Feeds

Microsoft: Finding flaws on our website is OK

'Hate the vuln, love the finder'

Protecting against web application threats using SSL

ToorCon In a first for a major company, Microsoft has publicly pledged not to sue or press charges against ethical hackers who responsibly find security flaws in its online services.

The promise, extended Saturday at the ToorCon security conference in Seattle, is a bold and significant move. While researchers are generally free to attack legally acquired software running on their own hardware, they can face severe penalties for probing websites that run on servers belonging to others. In some cases, organizations have pursued legal action against researchers who did nothing more than discover and responsibly report serious online vulnerabilities.

"This is actually really important because online services - that's our stuff," Microsoft security strategist Katie Moussouris told several hundred researchers. "The philosophy here is if someone is being nice enough to point out your fly is down, they're really doing you a favor and you should thank them rather than calling the cops and saying you're a pervert."

Moussouris said she is pushing to get a provision added to a proposed standard that's making its way through the International Organization for Standardization that would protect ethical hackers who responsibly disclose vulnerabilities in other companies' websites. "If I get my way, it'll be in there," she said.

(In a brief exchange after her talk, Moussouris told us she didn't know offhand exactly how the proposed standard was designated. We're guessing it's this one, though we can't be sure.)

The idea is to make websites safer by taking advantage of the legions of independent researchers who stumble upon security bugs. As she put it: "Don't hate the finder, hate the vulnerability. We don't actually want to discourage people who are trying to help us by being iffy about whether we're going to go after them."

As things stand, researchers frequently turn a blind eye to gaping security holes on websites for fear of suffering a fate similar to that of Eric McCarty. The prospective student at the University of Southern California found a flaw in the school's online application system that gave him access to other applicants' records. In 2006, he was charged with computer intrusion after producing proof of his finding.

"There's definitely a lot of trepidation among legitimate researchers to find flaws in public-facing web applications because you never know how [companies] are going to react," said Alex Stamos, a founding partner at iSEC Partners, a firm that provides penetration-testing services. "That hurts us because the only people finding these flaws are the bad guys."

Moussouris's remarks came as she gave a progress report on Microsoft's efforts to be more responsive to security researchers. One new initiative is a two-day course called Defend the Flag, a modified version of Capture the Flag, for its IT employees who are new to security. Microsoft is also offering assistance to companies grappling with their own security issues and giving a heads-up when it learns of vulnerabilities affecting third-party vendors.

Microsoft's security team has also worked hard to strike a balance between releasing security patches quickly and making sure the updates don't break products that customers rely on.

"We are a huge target, obviously," Moussouris said. "Some of you love that about us. We basically face a lot of issues that a lot of vendors haven't had to deal with. Not many vendors out there can break the [internet] if they mess up their patches." ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.