Wednesday, June 17, 2009

Legalize It (Hacking GOV and MIL website)

Update 07.28.2009: Salesforce.com publishes their "Vulnerability Reporting Policy" and becomes the latest large corp to "legalize it." I was privy to early drafts for feedback and I must say, the final product looks pretty good! They even have a safe-for-testing playground for security researchers. Nice touch! Hopefully more organizations will follow suit.

Update 06.20.2009: Jack Mannino offers very well-thought-out and persuasive counterpoints to my suggestion below. I'll have to take some time to consider his arguments and respond accordingly. Boiled down, Jack is reminding us that private websites are different in purpose than government systems, which exist for totally different purposes and may not automatically benefit from pen-test crowd-sourcing. The second main point is one of saturating already limited resources with respect to incident response.

I’d wager fewer than ten percent of United States .GOV and .MIL websites are professionally tested for custom Web application vulnerabilities. The reasons why are probably the same as in the private sector. Those responsible don’t know or don’t want to know that problems exist. Statistically of course they do, and our statistics are validated by a recent Federal Aviation Administration security report indicating that 70 of its websites tallied thousands of vulnerabilities. Those who do acknowledge and wish to address the problem often lack the budget or authority to initiate a project. Consequently, enemies both foreign and domestic are likely to know more about what and where our government’s website vulnerabilities are located than the defenders do.

This is a vital concern and an issue I think could be solved through policy or legislation. I believe there are hundreds, maybe thousands, of vulnerability researchers ready and willing to volunteer themselves to find and disclose vulnerabilities -- for free -- if only allowed to do so. What every information security professional knows is there are the penetration tests you pay for and those that you get every day for free, no matter who you are. What they also know is that testing anything you don’t own or have written consent to test runs the risk of legal prosecution. You are especially not supposed to touch government or military systems, as these organizations have an infinite amount of time and money to go after someone. This is vastly different from the approach of a private enterprise whose investigation eventually has a cost-benefit analysis attached. Generally, no more is invested than the amount lost.

Even so, some researchers are comfortable with harmlessly poking at private sector websites for Cross-Site Scripting, Cross-Site Request Forgery, SQL Injection, and other bugs. XSSed.com serves as a good example of open disclosure, which also demonstrates that no top-level domain is off limits despite the legal consequences. It is time to do something new because we know Web applications are the biggest InfoSec risk we face. This is an extraordinarily large problem. And so, what if, to meet this challenge, we leveraged people’s willingness to find vulnerabilities on their own time, eliminated their risk of prosecution, and instead provided a mechanism for disclosure like a government version of the MSRC? That’s right, let us hack .GOV and .MIL as a veritable army of volunteer pen-testers. How cool would that be! It is not like anyone is being prosecuted for simply finding a government website vulnerability, so no loss there. Sound crazy? Maybe, but hear me out first.

Consider that several prominent websites such as PayPal, Microsoft, and Google have already successfully taken such measures. I have first-hand knowledge that more are on the way. Their policies state that as long as the researchers follow the rules of engagement -- essentially not doing any damage or defrauding the system, and discreetly disclosing their findings so the companies can create a fix -- no legal measures will be taken. These organizations have matured and learned to work with the community. After a fix has been issued, the researcher may tell the world to bolster his reputation in the security community. No dollars are exchanged, but impressive work has led companies to single out specific researchers to thank them. Yes, there are potential downsides, but in my humble opinion the gain more than justifies the risks.

Assuming reported vulnerabilities are fixed promptly, a similar approach would benefit the government while measurably raising the bar for the bad guys. Currently, it seems that for many governmental Internet-connected systems the bar is set quite low. By allowing the good guys to assist them, the government could get access to a qualified pool of security talent to fill their internal security positions. Wasn’t the Pentagon looking to hire high school students for this sort of thing anyway? Open source and commercial vendors could get a new playground to test and improve their vulnerability scanning products. Hard to beat free pen-tests. College students and security training professionals could apply and safely hone their skills. Fake websites are nice and all, but nothing in Web application security compares to experience on real systems. Everyone wins!

I know I’ve painted some broad strokes, but I’d very much like to hear what others think. If reasonable, perhaps this is something Jeff Moss, our de-facto hacker representative to the Department of Homeland Security, could run up the flag pole.

17 comments:

wcserafin said...

Interesting point here. Attacking forces anyone to protect. I found some websites developing spy software being tested in Yahoo! It can detect a user even if that user is in invisible status. It can also gather information in Hi5 profiles. I wanna know more about this. I have the sites listed in my post.

Tom Brennan said...

