Ethical challenges in IT security

Hanno Böck, 2018

https://hboeck.de

@hanno

About myself

  • Journalist often covering IT security topics (Golem.de, Bulletproof TLS Newsletter, ...)
  • Hacker and freelance IT security specialist

I often discover security issues and later write about them

Disclaimer: IANAL

You won't get legal advice from me

My ethical framework

White Hat Hacker

What does White Hat mean?

  • I try to make things more secure
  • I don't use vulnerabilities to harm affected parties
  • I try to inform people about vulnerabilities before making them public

This isn't necessarily obvious

Many IT security professionals engage in different ways

(There's an active Zero Day market)

Many people in law enforcement circles think it's legitimate to keep vulnerabilities secret, even though it harms overall security

I'm not always nice

While I won't use vulnerabilities to attack people technically, I do make vulnerabilities public, and people who are sloppy with their security won't necessarily like that

I practice responsible disclosure

Responsible disclosure means notifying the party responsible for a security vulnerability before making it public, and giving them a reasonable amount of time to fix it

Responsible disclosure does not mean waiting for an undefined amount of time until the vendor is "ready"

Sometimes you'll end up in ethically challenging situations

Let's look at some examples

<script type="text/javascript" src="https://example.org/fancy.js"></script>

What if the service from which you include Javascript ceases to operate?

Scan web pages, check if domains from src references resolve

piwiklionshare

Nonexisting Azure subdomain

Azure free account

Code included by dozens of web pages, mostly local US newspapers

Vast majority on two IP addresses by same company, contacted their abuse department

No answer, but code was removed within days

Biggest user of that script: Saline Courier

Tried to contact them via mail, no answer, code remained
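The scan described above, as an added example (this is not the talk's own tooling): pull every external <script src> host out of a page and flag the ones that no longer resolve. A host that returns NXDOMAIN is exactly the situation in the story, since whoever registers the name (or recreates the cloud subdomain it pointed at) gets to serve JavaScript to every page still embedding it. The sample HTML, the page URL and the stub resolver are constructed for the demonstration; live use simply omits the resolves argument and lets socket.getaddrinfo decide.

```python
"""Find <script src="..."> references whose host no longer resolves.

Added example, not code from the talk. A non-resolving third-party script
host is a takeover candidate: register the name and you control the script.
"""
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def external_script_hosts(html, page_url):
    """Hostnames the page loads scripts from, excluding the page's own host.

    Relative src values ("/local.js", "js/app.js") have no hostname and are
    skipped; absolute and protocol-relative ("//cdn.example/x.js") ones count.
    """
    parser = _ScriptSrcParser()
    parser.feed(html)
    own_host = urlparse(page_url).hostname
    hosts = set()
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host != own_host:
            hosts.add(host.lower())
    return hosts


def host_resolves(host):
    """True if DNS returns at least one address for the name.

    False on NXDOMAIN or any other resolver failure; a transient failure is
    therefore a false positive worth re-checking before acting on it.
    """
    try:
        socket.getaddrinfo(host, None)
        return True
    except (socket.gaierror, UnicodeError):
        return False


def dangling_script_hosts(html, page_url, resolves=host_resolves):
    """Sorted list of script hosts that fail to resolve.

    `resolves` is injectable so the check can run offline (and in tests)
    without touching the network.
    """
    return sorted(h for h in external_script_hosts(html, page_url) if not resolves(h))


# Constructed sample input: a page on a fictional newspaper site that embeds
# scripts from two third-party hosts plus one same-origin script.
SAMPLE_PAGE_URL = "https://news.example.com/index.html"
SAMPLE_HTML = """
<html><head>
<script type="text/javascript" src="https://example.org/fancy.js"></script>
<script src="//gone.example.net/stats.js"></script>
<script src="/js/local.js"></script>
</head><body>...</body></html>
"""

# Constructed stand-in for DNS: pretend only this host has disappeared.
DEAD_HOSTS = {"gone.example.net"}


def sample_resolver(host):
    return host not in DEAD_HOSTS


if __name__ == "__main__":
    # Offline demonstration with the stub resolver; drop the argument for a live check.
    for host in dangling_script_hosts(SAMPLE_HTML, SAMPLE_PAGE_URL, resolves=sample_resolver):
        print(f"{SAMPLE_PAGE_URL} loads a script from non-resolving host {host}")
```

This catches the plain NXDOMAIN case only. A related case the check misses is a name that still resolves but is a CNAME to a cloud resource nobody owns any more; for that you would follow the CNAME chain and check whether the target can be claimed.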

What options do I have?

Do nothing?

  • The free Azure test account would expire eventually and I'd lose the subdomain
  • It's likely that someone with bad intentions would grab it (particularly as I was planning to write and talk about this kind of issue)
Risk of malware delivered on the newspaper's web page.

Keep the subdomain for an unlimited time?

Unclear costs, unlimited responsibility for the security of someone who doesn't even want to talk to me

Did I have other options to communicate with them?

They load Javascript from my subdomain

Saline Courier

It took them some time, but eventually they removed the Javascript reference.

Outcome: A security vulnerability was fixed.

Even after this they never contacted me

Was this the right thing to do?

Given the circumstances I think Yes.

The alternative would probably have been that someone else attacked them, likely with malicious intent.

Next example: Databases

https://umziehen.de/dump.sql

Database with 200,000 addresses from an address change service of the German postal service (Deutsche Post)

What happened here?

Backup of MySQL database is stored on web root with an easily guessable name, everyone can download it

Why dump.sql?

Official MySQL documentation

Challenge: There were so many

I scanned the Alexa Top 1 Million list and found thousands of affected sites
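The kind of check such a scan needs, as an added example (not the talk's own scanner): request a handful of guessable dump names under the web root and decide by inspecting the first few kilobytes of the body, not by the HTTP status alone. Many hosts answer 200 with an HTML error page for any path, so a status-only scan over a million sites drowns in false positives. The dump names, the fictional host and the canned responses are constructed for the demonstration; the only file name taken from the talk is dump.sql.

```python
"""Check a web root for a publicly downloadable SQL dump.

Added example, not code from the talk. Fetches at most a few KB per
candidate and keeps none of it, which also means the scanner never ends up
holding a copy of the leaked data.
"""
import urllib.request
from urllib.error import HTTPError, URLError

# Guessed file names (assumption); the talk only mentions dump.sql.
DUMP_NAMES = ("dump.sql", "backup.sql", "db.sql", "database.sql")
HEAD_BYTES = 4096


def looks_like_sql_dump(head):
    """Heuristic on the first bytes of a response body.

    mysqldump output starts with a '-- MySQL dump ...' comment header and
    pg_dump with '-- PostgreSQL database dump'; raw DDL/DML also counts.
    Anything that opens like HTML, XML or JSON is an error page, not a dump.
    """
    text = head[:HEAD_BYTES].decode("utf-8", "replace").lstrip().lower()
    if text.startswith(("<!doctype", "<html", "<?xml", "{", "[")):
        return False
    markers = (
        "-- mysql dump",
        "-- mysqldump",
        "-- postgresql database dump",
        "create table",
        "drop table if exists",
        "insert into",
    )
    return any(m in text for m in markers)


def fetch_head(url, size=HEAD_BYTES, timeout=10):
    """Live fetch: return (status, first `size` bytes) or None if unreachable.

    A Range header asks for the head only; servers that ignore it still send
    the full file, so read() is capped regardless.
    """
    req = urllib.request.Request(
        url,
        headers={"Range": f"bytes=0-{size - 1}", "User-Agent": "dump-check-example/0.1"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(size)
    except HTTPError as e:
        return e.code, b""
    except (URLError, OSError, ValueError):
        return None


def find_exposed_dumps(base_url, fetch=fetch_head, names=DUMP_NAMES):
    """URLs under base_url that answer with something that looks like a dump.

    `fetch` is injectable so the logic can run offline against canned data.
    """
    found = []
    for name in names:
        url = base_url.rstrip("/") + "/" + name
        result = fetch(url)
        if result is None:
            continue
        status, head = result
        if status in (200, 206) and looks_like_sql_dump(head):
            found.append(url)
    return found


# Constructed responses for a fictional host: one real dump header, one
# soft-404 (HTML with status 200), one genuine 404, one HTML page.
SAMPLE_BASE = "https://shop.example.com"
SAMPLE_RESPONSES = {
    SAMPLE_BASE + "/dump.sql": (200, b"-- MySQL dump 10.13  Distrib 5.7.22, for Linux (x86_64)\n--\n-- Host: localhost    Database: shop\n"),
    SAMPLE_BASE + "/backup.sql": (200, b"<!DOCTYPE html>\n<html><head><title>Page not found</title></head></html>"),
    SAMPLE_BASE + "/db.sql": (404, b""),
    SAMPLE_BASE + "/database.sql": (200, b"<html><body>Nothing here, not even a CREATE TABLE</body></html>"),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url)


if __name__ == "__main__":
    # Offline demonstration; pass no `fetch` argument to check a real host.
    for url in find_exposed_dumps(SAMPLE_BASE, fetch=sample_fetch):
        print("exposed dump:", url)
```

The cap on bytes read is deliberate: confirming the finding needs the header, not the contents, and a scanner that stops there never accumulates the personal data it is reporting.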

How do you do responsible disclosure for thousands of sites?

Automate

Use abuse contacts to reach out to affected sites

Surprisingly many web hosts have abuse contacts that don't work (emails bounce)

Some will just ignore abuse mails

Some will ask you to jump through additional hoops to contact them, e.g. fill out a special form

Contact via national CERTs

Very mixed results: Some care, others don't

Manually contacting the most severe cases

In the case of the database leak I tried to make sure I contacted all hosts with gigabyte-sized databases manually

Yet some of them are still online

(This was in 2017)

When you have vulnerabilities in thousands of targets there will be targets left vulnerable once you disclose

I have an undisclosed similar case right now, around 1/4th fixed and I don't expect it to get much better

Challenge 2: What to do with the data?

For some severe cases I did a brief check what kind of data there is

In the case of the postal service I counted the number of affected datasets

I deleted all data before I made the incident public, in case anyone asks me about the data I can truthfully say "I don't have it"

Password Breaches

Password reuse is a major and underappreciated problem

Password reuse

  • User uses the same password for Facebook as for Linkedin
  • Linkedin data breach 2016, data is available
  • By trying Linkedin credentials on Facebook an attacker can take over the account

haveibeenpwned.com

This guy knows your Myspace password

But he won't give it to anyone else and he's generally trying to do the right thing

Are you okay with that?

NIST Digital Identity Guidelines (SP 800-63B)

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
Passwords obtained from previous breach corpuses.

NIST says you should use data from password breaches

(And I think they're right)

Troy Hunt, the guy who knows your Myspace password, provides a list of hashes of breached passwords. If you run a service with user accounts and passwords use it!

Pwned Passwords
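The check NIST asks for, done against the Pwned Passwords list, as an added example (this is neither Troy Hunt's code nor the talk's). It uses the range API at https://api.pwnedpasswords.com/range/ with the k-anonymity scheme: only the first five hex characters of the password's SHA-1 leave your server, the service returns every known hash suffix sharing that prefix, and the match is made locally. The canned range response and its count are constructed for the demonstration; the minimum length of 8 is an assumption in the spirit of SP 800-63B, not a value quoted on the page.

```python
"""Verifier-side breached-password check against Pwned Passwords.

Added example, not code from the talk or from the service's author.
Implements the SP 800-63B requirement to compare a prospective memorized
secret against values known to be compromised, without disclosing the
secret (or its full hash) to the lookup service.
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"
MIN_LENGTH = 8  # assumption: a reasonable verifier floor, not from the page


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix, timeout=10):
    """Live lookup: body is one 'SUFFIX:COUNT' per line for that prefix."""
    req = urllib.request.Request(
        RANGE_API + prefix, headers={"User-Agent": "pwned-check-example/0.1"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """How often the password appears in the corpus (0 if never).

    `fetch` is injectable so the logic runs offline in tests. A count of 0
    in the response (the API pads ranges with such entries when asked) is
    treated the same as no match.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def is_acceptable(password, fetch=fetch_range, min_length=MIN_LENGTH):
    """Verifier decision for a new or changed memorized secret."""
    if len(password) < min_length:
        return False
    return breach_count(password, fetch) == 0


# Constructed range response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The suffix of "password" is real; the counts are made up for the example.
SAMPLE_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:4\r\n"
    )
}


def sample_fetch(prefix):
    """Offline stand-in for the API: empty body for prefixes we have no data for."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    # Offline demonstration; omit `fetch=` to query the real service.
    for pw in ("password", "correct horse battery staple", "short"):
        print(f"{pw!r}: breaches={breach_count(pw, fetch=sample_fetch)} "
              f"acceptable={is_acceptable(pw, fetch=sample_fetch)}")
```

Do the lookup at registration and password change, as the NIST text says, and fail closed on a network error only if you are prepared for the resulting lockouts; many deployments instead log the failure and allow the change so that an API outage does not block users.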

Let's get into ethically even more murky territory

Would it be okay to download all the breaches you can find on the Internet and use it as a Pentesting company? Or for Bug Bounty hunting?

SEC-T 0x0A: F1nux - The problem with other people’s tables

It's not just companies like Myspace or Linkedin that are getting breached

2017 databases from Freedom Hosting II were leaked

Freedom Hosting II was a Dark Net web hoster

Their favorite customers: Web pages for child sexual abuse content

Would you want to have the Freedom Hosting II data on your hard disk?

Let's talk about the Internet of Things

The Internet of Things means a large number of companies that have no background in software are now software companies

In many IoT devices there's literally no security

Mirai Botnet

In 2016 Mirai was used for a DDoS attack against the web page of the journalist Brian Krebs

He had to take down his web page because his sponsor, Akamai, said they couldn't handle it any more

The masses of insecure IoT devices have created a situation where you can hire a service that will take down someone's web page

In other words: IoT threatens freedom of press and freedom of speech

What can be done about this?

Better protection?

The only protection against DDoS is to have more infrastructure: more servers and better Internet connectivity than your attackers combined

There are very few companies that can handle such attacks, we don't want freedom of speech to depend on their goodwill

Vendors?

They don't care and there's almost no business case for better security

Users?

They usually are not even aware of the problem

Politics / Regulation?

This is probably the right way to handle this, but things are moving very slowly

California has created a law forbidding default passwords, but that's pretty much the only example of meaningful political action on this topic

BrickerBot

BrickerBot was trying to compromise trivially hackable IoT devices and destroy them

This is almost certainly illegal and I wouldn't do it

But I have a hard time condemning actions like BrickerBot

We're in a situation where basic rights (freedom of press/speech) are under threat by an irresponsible industry with little hope for any meaningful improvement

Summary

If you know about IT security issues act responsibly and try to do the right thing

It may not always be easy to know what the right thing is