[Infowarrior] - Breach case could curtail Web flaw finders

[Richard Forno]

 Breach case could curtail Web flaw finders
Robert Lemos, SecurityFocus 2006-04-26
http://www.securityfocus.com/print/news/11389

Security researchers and legal experts have voiced concern this week over
the prosecution of an information-technology professional for computer
intrusion after he allegedly breached a university's online application
system while researching a flaw without the school's permission.

Last Thursday, the U.S. Attorney's Office in the Central District of
California leveled a single charge of computer intrusion against San
Diego-based information-technology professional Eric McCarty, alleging that
he used a Web exploit to illegally access an online application system for
prospective students of the University of Southern California last June. The
security issue--which could have allowed an attacker to manipulate a
database of some 275,000 USC student and applicant records--was reported to
SecurityFocus that same month. An article was published after the university
was notified of the issue and fixed the vulnerable Web application.

The prosecution of the IT professional that found the flaw shows that
security researchers have to be increasingly careful of the legal minefield
they are entering when reporting vulnerabilities, said Lee Tien, senior
staff attorney for the Electronic Frontier Foundation, a digital-rights
advocacy group.

"I think the bottom line is that anybody that does disclosures of security
vulnerabilities has to be very careful (so as to) not be accused of being a
hacker," Tien said. "The computer trespass laws are very, very tricky."

The case comes as reports of data breaches against corporations and
universities are on the rise and could make security researchers less likely
to bring flaws to the attention of Web sites, experts told SecurityFocus.

This week, the University of Texas at Austin stated that a data thief
attacking from an Internet address in the Far East likely copied 197,000
personal records, many containing social security numbers. In September, a
Massachusetts teenager was sentenced to 11 months in a juvenile detention
facility for hacking into telecommunications provider T-mobile and data
collection firm Lexis-Nexis. And, in March, an unidentified hacker posted on
the Business Week Online Web site instructions on how to hack into the
admissions site of top business schools using a flaw in the ApplyYourself
admissions program.

Eric McCarty, reached on Friday at the cell phone number published in the
affidavit provided by the FBI in the case, said security researchers should
take note that Web sites would rather be insecure than have flaws pointed
out.

"Keep them to yourself--being a good guy gets you prosecuted," McCarty said
during the interview. "I can say honestly that I am no longer interested in
assisting anyone with their vulnerabilities."

McCarty confirmed that he had contacted SecurityFocus in June, offered
information about the means of contact as proof, and waived the initial
agreement between himself and this reporter to not be named in subsequent
articles.

When the FBI came knocking in August, McCarty had told them everything,
believing he had nothing to hide, he said.

"The case is cut and dried," McCarty said. "The logs are all there and I
never attempted to hide or not disclose anything. I found the vulnerability,
and I reported it to them (USC) to try to prevent identity theft."

McCarty admitted he had accessed the database at the University of Southern
California, but stressed that he had only copied a small number of records
to prove the vulnerability existed. The FBI's affidavit, which states that a
file with seven records from the database was found on McCarty's computer,
does not claim that the IT professional attempted to use the personal
records for any other purpose.

To other security researchers, the case underscores the asymmetric legal
power of Web sites in confronting flaw finders: Because finding any
vulnerability in a server online necessarily means that the researcher had
exceeded authorization, the flaw finder has to rely on the mercy of the site
when reporting, said HD Moore, a noted researcher and co-founder of the
Metasploit Project.

"It is just a crappy situation in general right now," Moore said. "You have
to count on the good will of the people running the site. There are cases
when there are vulnerable Web sites out there, but unless you have an
anonymous Web browser and a way to hide your logs, there is no way to report
a vulnerability safely."

Moore points to McCarty's case and the case of Daniel Cuthbert--who fell
afoul of British law when he checked out the security of a charity Web site
by attempting to access top-level directories on the Web server--as warnings
to researchers to leave Web sites alone. In October, Cuthbert was convicted
of breaking the Computer Misuse Act, fined £400, and ordered to pay £600 in
restitution.

Other researchers should be ready to pay as well, Moore said. Anyone who
affects the performance of a server on the Internet could find themselves in
court, he said.

"Even if you look at the port scanning stuff--which is not technically
illegal--if you knock down the server in the process of port scanning it,
then you are liable for all the damages of it being down," Moore said.

Such legal issues are one reason for not testing Web sites at all, said
security researcher David Aitel, chief technology officer of security
services firm Immunity.

"We don't do research on Web sites," Aitel said, adding that the increasing
reliance of programs on communicating with other programs has made avoiding
Web applications more difficult. "The more your applications are
interconnected the more difficult it is to get permission to do
vulnerability research."