Here's a concept that is simple... Let's say that you are an FBI/Infragard member http://www.infragard.net note one of the 31,000+ persons that the FBI has performed a background check on and has given you the thumbs up ;) well if you have static IP address and you register with your Infragard # and your static IP now you have a "license" or a get out of jail free card. So this could work... after all Obama wants you to think about what you can do for your country well.. ok game on.
http://www.pcworld.com/article/165773/obamas_cybersecurity_initiative_wins_praise.html

MustLive said...

Nice post Jeremiah!

As you know, legality of hacking is important topic for me ;-).

> Fake websites are nice and all, but nothing in Web application security compares to experience on real systems.

Exactly. I use this credo for 4,5 years already.

> Sound crazy?

Not so crazy. Making a legal mechanism for disclosure for the government sector is a good and wise idea. Such official and legal mechanisms are needed for the government as well as for the private sector - to remove the fears of good guys about their security actions and improve web site security.

For example I don't worry about finding vulnerabilities at government web sites (including of my own country), but people in other countries, like in USA, can worry about that :-). So it's limiting the whole process of securing of Internet. And it must be fixed.

> Wasn’t the Pentagon looking to hire high school students for this sort of thing anyway?

It's good that at least in your country there are clever enough people in the government :-) (and there is money for this purpose). I hope that there will be more clever governments out there.

> Those who do acknowledge and wish to address the problem often lack the budget

Yes, there is such a problem. And here is a solution for the USA government: if your own security professionals want too much cash, then hire foreign security professionals, e.g. from Ukraine. With the same or even better quality of work, it'll be ten times cheaper to hire them ;-).

> I’d wager fewer than ten percent of United States .GOV and .MIL websites are professionally tested

Do you know how many USA government sites were hacked this year? Because during my weekly research, as I already wrote at my site, I found three hacked Ukrainian .gov sites in the first half of this year. And yes, hacked by Turkish hackers :-).

Jean-Philippe said...

"After a fix has been issued"

It would be the main problem.
How can you ensure they fixed it, who would do it?
A special Agency? That would go through hundreds and hundreds of useless reports?

(I have worked in a company asking some employees to find security vulnerabilities in one of the tools they were developing, and you would be amazed by the number of people not knowing the difference between a stack exhaustion they found and stack buffer overflow thinking they have found something...)

Also wouldn't it focus on a specific vulnerability that people would try to reproduce without reporting if they found something?

Why not try to build secure and robust applications in the first place?

Jeremiah Grossman said...

@Tom Good idea! We could at least start with Infragard being allowed.

@MustLive, yep. You've been posting on the exact same subject. Clearly something has to change. Amazing how many people though fight to keep the status quo.

@Jean, The site owner would first claim they fixed the issue. If they had not, the pen-testers would quickly find out and the disclosure process repeats.

Clearly the concept would not be without its headaches as you point out. Still, I believe the results would be worth any pain. If Google, PayPal and the MSRC can pull it off, all I'm saying is why couldn't the GOV do the same?

And you still can build "a secure application", but of course no code is ever quite perfect. Not to mention all the current applications that simply won't be rebuilt from scratch just to make them secure for oh so many reasons all amounting to cost.

Jean-Philippe said...

@Jeremiah,
"why couldn't the GOV do the same?"

Good point, maybe because it is not the same scale.
Google have about 20K employees and there are 3.68 million full-time and 1.39 million part-time state-level-government civilian employees (as of 2002)

The scale is way bigger, tons of small departments, directors, IT everywhere, tons of contractors, with specific needs, applications, ideas...
http://www.alexa.com/search;1?q=gov (3000 ?)

"...but of course no code is ever quite perfect...for oh so many reasons all amounting to cost"

You are right I know, I know, I was playfully mocking the concept in fact.

Jeremiah Grossman said...

@Jean, if the scale turns out to be too massive, and indeed it could be the case, the GOV still retains the privilege of limiting the scope. Perhaps open up the systems on a dept by dept or site by site basis to keep things manageable.

Jeremiah Grossman said...

One more thing, perhaps CERT could help in the management of said program. They seem to be set up for exactly this.

kingthorin said...

Hurdles for implementation.

1)a) How would you prevent dozens of people from "testing" the same site/app at the same time? (Read un-intentional DoS/DDoS)
b) If multiple resources are testing the same site/app how could you be 100% sure that a result you're seeing was caused by the stimulus/interaction you performed?

2) Assuming you don't mean just low hanging fruit. How would you have the GOV & MIL provision credentials to use for said testing activities?

3) Assuming these are production systems. Who would be responsible for the potential spurious entries in databases caused by injection testing? (If they don't have the resources to test the sites/apps it's unlikely that they have the resources to rollback or clean databases).

