Monday, July 8, 2013

Should security social workers test websites without authorization to prove that they are insecure?

Earlier this month, the Electronic Frontier Foundation filed an appeal against the 41 month conviction of Andrew “Weev” Auernheimer, who along with a colleague exploited a hole in AT&T’s public website to siphon of 114,000 email addresses of AT&T’s ipad customers. Andrew erred in sending these email addresses to “Gawker” which published a few of them, prompting an investigation. Andrew was charged with identity theft and felony under the Computer Fraud and Abuse Act of 1986 (CFAA). Andrew’s colleague who wrote the script the “iPad 3G Account Slurper” which extracted the email addresses pleaded guilty and was not sentenced.

On June 6 , 2103  mainstream Indian media went ballistic on a blog post by a Cornell student of Indian origin who had scraped the entire ICSE Class X and ISC Class 12th  result off an online website, and analyzed the marks distribution. Luckily for the student, neither the 1, 50,000 students or the council of Indian School Certificate Examination (CICSE) board filed a case. The hacker fortuitiously did not disclose the data online as Andrew did.

In both these events the hackers claimed in defense that their act could not be equated to a hack, as they scraped data that was publicly available for anyone with reasonable technical knowledge. Notwithstanding, that in both these cases a script was written to extract bulk data, using randomized inputs.

There are security professionals and firms who test a company’s websites without authorization and utilize found vulnerabilities as a sales pitch. This practice prevalent in the early days of the dotcom era was acceptable to firms, who did not spend money in routine security assessments, as the largest risk was website defacements. At that time, amateur hackers were a nuisance to business, nothing more. Nowadays, the risk and benefits of cyber crime are far bigger and it is difficult to distinguish between well meaning professionals and crooks.

Should this practice be encouraged? I believe not. Should people like Andrew Auernheimer or Aaron Swartz be punished severely? I believe not. This is where an informed and aware judiciary has to draw the line. In first instance of new forms of crime, sentences are handed out to set an example.  This in my view is unjust to the person who was caught first, as others who follow may be more fortunate.
On a similar note, people and companies who do not take steps to protect their net infrastructure and customer data should be penalized. The fault for not using an encrypted wifi or not changing the wifi default password or for not using an update antirust or patching a computer should squarely rest on the owner, as its impact can have consequence for other people, firms or even national security.

Product vendors have found a way to motivate security researchers through legitimized bug finding through bug bounty programs. Bug bounty programs offer a bounty, which may be up to 1,00,000 US$ for every security bug found and disclosed responsibly. Responsible disclosure allows the product vendor time to fix the vulnerability before public disclosure. Such programs are unsuitable for companies and unauthorized non professional testing has the ability to create site outages.

photo credit: geoftheref via photopin cc

No comments:

Post a Comment