[Infowarrior] - Group: Anti-hacking laws can hobble Net security

Richard Forno rforno at infowarrior.org
Sat Jun 16 02:20:50 UTC 2007


 Group: Anti-hacking laws can hobble Net security
Robert Lemos, SecurityFocus 2007-06-15
http://www.securityfocus.com/print/news/11470

Jeremiah Grossman has long stopped looking for vulnerabilities in specific
Web sites, and even if he suspects a site to have a critical flaw that could
be exploited by an attacker, he's decided to keep quiet.

The silence weighs heavily on the Web security researcher. While ideally he
would like to find flaws, and help companies eliminate them, the act of
discovering a vulnerability in any site on the Internet almost always
entails gaining unauthorized access to someone else's server -- a crime that
prosecutors have been all too willing to pursue.

"I have long since curtailed my research," said Grossman, who serves as the
chief technology officer for Web site security firm WhiteHat Security. "Any
Web security researcher that has been around long enough will notice
vulnerabilities without doing anything. When that happens, I don't tell
anyone, rather than risk reputational damage to myself and my company."

Grossman's fears underscore the fact that security researchers who find
flaws in Web sites are crossing a line and trespassing on systems that do
not belong to them. However, applying the law to good Samaritans interested
in eliminating possible online risks only undermines the security of the
Internet, a working group of researchers, digital-rights advocates and
federal law enforcement officials concluded this week.

"I think that if you look at the software security world, there have been
many, many cases of someone knowing about a vulnerability before you do and
using it out in the wild," said Sara Peters, editor for the Computer
Security Institute. "There is no way to say that these same things are not
happening in the Web world. Assuming that nothing is going wrong, because
you haven't heard about it is a very myopic and callow way of looking at
it."

Dubbed the Working Group on Web Security Research Law, the panel of experts
has started to study whether researchers have any ability to play the good
Samaritan and find security flaws in Web sites without risking prosecution.
The group met at the Computer Security Institute's NetSec on Monday and
released an initial report that raises more questions about the status of
Web vulnerability research than provides answers to concerned bug hunters.

While security researchers have been able to test computer software and
disclose details about any flaws found, the working group concluded that
there is no way to test a Web server without prior authorization and not run
the risk of being prosecuted. Software security researchers are free to
disclose flaws fully or take part in a process that allows the vendor to
plug the holes, while Web researchers that disclose vulnerabilities in a way
that angers the Web site owner could easily be reported to law enforcement.

"The way it is right now, if you find a vulnerability and the site owner
finds out about it, you can be held culpable for anything that happens after
that," Peters said. "Perhaps, that is a bit of hyperbole, but not much.
There is no culpability for the Web site owner."

The working group's report, available from the Computer Security Institute
(registration required), includes four case studies, among them that of Eric
McCarty.

In June 2005, McCarty, a prospective student at the University of Southern
California, found a flaw in the school's online application system and
notified SecurityFocus of the issue. SecurityFocus contacted the school at
the request of McCarty and relayed the information to USC, which initially
denied the seriousness of the issue but eventually acknowledged the
vulnerability after McCarty produced four records that he had copied from
the database. In April 2006, federal prosecutors leveled a single charge of
computer intrusion against McCarty, who accepted the charge last September.

As part of its policy, SecurityFocus did not publish an article on the issue
until USC had secured its database.

While CSI's Peters believes that good Samaritans should be given some
leeway, a few of the comments found on McCarty's computer by the FBI -- and
repeated in court documents -- suggested that vengeance was a motive. For
that reason, Peters suggests that security researchers who decide to look
for vulnerabilities in Web sites use discretion in dealing with site owners.

"You can't let anyone run wild and hack into Web sites indiscriminately,"
Peters said. "If you publicly disclose a vulnerability in a Web site you are
pointing a big red arrow at a single site, so there needs to be some
discretion."

The working group also concluded that the Web is becoming increasingly
complex as more sites share information and increase interactivity,
characteristics of what is referred to as Web 2.0. Earlier this year,
security researchers warned that Asynchronous JavaScript and XML (AJAX), a
technology that many sites use to add Web 2.0 features, brings additional
risks to the table for security researchers and vulnerability analysts.

"AJAX is not necessarily adding more vulnerabilities to the landscape, it is
making it more difficult for the scanner vendors to find the
vulnerabilities," said WhiteHat Security's Grossman, who is also a member of
the working group. "The sites still have vulnerabilities, but they are
harder to find."

Independent researchers finding vulnerabilities in Web sites could put
pressure on site owners to secure their part of the Internet. However, the
working group could not agree on whether the law should be changed to allow
for good Samaritans.

That likely leaves liability as the best stick, said Grossman, who said Web
site owners should be held liable to some extent for any consumer data lost
due to a vulnerability in their site.

"I think the motivation has to be monetary," he said. "Right now, the Web site
owners are the ones that have to pay for the security, but the consumer is
the one bearing all the costs of failure."

Such an equation, he said, is unlikely to add up to better security.
