Feeds

Breach case could curtail web flaw finders

Being a good guy gets you prosecuted

Securing Web Applications Made Simple and Scalable

To other security researchers, the case underscores the asymmetric legal power of websites in confronting flaw finders: Because finding any vulnerability in a server online necessarily means that the researcher had exceeded authorisation, the flaw finder has to rely on the mercy of the site when reporting, said HD Moore, a noted researcher and co-founder of the Metasploit Project.

"It is just a crappy situation in general right now," Moore said. "You have to count on the goodwill of the people running the site. There are cases when there are vulnerable websites out there, but unless you have an anonymous web browser and a way to hide your logs, there is no way to report a vulnerability safely."

Moore points to McCarty's case and the case of Daniel Cuthbert - who fell afoul of British law when he checked out the security of a charity website by attempting to access top-level directories on the web server - as warnings to researchers to leave websites alone. In October, Cuthbert was convicted of breaking the Computer Misuse Act, fined £400, and ordered to pay £600 in restitution.

Other researchers should be ready to pay as well, Moore said. Anyone who affects the performance of a server on the internet could find themselves in court, he said.

"Even if you look at the port scanning stuff - which is not technically illegal - if you knock down the server in the process of port scanning it, then you are liable for all the damages of it being down," Moore said.

Such legal issues are one reason for not testing websites at all, said security researcher David Aitel, chief technology officer of security services firm Immunity.

"We don't do research on websites," Aitel said, adding that the increasing reliance of programs on communicating with other programs has made avoiding web applications more difficult. "The more your applications are interconnected the more difficult it is to get permission to do vulnerability research."

Moreover, such a legal landscape does not benefit the internet companies, Aitel stressed. While companies may prefer to not know about a vulnerability rather than have it publicly reported, just because a vulnerability is not disclosed does not mean that the website is not threatened.

"If this is an SQL injection flaw that Eric McCarty can find by typing something into his web browser then it is retarded to think that no one else could do that," Aitel said.

The US Attorney's Office alleges that McCarty's actions caused the university to shutter its system for 10 days, resulting in $140,000 in damages. The university had provided investigators with an internet address which had suspiciously accessed the application system multiple times in a single hour, according to the affidavit provided by the FBI in the case. The information allowed the FBI to execute a search warrant against McCarty, discover the names of his accounts on Google's Gmail and subpoena those records from the internet giant, the court document stated. Among the emails were messages sent from an account - "ihackedusc@gmail.com" - -to SecurityFocus detailing the vulnerability, according to the affidavit.

The US Attorney's Office declined to comment for this article. A representative of the University of Southern California also declined to comment except to say that the school is cooperating with the investigation.

"It wasn't that he could access the database and showed that it could be bypassed," Michael Zweiback, an assistant US Attorney for the US Department of Justice's cybercrime and intellectual property crimes section, said last week after his office announced the charge. "He went beyond that and gained additional information regarding the personal records of the applicant. If you do that, you are going to face - like he does - prosecution."

Mobile application security vulnerability report

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you on YouPorn lately, perhaps? White House website?
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.