Breach case could curtail web flaw finders
Being a good guy gets you prosecuted
Security researchers and legal experts have voiced concern this week over the prosecution of an information technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission.
Last Thursday, the US Attorney's Office in the Central District of California leveled a single charge of computer intrusion against San Diego-based information technology professional Eric McCarty, alleging that he used a web exploit to illegally access an online application system for prospective students of the University of Southern California last June. The security issue, which could have allowed an attacker to manipulate a database of some 275,000 USC student and applicant records, was reported to SecurityFocus that same month. An article was published after the university was notified of the issue and fixed the vulnerable web application.
The prosecution of the IT professional that found the flaw shows that security researchers have to be increasingly careful of the legal minefield they are entering when reporting vulnerabilities, said Lee Tien, senior staff attorney for the Electronic Frontier Foundation, a digital-rights advocacy group.
"I think the bottom line is that anybody that does disclosures of security vulnerabilities has to be very careful (so as to) not be accused of being a hacker," Tien said. "The computer trespass laws are very, very tricky."
The case comes as reports of data breaches against corporations and universities are on the rise and could make security researchers less likely to bring flaws to the attention of websites, experts told SecurityFocus.
This week, the University of Texas at Austin stated that a data thief attacking from an internet address in the Far East likely copied 197,000 personal records, many containing social security numbers. In September, a Massachusetts teenager was sentenced to 11 months in a juvenile detention facility for hacking into telecommunications provider T-mobile and data collection firm Lexis-Nexis. And, in March, an unidentified hacker posted on the Business Week Online website instructions on how to hack into the admissions site of top business schools using a flaw in the ApplyYourself admissions program.
Eric McCarty, reached on Friday at the cell phone number published in the affidavit provided by the FBI in the case, said security researchers should take note that websites would rather be insecure than have flaws pointed out.
"Keep them to yourself - being a good guy gets you prosecuted," McCarty said during the interview. "I can say honestly that I am no longer interested in assisting anyone with their vulnerabilities."
McCarty confirmed that he had contacted SecurityFocus in June, offered information about the means of contact as proof, and waived the initial agreement between himself and this reporter to not be named in subsequent articles.
When the FBI came knocking in August, McCarty had told them everything, believing he had nothing to hide, he said.
"The case is cut and dried," McCarty said. "The logs are all there and I never attempted to hide or not disclose anything. I found the vulnerability, and I reported it to them (USC) to try to prevent identity theft."
McCarty admitted he had accessed the database at the University of Southern California, but stressed that he had only copied a small number of records to prove the vulnerability existed. The FBI's affidavit, which states that a file with seven records from the database was found on McCarty's computer, does not claim that the IT professional attempted to use the personal records for any other purpose.
To other security researchers, the case underscores the asymmetric legal power of websites in confronting flaw finders: Because finding any vulnerability in a server online necessarily means that the researcher had exceeded authorisation, the flaw finder has to rely on the mercy of the site when reporting, said HD Moore, a noted researcher and co-founder of the Metasploit Project.
"It is just a crappy situation in general right now," Moore said. "You have to count on the goodwill of the people running the site. There are cases when there are vulnerable websites out there, but unless you have an anonymous web browser and a way to hide your logs, there is no way to report a vulnerability safely."
Moore points to McCarty's case and the case of Daniel Cuthbert - who fell afoul of British law when he checked out the security of a charity website by attempting to access top-level directories on the web server - as warnings to researchers to leave websites alone. In October, Cuthbert was convicted of breaking the Computer Misuse Act, fined £400, and ordered to pay £600 in restitution.
Other researchers should be ready to pay as well, Moore said. Anyone who affects the performance of a server on the internet could find themselves in court, he said.
"Even if you look at the port scanning stuff - which is not technically illegal - if you knock down the server in the process of port scanning it, then you are liable for all the damages of it being down," Moore said.
Such legal issues are one reason for not testing websites at all, said security researcher David Aitel, chief technology officer of security services firm Immunity.
"We don't do research on websites," Aitel said, adding that the increasing reliance of programs on communicating with other programs has made avoiding web applications more difficult. "The more your applications are interconnected the more difficult it is to get permission to do vulnerability research."
Moreover, such a legal landscape does not benefit the internet companies, Aitel stressed. While companies may prefer to not know about a vulnerability rather than have it publicly reported, just because a vulnerability is not disclosed does not mean that the website is not threatened.
"If this is an SQL injection flaw that Eric McCarty can find by typing something into his web browser then it is retarded to think that no one else could do that," Aitel said.
The US Attorney's Office alleges that McCarty's actions caused the university to shutter its system for 10 days, resulting in $140,000 in damages. The university had provided investigators with an internet address which had suspiciously accessed the application system multiple times in a single hour, according to the affidavit provided by the FBI in the case. The information allowed the FBI to execute a search warrant against McCarty, discover the names of his accounts on Google's Gmail and subpoena those records from the internet giant, the court document stated. Among the emails were messages sent from an account - "firstname.lastname@example.org" - to SecurityFocus detailing the vulnerability, according to the affidavit.
The US Attorney's Office declined to comment for this article. A representative of the University of Southern California also declined to comment except to say that the school is cooperating with the investigation.
"It wasn't that he could access the database and showed that it could be bypassed," Michael Zweiback, an assistant US Attorney for the US Department of Justice's cybercrime and intellectual property crimes section, said last week after his office announced the charge. "He went beyond that and gained additional information regarding the personal records of the applicant. If you do that, you are going to face - like he does - prosecution."
The case has aspects similar to the prosecution of Adrian Lamo, dubbed the Homeless Hacker, for breaching systems at the New York Times. Lamo would frequently seek out vulnerabilities in online systems, exploit the vulnerabilities to gain proof of the flaws, and then contact the company - and a reporter - to help close the security hole. In 2004, Lamo pleaded guilty to compromising the New York Times network, served six months under house arrest and had to pay $65,000 in restitution.
In the University of Southern California case, McCarty identified the vulnerability in the USC system when he decided to apply to the school and, before registering, used a common class of flaws known as structured query language (SQL) injection to test the site, he said during last week's interview. Such attacks exploit a flaw in the code that processes user input on a website. In the USC case, special code could be entered into the username and password text boxes to retrieve applicants' records, according to the FBI's affidavit.
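The flaw class described above, as an added illustration that is not from the article and does not reproduce USC's system: a login query assembled by string formatting beside its parameterized form, run against a few constructed applicant rows in an in-memory SQLite database. The table layout, usernames and records are invented for the example.

```python
import sqlite3

# Constructed sample rows standing in for an applicant table (not USC's schema).
# Passwords are stored in clear only to keep the example short.
APPLICANTS = [
    ("jdoe", "hunter2", "Jane Doe", "123-45-6789"),
    ("asmith", "letmein", "Alex Smith", "987-65-4321"),
    ("bwong", "correct-horse", "Bao Wong", "555-12-3456"),
]


def make_db():
    """Build an in-memory database holding the constructed applicant rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicant (username TEXT, password TEXT, name TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO applicant VALUES (?, ?, ?, ?)", APPLICANTS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern: form input is pasted into the SQL text, so a quote
    character in the input changes the structure of the WHERE clause."""
    sql = (
        "SELECT name, ssn FROM applicant WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The fix: bound parameters; the driver hands the input over as data,
    never as part of the SQL statement."""
    sql = "SELECT name, ssn FROM applicant WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tamper = "' OR '1'='1"  # a login-form value containing a quote character
    # The concatenated query now matches every row; the bound query matches none.
    print("vulnerable rows:", len(login_vulnerable(db, tamper, tamper)))
    print("parameterized rows:", len(login_parameterized(db, tamper, tamper)))
    print("valid login:", login_parameterized(db, "jdoe", "hunter2"))
```

Reviewing a web application's login path for the first pattern, and checking server logs for a single address hitting the login form repeatedly in a short window as the affidavit describes, are the two checks this example is meant to inform.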
USC administrators initially claimed to SecurityFocus that an analysis of the system and log files indicated that only two database records could be retrieved using the SQL injection flaw. After additional records were provided to the administrators, the university acknowledged that the entire database was threatened by the flaw. The FBI's affidavit contains the email that McCarty allegedly sent to SecurityFocus with two additional records from the database.
The events outlined in the affidavit indicated that McCarty tried to act responsibly, said Jennifer Granick, a cybercrime attorney and executive director of the Stanford Law School's Center for Internet and Society.
"Here is a guy who didn't use the information, he notified the school - albeit through a third party - what was he supposed to do differently?" Granick said. "It's a Catch-22 for the security researcher, because they have arguably broken a law in finding the flaw."
The case does underscore that researchers will have to become more savvy about dealing with the legal aspects of their craft, said David Endler, director of security research for 3Com subsidiary TippingPoint.
"Finding a vulnerability in a website is a bit different than finding a vulnerability in a product. You can do a lot of things to a product that won't affect users. You shouldn't poke around a website unless you have permission or have been hired to do it...it's just not worth it."
As the creator of two vulnerability-buying programs, Endler is familiar with the contorted legal issues that can sometimes face vulnerability researchers. He believes that cases, such as McCarty's prosecution, will likely lead to researchers either allying themselves with one of the flaw-bounty programs or declining to disclose any discoveries.
Already, the influence of corporate legal teams has reduced the significance of the vulnerability disclosure movement, Immunity's Aitel said.
"The peak of disclosure has long past us," he said. "Who out there is really giving away bugs these days? The disclosure movement passed us by more than two years ago and people have gone underground with their bugs."
And having fewer security researchers looking over the shoulders of website administrators and internet software makers will only mean less pressure to fix vulnerabilities and weaker security for sites on the internet, the EFF's Tien said.
"There is an under-disclosure of vulnerabilities and weaknesses, and that is bad thing for security, because the less people know about security problems, the less pressure is put on companies to improve security," Tien said.
Author's note: As described in the article, the FBI's affidavit supporting the charge against Eric McCarty of computer intrusion alleges that he was the source for an article published on SecurityFocus by the author. The author did not cooperate with the FBI's investigation nor was he asked to do so. In an interview conducted on Friday and in an email exchange, McCarty provided proof that he was the author's source and waived the condition of anonymity that he requested for the original article.
This article originally appeared in Security Focus.
Copyright © 2006, SecurityFocus