Case Study

Resources:
Flawed USC admissions site allowed access to applicant data
Man charged with accessing USC student data
Reporting Vulnerabilities is for the Brave
Spot a Bug, Go to Jail
Black Hat Organizer Unbowed
sla.ckers.org
New Siemens SCADA Vulnerabilities Kept Secret

There is an ongoing debate about Responsible Disclosure. Is it ethical (or legal) to report a vulnerability in a computer system or website? If a “White Hat Hacker” reports a vulnerability to the owner of the website, he might get in trouble. Read “Breach case could curtail Web flaw finders” (or the alternate link; note that you must read all three linked pages–the alternate link has them all together) and answer the following questions:

1. Eric McCarty found a flaw in the USC website. What danger did this vulnerability pose, and to whom?
2. Was McCarty’s action malicious? Did it cause harm to USC?
3. Discovering the vulnerability was not itself illegal. What did McCarty do that was illegal? Why did he do it? Be specific.
4. A conviction in this case would likely discourage other security researchers from reporting security vulnerabilities to websites. How could this affect the security of the Web? Explain. (4 points)
http://www.securityfocus.com/news/11389/1
http://www.securityfocus.com/news/11239
http://www.securityfocus.com/brief/191
http://www.cerias.purdue.edu/site/blog/post/reporting-vulnerabilities-is-for-the-brave/
http://www.wired.com/news/columns/circuitcourt/1,70857-0.html
http://www.wired.com/news/technology/infostructure/1,69488-2.html
http://sla.ckers.org/forum/list.php?3
http://www.schneier.com/blog/archives/2011/05/new_siemens_sca.html
Breach case could curtail Web flaw finders
Robert Lemos, SecurityFocus 2006-04-26
Security researchers and legal experts have voiced concern this week over the prosecution of an information-technology professional for computer intrusion after he allegedly breached a university’s online application system while researching a flaw without the school’s permission.
“Keep (vulnerabilities) to yourself–being a good guy gets you prosecuted. I can say honestly that I am no longer interested in assisting anyone with their vulnerabilities.”
Eric McCarty, a security professional charged with computer intrusion
Last Thursday, the U.S. Attorney’s Office in the Central District of California leveled a single charge of computer intrusion against San Diego-based information-technology professional Eric McCarty, alleging that he used a Web exploit to illegally access an online application system for prospective students of the University of Southern California last June. The security issue–which could have allowed an attacker to manipulate a database of some 275,000 USC student and applicant records–was reported to SecurityFocus that same month. An article was published after the university was notified of the issue and fixed the vulnerable Web application.
The prosecution of the IT professional that found the flaw shows that security researchers have to be increasingly careful of the legal minefield they are entering when reporting vulnerabilities, said Lee Tien, senior staff attorney for the Electronic Frontier Foundation, a digital-rights advocacy group.
“I think the bottom line is that anybody that does disclosures of security vulnerabilities has to be very careful (so as to) not be accused of being a hacker,” Tien said. “The computer trespass laws are very, very tricky.”
The case comes as reports of data breaches against corporations and universities are on the rise and could make security researchers less likely to bring flaws to the attention of Web sites, experts told SecurityFocus.
This week, the University of Texas at Austin stated that a data thief attacking from an Internet address in the Far East likely copied 197,000 personal records, many containing Social Security numbers. In September, a Massachusetts teenager was sentenced to 11 months in a juvenile detention facility for hacking into telecommunications provider T-Mobile and data collection firm LexisNexis. And, in March, an unidentified hacker posted on the BusinessWeek Online Web site instructions on how to hack into the admissions site of top business schools using a flaw in the ApplyYourself admissions program.
Eric McCarty, reached on Friday at the cell phone number published in the affidavit provided by the FBI in the case, said security researchers should take note that Web sites would rather be insecure than have flaws pointed out.
“Keep them to yourself–being a good guy gets you prosecuted,” McCarty said during the interview. “I can say honestly that I am no longer interested in assisting anyone with their vulnerabilities.”
McCarty confirmed that he had contacted SecurityFocus in June, offered information about the means of contact as proof, and waived the initial agreement between himself and this reporter to not be named in subsequent articles.
When the FBI came knocking in August, McCarty had told them everything, believing he had nothing to hide, he said.
“The case is cut and dried,” McCarty said. “The logs are all there and I never attempted to hide or not disclose anything. I found the vulnerability, and I reported it to them (USC) to try to prevent identity theft.”
McCarty admitted he had accessed the database at the University of Southern California, but stressed that he had only copied a small number of records to prove the vulnerability existed. The FBI’s affidavit, which states that a file with seven records from the database was found on McCarty’s computer, does not claim that the IT professional attempted to use the personal records for any other purpose.
To other security researchers, the case underscores the asymmetric legal power of Web sites in confronting flaw finders: Because finding any vulnerability in a server online necessarily means that the researcher has exceeded authorization, the flaw finder has to rely on the mercy of the site when reporting, said HD Moore, a noted researcher and co-founder of the Metasploit Project.
“It is just a crappy situation in general right now,” Moore said. “You have to count on the good will of the people running the site. There are cases when there are vulnerable Web sites out there, but unless you have an anonymous Web browser and a way to hide your logs, there is no way to report a vulnerability safely.”
Moore points to McCarty’s case and the case of Daniel Cuthbert–who fell afoul of British law when he checked out the security of a charity Web site by attempting to access top-level directories on the Web server–as warnings to researchers to leave Web sites alone. In October, Cuthbert was convicted of breaking the Computer Misuse Act, fined £400, and ordered to pay £600 in restitution.
Other researchers should be ready to pay as well, Moore said. Anyone who affects the performance of a server on the Internet could find themselves in court, he said.
“Even if you look at the port scanning stuff–which is not technically illegal–if you knock down the server in the process of port scanning it, then you are liable for all the damages of it being down,” Moore said.
Such legal issues are one reason for not testing Web sites at all, said security researcher David Aitel, chief technology officer of security services firm Immunity.
“We don’t do research on Web sites,” Aitel said, adding that the increasing reliance of programs on communicating with other programs has made avoiding Web applications more difficult. “The more your applications are interconnected the more difficult it is to get permission to do vulnerability research.”
Moreover, such a legal landscape does not benefit the Internet companies, Aitel stressed. While companies may prefer to not know about a vulnerability rather than have it publicly reported, just because a vulnerability is not disclosed does not mean that the Web site is not threatened.
“If this is an SQL injection flaw that Eric McCarty can find by typing something into his Web browser then it is retarded to think that no one else could do that,” Aitel said.
The U.S. Attorney’s Office alleges that McCarty’s actions caused the university to shutter its system for ten days, resulting in $140,000 in damages. The university had provided investigators with an Internet address which had suspiciously accessed the application system multiple times in a single hour, according to the affidavit provided by the FBI in the case. The information allowed the FBI to execute a search warrant against McCarty, discover the names of his accounts on Google’s Gmail and subpoena those records from the Internet giant, the court document stated. Among the e-mails were messages sent from an account–“ihackedusc@gmail.com”–to SecurityFocus detailing the vulnerability, according to the affidavit.
The U.S. Attorney’s Office declined to comment for this article. A representative of the University of Southern California also declined to comment except to say that the school is cooperating with the investigation.
“It wasn’t that he could access the database and showed that it could be bypassed,” Michael Zweiback, an assistant U.S. Attorney for the U.S. Department of Justice’s cybercrime and intellectual property crimes section, said last week after his office announced the charge. “He went beyond that and gained additional information regarding the personal records of the applicant. If you do that, you are going to face–like he does–prosecution.”
The case has aspects similar to the prosecution of Adrian Lamo, dubbed the Homeless Hacker, for breaching systems at the New York Times. Lamo would frequently seek out vulnerabilities in online systems, exploit the vulnerabilities to gain proof of the flaws and then contact the company–and a reporter–to help close the security hole. In 2004, Lamo pleaded guilty to compromising the New York Times network, served six months under house arrest and had to pay $65,000 in restitution.
In the University of Southern California case, McCarty identified the vulnerability in the USC system when he decided to apply to the school and, before registering, used a common class of flaws known as structured query language (SQL) injection to test the site, he said during last week’s interview. Such attacks exploit a flaw in the code that processes user input on a Web site. In the USC case, special code could be entered into the username and password text boxes to retrieve applicants’ records, according to the FBI’s affidavit.
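The class of flaw described above, shown as an added illustration that is not code from the article or from the USC system: a login check that splices user input into SQL text, beside its parameterized form, run against a constructed in-memory applicant table (table layout, records and the tampered input are all assumptions for the demo).

```python
import sqlite3

# Constructed sample data standing in for an applicant-records table.
# Passwords are stored in clear text only to keep the query logic visible;
# a real system would store password hashes.
APPLICANTS = [
    ("alice", "s3cret", "Alice Example", "000-00-0001"),
    ("bob", "hunter2", "Bob Example", "000-00-0002"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants (username TEXT, password TEXT, name TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO applicants VALUES (?, ?, ?, ?)", APPLICANTS)
    return conn


def login_vulnerable(conn, username, password):
    # Builds the statement by string formatting, so whatever the user typed
    # into the form fields becomes part of the SQL text itself.
    sql = (
        "SELECT name, ssn FROM applicants WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn, username, password):
    # Parameterized query: the driver sends the values as data, never as SQL,
    # so quotes or keywords in the input cannot change the statement's logic.
    sql = "SELECT name, ssn FROM applicants WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    conn = make_db()
    # Constructed input containing a quote and an always-true condition; the
    # concatenating version turns it into SQL and returns every applicant.
    tamper = "' OR '1'='1"
    return {
        "vulnerable_rows": login_vulnerable(conn, tamper, tamper),
        "hardened_rows": login_hardened(conn, tamper, tamper),
        "good_login": login_hardened(conn, "alice", "s3cret"),
    }
```

A login lookup should never return more than one row; a check on the row count is a cheap detection for this class of bug even before the query construction is fixed.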
USC administrators initially claimed to SecurityFocus that an analysis of the system and log files indicated that only two database records could be retrieved using the SQL injection flaw. After additional records were provided to the administrators, the university acknowledged that the entire database was threatened by the flaw. The FBI’s affidavit contains the e-mail that McCarty allegedly sent to SecurityFocus with two additional records from the database.
The events outlined in the affidavit indicated that McCarty tried to act responsibly, said Jennifer Granick, a cybercrime attorney and executive director of the Stanford Law School’s Center for Internet and Society.
“Here is a guy who didn’t use the information, he notified the school–albeit through a third party–what was he supposed to do differently?” Granick said. “It’s a Catch-22 for the security researcher, because they have arguably broken a law in finding the flaw.”
The case does underscore that researchers will have to become more savvy about dealing with the legal aspects of their craft, said David Endler, director of security research for 3Com subsidiary TippingPoint.
“Finding a vulnerability in a Web site is a bit different than finding a vulnerability in a product,” Endler said. “You can do a lot of things to a product that won’t affect users. You shouldn’t poke around a Web site unless you have permission or have been hired to do it. … It’s just not worth it.”
As the creator of two vulnerability-buying programs, Endler is familiar with the contorted legal issues that can sometimes face vulnerability researchers. He believes that cases, such as McCarty’s prosecution, will likely lead to researchers either allying themselves with one of the flaw-bounty programs or declining to disclose any discoveries.
Already, the influence of corporate legal teams had reduced the significance of the vulnerability disclosure movement, Immunity’s Aitel said.
“The peak of disclosure has long passed us,” he said. “Who out there is really giving away bugs these days? The disclosure movement passed us by more than two years ago and people have gone underground with their bugs.”
And having fewer security researchers looking over the shoulders of Web site administrators and Internet software makers will only mean less pressure to fix vulnerabilities and weaker security for sites on the Internet, said the EFF’s Tien.
“There is an under-disclosure of vulnerabilities and weaknesses, and that is a bad thing for security, because the less people know about security problems, the less pressure is put on companies to improve security,” Tien said.
Author’s note: As described in the article, the FBI’s affidavit supporting the charge against Eric McCarty of computer intrusion alleges that he was the source for an article published on SecurityFocus by the author. The author did not cooperate with the FBI’s investigation nor was he asked to do so. In an interview conducted on Friday and in an e-mail exchange, McCarty provided proof that he was the author’s source and waived the condition of anonymity that he requested for the original article.