Notwithstanding this, exactly how pure were his intentions? The story he’s published demonstrates clearly his intent to show how easy it was to crack into a publicly listed website. He then tells us that at some time later, he informed the owners of his deeds. You could safely assume from this that he had no prior permission to do this, just as a person “testing” the locks on your door and then entering your house has no prior permission. Whether they intended to do anything or not whilst inside your house is superfluous. It matters naught. The law is clear.

    I’m happy to stand corrected if you can show me where this defence of “intent” exists, but I am reasonably confident you cannot.
    :-)

  7. Declan Ingram says:

    @Backyard Lawyer

    Sorry I wasn’t clear – I’m not suggesting that at all. Just that things like your computer connecting to another can be different with intent.

    For example, Wifi – your neighbour has a new wifi network. It sends out a beacon and your computer connects to it automatically, sending you an IP with Gateway etc. Then their Mac finds you with Bonjour and starts offering you services, or they broadcast to you with SMB (network neighbourhood). All because you didn’t disable wifi before turning on your computer. It’s easy for these things to happen without intent – but if you notice your neighbour has wifi and you know it isn’t yours and you start to use it and you connect to their share drives etc.. on one level it’s the same.. but on others it clearly isn’t.

    And if anyone wants to pipe up and say if their wifi is not secured it is an invitation.. well let’s not go there sista.

  8. Missing Link says:

    Am I the only one not seeing a link to a certain hacking story?

  9. Drazen Drazic says:

    I didn’t post any links intentionally. If anyone is speculating, that’s their call. There’s enough of these types of stories over the years anyway and some that certainly do stand out in recent times. The gist of my post was not to out anyone into a public “trial” but rather look at the motivation/intent itself and question the legal knowledge (and understanding of the repercussions) of people undertaking this type of activity.

  10. Judge Judy says:

    @DD
    I agree with you on this, my good young man: Let’s not bother with the public trial.

    I find the defendant guilty as charged.

    Bailiff? Escort that Warlock idiot out of my Court!