Moreover, such a legal landscape does not benefit the Internet companies,
Aitel stressed. While companies may prefer to not know about a vulnerability
rather than have it publicly reported, just because a vulnerability is not
disclosed does not mean that the Web site is not threatened.

"If this is an SQL injection flaw that Eric McCarty can find by typing
something into his Web browser then it is retarded to think that no one else
could do that," Aitel said.

The U.S. Attorney's Office alleges that McCarty's actions caused the
university to shutter its system for ten days, resulting in $140,000 in
damages. The university had provided investigators with an Internet address
which had suspiciously accessed the application system multiple times in a
single hour, according to the affidavit provided by the FBI in the case. The
information allowed the FBI to execute a search warrant against McCarty,
discover the names of his accounts on Google's Gmail and subpoena those
records from the Internet giant, the court document stated. Among the
e-mails were messages sent from an account--"ihackedusc at gmail.com"--to
SecurityFocus detailing the vulnerability, according to the affidavit.

The U.S. Attorney's Office declined to comment for this article. A
representative of the University of Southern California also declined to
comment except to say that the school is cooperating with the investigation.

"It wasn't that he could access the database and showed that it could be
bypassed," Michael Zweiback, an assistant U.S. Attorney for the U.S.
Department of Justice's cybercrime and intellectual property crimes section,
said last week after his office announced the charge. "He went beyond that
and gained additional information regarding the personal records of the
applicant. If you do that, you are going to face--like he
does--prosecution."

The case has aspects similar to the prosecution of Adrian Lamo, dubbed the
Homeless Hacker, for breaching systems at the New York Times. Lamo would
frequently seek out vulnerabilities in online systems, exploit the
vulnerabilities to gain proof of the flaws and then contact the company--and
a reporter--to help close the security hole. In 2004, Lamo plead guilty to
compromising the New York Times network and served six months under house
arrest and had to pay $65,000 in restitution.

In the University of Southern California case, McCarty identified the
vulnerability in the USC system when he decided to apply to the school and,
before registering, used a common class of flaws known as structured query
language (SQL) injection to test the site, he said during last week's
interview. Such attacks exploit a flaw in the code that processes user input
on a Web site. In the USC case, special code could be entered into the
username and password text boxes to retrieve applicants' records, according
to the FBI's affidavit.

USC administrators initially claimed to SecurityFocus that an analysis of
the system and log files indicated that only two database records could be
retrieved using the SQL injection flaw. After additional records were
provided to the administrators, the university acknowledged that the entire
database was threatened by the flaw. The FBI's affidavit contains the e-mail
that McCarty allegedly sent to SecurityFocus with two additional records
from the database.

The events outlined in the affidavit indicated that McCarty tried to act
responsibly, said Jennifer Granick, a cybercrime attorney and executive
director of the Stanford Law School's Center for Internet and Society.

"Here is a guy who didn't use the information, he notified the
school--albeit through a third party--what was he supposed to do
differently?" Granick said. "It's a Catch-22 for the security researcher,
because they have arguably broken a law in finding the flaw."

The case does underscore that researchers will have to become more savvy
about dealing with the legal aspects of their craft, said David Endler,
director of security research for 3Com subsidiary TippingPoint.

"Finding a vulnerability in a Web site is a bit different than finding a
vulnerability in a product," Endler said. "You can do a lot of things to a
product that won't affect users. You shouldn't poke around a Web site unless
you have permission or have been hired to do it. ... It's just not worth
it."

As the creator of two vulnerability-buying programs, Endler is familiar with
the contorted legal issues that can sometimes face vulnerability
researchers. He believes that cases, such as McCarty's prosecution, will
likely lead to researchers either allying themselves with one of the
flaw-bounty programs or declining to disclose any discoveries.

Already, the influence of corporate legal teams had reduced the significance
of the vulnerability disclosure movement, Immunity's Aitel said.

"The peak of disclosure has long past us," he said. "Who out there is really
giving away bugs these days? The disclosure movement passed us by more than
two years ago and people have gone underground with their bugs."

And having fewer security researchers looking over the shoulders of Web site
administrators and Internet software makers will only mean less pressure to
fix vulnerabilities and weaker security for sites on the Internet, said the
EFF's Tien.

"There is an under-disclosure of vulnerabilities and weaknesses, and that is
bad thing for security, because the less people know about security
problems, the less pressure is put on companies to improve security," Tien
said.

Author's note: As described in the article, the FBI's affidavit supporting
the charge against Eric McCarty of computer intrusion alleges that he was
the source for an article published on SecurityFocus by the author. The
author did not cooperate with the FBI's investigation nor was he asked to do
so. In an interview conducted on Friday and in an e-mail exchange, McCarty
provided proof that he was the author's source and waived the condition of
anonymity that he requested for the original article.