4) Although "professionals" might take care not to crash things, it does indeed happen. If you haven't contracted for the work who would you contact to report an outage? Assuming these are production systems would an outage by a 3rd party (prosecutable or not) be acceptable to the asset/system owner/operator? (Seems unlikely)

5) How would "professionals" be defined/identified for this undertaking/process? Or are you simply suggesting that no-one be prosecuted for attacking (testing) Government resources? (I'm sure some people will say "intent" and proof of "intent" is a pretty tangled web.)

I kind of like Tom's infragard idea.

Jeremiah Grossman said...

@kingthorin

1) I don't think you can ever eliminate this risk, it'll always be there. Still unless the site is extremely fragile, shouldn't be a likely problem.

2) Give out no credentials unless you can self sign-up on the site. Yes, this limits comprehensiveness, but again since we're crowd sourcing just the low hanging fruit, this should be OK as well. Of course if they really want to hand out test accounts, I suppose that is the site owner's choice.

3) Hmm, good question. Wonder how PayPal, MS, and Google handle that. Probably just roll with it as it's not that big of a headache. That is unless the pen-tester gets really exploitive in a public area of the site, which they shouldn't.

4) Seems related to #1. Whoever the GOV MSRC would be is the primary contact. Again, site owners can opt-in to crowd sourcing a pen-test. Or they can choose to pay for one. Their call, but everyone gets one.

5) Originally I was thinking everyone, but if it was just Infragard initially... I could go with that as well.

Jack Mannino said...

Jeremiah,
Thank you for acknowledging my counterpoints. I think regardless of our opposing views on some things, we are both in agreement that a lot more can surely be done, across all sectors!

Black Cell said...

Jeremiah, the .GOV and .MIL sites have so many applications both internal and external it would be IMPOSSIBLE to test them. Their current mode of testing is to run AppScan on the sites and randomly select 1 out of 30 to have their internal red teams perform a deeper assessment.

Some of the testers are amazing, others are so so. This is what guys like Matt Fischer after leaving SPI DYNAMICS.

Anonymous said...

This makes sense.... but you are dealing with the GOVERNMENT and MILITARY.

Secrecy and political CYA are the rule. It will never happen.

BUT it is still a great idea. So pilot it through the private and/or non-profit sector: "Hack My Site!" Winner's boards, give out prizes from participating vendors, etc. Might cut into WhiteHat's revenue, though. :>

Set up a non-profit clearinghouse that acts as a neutral ground for the talents who post to xssed.com and sla.ckers.org and set up a notification process and educate the companies on fixing their sites and keeping.

Vulnerabilities will not be published, hackers get their jollies, sites get fixed, drive by malware decreases,....

*sigh*
A guy can dream, can't he?

Anonymous said...

Let's take a look at this from another point of view, shall we ?

[Off-topic] The wording is not the most fortunate here, IMO.
PayPal, Google, Microsoft, etc are in no position of legalizing anything themselves, they are not a state in state.
http://dictionary.cambridge.org
"Legalize - to allow something by law."
For the average user, reading this, it's pretty scary to see that the (state/country) Paypal legalized hacking. :)

Coming back to the topic:
.gov (usually) stands for web sites of those empowered to enforce the law.
"these organizations have an infinite amount of time and money to go after someone."
It's not only that, is what some of them do, they have to do that, or else there is no need for them.
Opening a legal investigation does not mean "prosecuting" somebody.
I do understand your point though.

The fact that a big corp "allows" some form or another of (unauthorized) action it's a complete different aspect, it's like comparing bodyguard agencies with the police.
Bodyguard agencies are not directly interested in getting bad guys, while the police is.
In case of a security breach, they handle different than police the pre-incident, the incident itself and the aftermath.
You can't just go and say, look I found this SQLi on this .gov site, but you have to believe I did not use it to view/extract any confidential information. They have to investigate this aspect, open a legal investigation, is what they do, what they are supposed to do.
The problem is how this investigation is run. And that a security researcher has to deal with it.

There might be already a too thin line between the community watch and "vigilantes", on the private web sites area:

1.
http://www.readwriteweb.com/archives/rockyou_hacker_30_of_sites_store_plain_text_passwords.php
"tells us that he used an SQL injection to gain direct access to RockYou's database, where he found login information for more than 32 million user accounts."
"The hacker showed us an image containing the last few lines of a 32,603,388-line, seven-column dataset weighing in at 276 MB."
"Don’t lie to your customers, or i will publish everything"
"They are now hunting for me, but why? I didn't do anything wrong. They should now be in jail because they put all of these people at risk."
Come again ?

