Re: Security reporting response handling [was: Suggestions for the future on your web site]

2013-01-23 Thread Jimmy Hess
On 1/22/13, Suresh Ramasubramanian ops.li...@gmail.com wrote:
 On Tuesday, January 22, 2013, Matt Palmer wrote:

What the article may not tell us is what the applicable College's
technology policies would be, or what sort of contacts between
student and university staff were taking place.
I see this as more of a press relations failure on the College's part,
as they failed to have a plausible explanation for their choice
published, instead deciding to cite student privacy concerns.

Apparently, they bother to have students agree to certain professional
codes, but also fail to require students to agree that if they reveal
disciplinary action against them to the media, they waive their privacy
rights over the matter.

It's possible there was a warning received or ignored the first
time, that the student chose to ignore.
Or the first event was allowed to slide only because of the
circumstances, or enforcement of policy was ignored because a 1st
offense is excused.  But after a very blatant 2nd occurrence, or a
1st offense actually formally reported to the school, it was just too
much.

Or the student did not engage properly, or with the proper attitude.
For example, by failing to mention/discuss any offer or intent to
re-test or rescan or help verify the vulnerability was indeed closed.

Such institutions often have bureaucratic rules,  and internal
politics/requirements to be seen enforcing their rules:  and enforcing
their rules equally  (not necessarily fairly, or with any reasonable
sort of logic).

I believe the same to be true of governments and other large
organizations -- intent doesn't always matter, when allowed
behaviors are dictated by written rules.  The actor may intend to do
good, and have in fact done 200x as much good as harm in action,
but the rules are clear, and demand action.

Security policies often specify expulsion for violations, and the
choice of rigid enforcement might be part of their defined
security plan.


The college could very well have a rule to cite that was reported
to them as broken, and therefore their hands were tied, as soon as
the 14 profs agreed that yes, this was a breach, and yes,
expulsion was required by the policy in that case.


 Report - yes.  What this kid seems to have done is - reported it, got
 thanked for it. Then went ahead and pentested the site to see for himself

Yeah... about that.  So he didn't just test if the vulnerability
previously found still existed; the article suggests he ran an
in-depth scanning suite against the site a 2nd time.  This certainly
differentiates the behavior from the normal malware probing activity
-- because it's a return attacker, which may result in escalation of
a previously recorded security incident.

Discovering a vulnerability by chance, when interfacing with a
website, and reporting it are one thing.  Deliberately running
invasive high-impact scanning tools (tools that contain warnings
against use on production sites), spidering an entire site, with
numerous very obvious attack attempts, potentially generating
significant load and setting off many security monitoring alarms --
attempting to exploit a previously found, or find new,
vulnerabilities on someone else's server on someone else's network,
without permission from the network/server operator is for sure not
a White Hat move.

It may be a Gray Hat move; however, as far as a security incident
response team would be concerned -- the assumption has to be that any
unauthorized, obvious, protracted intrusion attempt is malicious;
therefore, recovery and recourse processes should be initiated upon
detection.  The student's word that he wouldn't steal
anything isn't very credible after launching two attack attempts.

Indeed... the school's description of violation of professional
standards would be accurate.  A professional security auditor or white
hat would generally not be running high volume invasive exploit
attempts against foreign networks without securing permission.



 Expulsion, maybe not, though the article I read said 14 out of 15 profs in
 his college voted to boot the kid out.

It didn't say  under what circumstances they make that decision though.

It may be standard procedure that it's a thing done in private, and
the de facto rule is one person makes a recommendation, and everyone
almost always agrees,

Or the default is Yes, unless someone can raise a specific objection.
So there's a lot of things that could mean g

 --srs
--
-JH



Re: Security reporting response handling [was: Suggestions for the future on your web site]

2013-01-23 Thread .
This kid is not a hacker.  Changing a url to point to
profile.php?id=45 instead of profile.php?id=44 doesn't require anything
special.  Downloading a tool only requires knowing how to click
download.  This is a basic level of computer usage.  Kids these days
host modded Minecraft servers at 11 years old.

The claim that he got expelled because he ran a tool that could
have, maybe, made the website slower (for the duration of the scan) is
weak.  A more realistic reason is moral panic // he is making us look
bad.  Making stupid people look stupid should not be a crime.





--
End of message.
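The profile.php?id=44 to id=45 change discussed in this post is an insecure direct object reference. As an added example (not code from this thread, nor from the school's software), here is that lookup in the vulnerable style beside a hardened version with an object-level authorization check; the record store, the student/staff role model and the session ids are constructed for illustration.

```python
# Added example, not code from the thread or the school's site: the
# profile.php?id=N lookup discussed above, first as written in the vulnerable
# style and then with an object-level authorization check. The record store,
# the session/role model and the ids are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

Record = Dict[str, str]

# Constructed sample "database" keyed by the id that appears in the URL.
STUDENT_RECORDS: Dict[int, Record] = {
    44: {"name": "Student A", "grades": "A-"},
    45: {"name": "Student B", "grades": "B+"},
}

@dataclass(frozen=True)
class Session:
    user_id: int   # the authenticated student's own record id
    role: str      # "student" or "staff" (constructed role model)

def parse_id(query_value: str) -> Optional[int]:
    """Accept only a plain positive integer from the query string."""
    return int(query_value) if query_value.isdigit() else None

def profile_insecure(session: Session, requested_id: int) -> Optional[Record]:
    """Vulnerable pattern: trusts the id from the URL and never asks whether
    the caller may see that record, so any logged-in user can walk
    id=44, id=45, ... and read every student's record."""
    return STUDENT_RECORDS.get(requested_id)

def profile_hardened(session: Session, requested_id: int) -> Optional[Record]:
    """Object-level authorization: return the record only when the session
    owns it or carries a role entitled to read other students' records.
    A denial and a missing id look identical to the caller, so walking ids
    no longer reveals which records exist."""
    if session.role != "staff" and session.user_id != requested_id:
        return None
    return STUDENT_RECORDS.get(requested_id)

def disclosed_ids(lookup: Callable[[Session, int], Optional[Record]],
                  session: Session, candidate_ids: Iterable[int]) -> List[int]:
    """Walk a range of ids the way the 'change the number in the URL' test
    does and report which ones handed a record back to this session."""
    return [i for i in candidate_ids if lookup(session, i) is not None]

if __name__ == "__main__":
    student = Session(user_id=44, role="student")
    print("insecure:", disclosed_ids(profile_insecure, student, range(40, 50)))
    print("hardened:", disclosed_ids(profile_hardened, student, range(40, 50)))
```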



Re: Security reporting response handling [was: Suggestions for the future on your web site]

2013-01-23 Thread Scott Weeks


--- oscar.vi...@gmail.com wrote:
From:  . oscar.vi...@gmail.com

weak.  A more realistic reason is moral panic // he is making us look
bad.  Making stupid people look stupid should not be a crime.
-


It's his wake up call ... oops, I mean his 'welcome' to the 
wonderful world of corporate/government/university politics.  

Welcome kid.  This is what it's going to be like until you're 
too old to care...  ;-)

scott



Re: Security reporting response handling [was: Suggestions for the future on your web site]

2013-01-22 Thread Matt Palmer
On Mon, Jan 21, 2013 at 11:23:16PM -0500, Jean-Francois Mezei wrote:
 This article may be of interest:
 
  http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/
 
 Basically, a Montreal student, developing mobile software to interface
 with the school's system, found a bug. Reported it. And when he tested to see
 if the bug had been fixed, got caught and was expelled.
 
 In the context of this thread, they found a vulnerability in the web
 site's architecture that allowed them to access any student's records.
 
 This is the perfect type of incident you can bring to your boss to
 justify proper architecture/security for your web site. How would you
 react if it was your company's name in the headline?

That article doesn't justify security review, it justifies not being a
complete knob when someone reports a security hole in your site.  There are
so many site vulnerabilities these days that they're not news.  What *is*
news is when the vulnerable organisation goes off the deep end and massively
overreacts to the situation.

See Also: First State Superannuation.

- Matt




Re: Security reporting response handling [was: Suggestions for the future on your web site]

2013-01-22 Thread Suresh Ramasubramanian
On Tuesday, January 22, 2013, Matt Palmer wrote:

 That article doesn't justify security review, it justifies not being a
 complete knob when someone reports a security hole in your site.  There are
 so many site vulnerabilities these days that they're not news.  What *is*
 news is when the vulnerable organisation goes off the deep end and massively
 overreacts to the situation.


Report - yes.  What this kid seems to have done is - reported it, got
thanked for it. Then went ahead and pentested the site to see for himself
whether the bug was fixed or not.   Which justifies the company asking him
to stop I guess - and it definitely justifies the kid's prof chewing him
out.

Expulsion, maybe not, though the article I read said 14 out of 15 profs in
his college voted to boot the kid out.

--srs


-- 
--srs (iPad)


Re: Security reporting response handling [was: Suggestions for the future on your web site]

2013-01-22 Thread Alain Hebert
Hi,

(Mind the English, like my French, it's awful)

Going from, what seems to be, a non-service impacting XSS scan to
expulsion is a bit of a trek.  I'm sure there is a big chunk of story
missing.  Besides, a 20yo is rarely aware of the proper etiquette when it
comes to scanning websites and the worst he should have got is a sit
down with security experts to explain to him how to go about it in the
future.

Hopefully, stories like this will provide more incentive to 3rd
party software providers to add this type of scan to their QA.  And
train their developers in the art of internet security when it comes
to XSS/SQL Injection (see OWASP/etc).

PS: Being in Montreal, too bad someone already offered him a job :(
I may have some part-time work for a bright kid soon.

-
Alain Hebert                          aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911   http://www.pubnix.net   Fax: 514-990-9443

On 01/22/13 06:27, Suresh Ramasubramanian wrote:
 On Tuesday, January 22, 2013, Matt Palmer wrote:

 That article doesn't justify security review, it justifies not being a
 complete knob when someone reports a security hole in your site.  There are
 so many site vulnerabilities these days that they're not news.  What *is*
 news is when the vulnerable organisation goes off the deep end and massively
 overreacts to the situation.

 Report - yes.  What this kid seems to have done is - reported it, got
 thanked for it. Then went ahead and pentested the site to see for himself
 whether the bug was fixed or not.   Which justifies the company asking him
 to stop I guess - and it definitely justifies the kid's prof chewing him
 out.

 Expulsion, maybe not, though the article I read said 14 out of 15 profs in
 his college voted to boot the kid out.

 --srs