2.
"In the third picture we have user, the password for the MySQL server, and host (IP address from which you can log those users). We see another big mistake. Many users have % the host. When you decode the password that we can log on MySQL server from any IP. For example user password phXXXX, * A1F1CB851D62F002C09A0C9C4A76262473432F55, highlighted in red in the print screen is decoded: !QAZ2wsx ( I replaced some point in the username with X’s )"
“I do not break, I do not delete, I do not change, and I NEVER save anything.”
Come again with the breaking part ?

Even according to some vendors' rules these do not sound good:

Paypal:
Do not engage in security research that involves
* Use of an exploit to view data without authorization, or corruption of data.

Salesforce.com does not permit the following types of security research:
Accessing, or attempting to access, data or information that does not belong to you

Imagine these fellas taking on such an initiative, it won't last more than three days...

Cheers!

Jeremiah Grossman said...

@anonymous, you make some good points and clearly the idea should not be introduced without a number of considerations. Still, I don't think it should be dismissed either as being too radical. Here's where I am:

By allowing/legalizing these independent pen-tests, do we cause more harm than good? Meaning, whatever we allow the "good guys" to do, are the "bad guys" doing worse already? The question, is it worth it? I think on a large number of websites, it would be.

Anonymous said...

Personally I don't think it's an idea too radical. -> things look radical because we just speak too generally IMHO, so it can be like this, or like that, or etc. But that's normal (and expected) I would say, for a start.
I've read all the comments from here and blog posts linked, including the article posted on WhiteHat Security's web site.
I think that everybody makes valuable points, and there are pro and against points, which is a pretty interesting aspect, if we just sat and think about this. If would be only negative feedback, would be something, if would be only positive feedback, again it will be something. But there is both, and that's really something.

IMHO, about the topic, I think the problem itself is the legalization process.
.gov unlike PayPal etc., need to operate within legal boundaries, hence your title of this post becomes quite justified for .gov. Also from the researchers' perspective this is also a need.
But most people do not really read very carefully laws, and more important they do not really understand them at a full extent(they are not lawyers, terminology etc.).
This opens a potential "abuse" from the lawman, while on the other side to have the researcher to suddenly become from a good guy a bad guy. This can make researchers walk away from such a program.
Also this works in the opposite way, a too lax law will "grant" the researcher too much room to play. While for seasoned researchers this is not a big case (they might have defined strong lines), for less experienced people or bad guys, this can lead to abuse. And further this will lead to the questioning of such a program.

Another problem I see, due to the legal aspects, is the process of reporting vulnerabilities (apart from the one of finding them and how to (safely) do that), which will be a little more bureaucratic and stressful compared to the one from the private area.
This can be a psychological aspect. Seasoned researchers might handle it, but beginners might lose their temper (things become more personal than is necessary), depending on how the person on the other end behaves (the law is crucial here, too much liberty in the wrong direction, and the researcher can feel provoked), and from here to breaking the law it's just a small step ("Don’t lie, or i will publish everything", which is a translation of "send me the piece of paper where you want me to plead guilty and I will sign it"). And in this case, unlike with the private companies, as you already mentioned, they will come after the researcher. This is also why I said that from the researchers' perspective a law is also a need, to prevent abuse against them.

---

Sigh, "Your HTML cannot be accepted: Must be at most 4,096 characters", need to break the comment...

Anonymous said...

the rest of the comment:

IMHO, it might work if they (.gov) open a monthly rotation system, where researchers can sign up to participate (without being paid), assuming laws will exist to legalize your idea.
Real names, real contracts, all legal, .gov feeling comfortable, also same comfortable feeling for the researchers, who will be temporarily part of the .gov, not some outsiders, thus at the same time they can be anybody (outsiders free to sign in) and somebody (under a temporary contract) -> mitigate the objections of ones "with the army of script kiddies DoSing .gov. etc."
A scoring system can be used to allow researchers with valuable results to participate again much faster than ones with no/limited results while "fresh blood" comes in monthly. This will also allow researchers to put their name on a "hall of fame" wall, boosting their reputation(which will justify the lack of any payment).
The problem with such a system will be to get it right so that researchers to not feel discriminated, and avoid what might come from this.
Another problem, for a start, is that such a rotation system can only be for finding vulnerabilities, and not, at a certain extent, for helping them fix these properly(mitigate the resource shortage), a sort of a red/blue community teams. There are quite some implications from here.
Also, to have these working, I think we need lawyers to step in, and similar to the researchers' work (meaning free of charge), take a look at the legalization process, and through blog posts/articles, analyze/dissect the laws of interest, and offer directions, what exactly means this and that, what one should not really do under any circumstances, etc.

But then again, probably most feasible, for the moment being, seems to have .gov hire more of such valuable researchers in the first place...
It's still a start IMHO.

Cheers!