Several weeks ago, I reported that some researchers had contacted me anonymously to give me a slew of vulnerabilities they had uncovered in their research. As a result of the FBI’s over-the-top raid on Justin Shafer, they had become scared of trying to notify entities of what they had found. They left it up to me to decide whether to try to make the notifications or just delete all the information rather than incur any risks or the time-consuming task of making notifications.
As I report on the Daily Dot today, I did pursue making the notifications, including an experiment as to whether I could get a company to give me some assurances before I shared information with them. You can read what happened when I required some assurances from GoDaddy that they would not shoot the messenger.
But that still left me with over 380 vulnerabilities to deal with. I am grateful for the help of Jigsaw Security, who agreed to make the notifications. I will be following up on some of the vulnerabilities tagged as most serious by the researchers, but for now, I want the anonymous researchers to know that I did follow up and didn’t just throw out the results of their research. I hope that gives them some measure of satisfaction.
And because I want my readers to get a better sense of what the researchers told me about their research and concerns, I am going to quote from some of their communications (with light editing):
We were seeing an increase in the use of sqldumps and symlinks as well, and from the very superficial data we looked at, we believe that 90% of the Fortune 500 companies have at least one website/subdomain that exposes either clear text creds, a repo or a backup file, all of which would compromise their site.
[…]
The significance of this research and outcome, [i.e.,] the critical vulns, is twofold. First is that these kinds of simple yet devastating bugs, such as password files or database backups, were something that was very big in the early to mid-2000’s. It had significantly gone down, to the point that it wasn’t something people would automatically look for anymore. In the last three years, there has been a marked increase of this kind of problem. We are regressing, not progressing, in terms of the most basic of security checks.
For the two we do have solid numbers on, the top 1 million websites and the top 1000 domains, the unprotected exposure of /.git/index, .htpasswd and SQL backup files above the webroot increased 8% in 2015 and, with this last count, 14.5% in 2016.
[…]
And the troubling thing is these are major companies with millions of users’ data that they are entrusted with. And to have things like http://[url redacted by DataBreaches.net]/.htpasswd in production on their main website shows that these big corporations still have to learn even the most basic 101 security. Instead most of these corporations are bloated with what I like to call “corporate security,” a process- and automation-driven system with an extreme amount of removal from [what’s] going on in the real world.
Today, most big companies are still headed on the security side by those that still take a huddle-behind-a-firewall approach to security. Indeed, [it’s] quite easy to see in their hiring practices that they haven’t strayed from this mentality, seeking meaningless certs and college degrees over proven and tested knowledge and experience for candidates. Many are still run by the devs, or devs that switched to security mid-career, which is a lot like having the foxes in the hen house. These make up the majority of those walking around cons like Black Hat, paying 2k a ticket and buying all the meaningless threat intel crap floating out there.
[…]
I mean look at [telecom’s name redacted by DataBreaches.net]. I see a file up there that is a standard backup file giving clear text creds to that server and database. We know they have millions of customers and that they tout themselves as a “leader in cyber security.”
[…]
Look at [company name redacted by DataBreaches.net], the [redacted] bullshit company, who sell tapes and videos on running a successful IT business for 1,000s of dollar[s], with their .svn/ repository wide open, which could be taken over very easily and made to do anything the attacker wanted. Whether [it’s] serving malware, being used to host torrent files somewhere or as a foothold into their bigger network, this is basic security 101 stuff that all those high-powered suits can’t seem to understand.
[…]
This is one of our favs:
[Name redacted by DataBreaches.net] promotional website for their ‘consumer grade cybersecurity’ product with an LFI and RFI from a backdoor proxy file. (URLs redacted for now — Dissent)
And finally:
… We both work in the tech industry and usually aren’t this concerned with our research work, but it really struck us that the FBI did that to the researcher for accessing an unprotected FTP site. If this holds up, it really then opens up a new and darker issue: is “open to the public” really just “open to the public they are OK with”? If you think about it, millions of people would be in violation of the shitty [CFAA] law if accessing an anon FTP is considered illegal. But moreover, he took his time to alert the company, and this is how he is repaid?
If they want scared, they got it. Why risk ruining our lives to help organizations that don’t care, don’t wanna know and don’t fix. Also, would you please mention in whatever you do write that this research was done in accordance with all laws in the US and Canada, and at no time did we use the files that are exposed and public, nor did we attempt to access restricted information. The research was meant to help organizations get a grasp on some of these things.
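The exposure classes the researchers describe (version-control metadata such as .git and .svn, .htpasswd credential files, SQL dumps and other backups left inside the served tree) can be caught before deployment by auditing the document root on the server itself. The following is an added example, not code from the original post or from the researchers; it walks a constructed sample docroot offline, and the file-name patterns it flags are assumptions to be adapted to your own deployment.

```python
"""Audit a web document root for artifacts that should never be served:
VCS metadata (.git, .svn), .htpasswd credential files, and database dumps
or backups. Added example for this post; not the researchers' tooling."""
import os
import re
import tempfile
from pathlib import Path

# Hypothetical classification rules (assumptions); extend for your own stack.
RISKY_DIRS = {".git": "exposed Git repository", ".svn": "exposed Subversion repository"}
RISKY_FILES = {".htpasswd": "basic-auth credential file", ".env": "environment/config secrets"}
BACKUP_RE = re.compile(r"\.(sql|sql\.gz|bak|old|orig|tar\.gz|zip)$", re.IGNORECASE)


def audit_docroot(root):
    """Return sorted (relative_path, reason) tuples for risky artifacts under root."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in list(dirnames):
            if d in RISKY_DIRS:
                findings.append((str(rel_dir / d), RISKY_DIRS[d]))
                dirnames.remove(d)  # the repository itself is the finding; do not descend
        for f in filenames:
            rel = str(rel_dir / f)
            if f in RISKY_FILES:
                findings.append((rel, RISKY_FILES[f]))
            elif BACKUP_RE.search(f):
                findings.append((rel, "database dump or backup file"))
    return sorted(findings)


def build_sample_docroot():
    """Constructed sample tree mirroring the exposure classes named in the post."""
    root = Path(tempfile.mkdtemp(prefix="docroot_"))
    (root / ".git").mkdir()
    (root / ".git" / "index").write_bytes(b"DIRC")          # Git index header
    (root / "admin" / ".svn").mkdir(parents=True)
    (root / ".htpasswd").write_text("admin:$apr1$constructed$hash\n")  # constructed
    (root / "backup").mkdir()
    (root / "backup" / "site_2016.sql").write_text("-- constructed dump\n")
    (root / "index.html").write_text("<html></html>\n")     # legitimate content
    return root


if __name__ == "__main__":
    for path, reason in audit_docroot(build_sample_docroot()):
        print(f"{path:30} {reason}")
```

Run it against the real document root as a pre-deploy check or a nightly cron job, and pair it with a web server rule that denies access to dotfiles so a missed artifact is still not served.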
I did try to contact the researchers to let them know the follow-up, but as anticipated, they had shut down the throwaway account they had used to contact me. If they see this and wish to contact me again, please use the same pseudonym so I’ll know it’s you.
And I do realize that a lot of what they are saying is not new in any way. I had heard many of the same observations and complaints from the hacker formerly known as GhostShell in lengthy discussions I had with him. I have also heard it from others.
But apart from the ongoing security concerns, I think companies – and the public – need to accept that just because there’s a law that says, “thou shalt not test or research without permission,” that will not stop those with criminal intent. Nor will it stop those who are just intensely curious but have no evil intentions. We need to give that latter group a way to safely report what they have found. Think of the program the Pentagon recently ran. You had to be a U.S. citizen and register for the program. Well, that wouldn’t work for someone like GhostShell, who probably could find (and dare I say, probably already has found?) vulnerabilities that the Pentagon might want to know about.
So at the risk of sounding like a broken record: your incident response plan should include a way for people to anonymously report vulnerabilities to you apart from any bug bounty program you may offer. And a link to how to anonymously report vulnerabilities or security breaches should be easy to find on your web site.
If you haven’t done that already, go do it now. Seriously. And then let me know that you’ve done it so I can give you a public thumbs up.
The Pentagon invite being limited to US soil means that international laws and rules do not come into play. I don’t know about a company that has satellite companies in the USA and the HQ outside of the USA; it’s a subject best left to lawyers and event planners.
Personally, I think it was wrong for them to dump this on you. It’s a burden, and some wisecrack at one of those high profile companies could easily say you personally took too long to notify the staff there, and they were breached because of it. The original finders of this mess should have simply sent a detailed package to CERT or the FBI, where it is now in the hands of the government. They have details and it would be up to them to contact all responsible parties.
As far as public thumbs up, it’s a target on people’s backs; someone on the dark side simply reads these posts. The evil people can read these posts, and since they are quite adept at finding holes and places to exploit, they can give a good “educated” guess at where these places listed in this post are. They may not have the exact path to the files, but if they write a script, send it to the bots in their control to go find these types of files or catch phrases, and it’s a matter of time before they pinpoint what method the researchers used to find all of this… mess.
Should a cyber war ever happen on a global scale, this could easily create havoc to ruin a bunch of different companies.
Why would I trust the FBI to notify promptly? And I’ll bet you CERT wouldn’t have taken this on, either.
You’re assuming that just because you vent on forums, millions of people are going to come here and read this? They’d rather have you waste your time (in their eyes) than come up with an avenue where a government agency needs to step in.
The knock on a door by a blogger can be thought of as another side attack. The knock of an official three letter entity may make them pay attention a little bit more.
Most of these companies could give a crap about security. All it takes is a little time and planning and most of these vulnerabilities could easily be resolved. They run scans at night automatically when they are asleep, and address the most critical first, then, once the motivation is rolling, do a little bit at a time. Unfortunately, many surf the web rather than work, and you get what they pay for.
Get what they pay for in security defenses, talent, maintenance, upgrades, and attention to detail.
They are into making a profit. Period. Once “they” fall victim to an incident, they can hire a firm that will call an admin using default credentials or password reuse a “sophisticated attack.”
The problem with all of this is qualified and experienced talent. There are hundreds of thousands of jobs out there but the majority of people seem not to care that the network security arena has good paying jobs. All they need to do is be selective for a company that is willing to make the work area a safe and secure environment.
Notifying “promptly”? It has been months if not years for some of these companies. The “promptly” went out the window when the vulnerability became available to public view. I applaud your deep desire to pound on doors until your knuckles bleed but this fight needs to be dealt with on a global scale. It’s not going to happen overnight, or even over a year. To unscrew this way of life, it’s going to take CERT-like organizations to take action, to do scans and inform companies about issues – same with the three letter agencies. They need to be fined, their ability to communicate with the outside world needs to be blocked temporarily. Once you affect the surfing and the inability to tweet and write BS on faceplant, they will notice that there is an issue with their business.
Never assume my actions are confined to venting on forums. And even though I have been disappointed by federal regulators NOT going after some very big entities on data security, I continue to pursue that route, too. As to CERT, I have approached them in the past on one particular issue that I thought they could and should do more about. They didn’t, so I won’t be so quick to run back to them.
Yes, I am just one blogger with a little blog, and yes, the courts have not been helpful to consumers who try to hold companies accountable for sloppy security. But I am also in discussion with others that involve TLAs.
FWIW, I loved what South Korea did: it banned companies that had had massive breaches from taking on new customers for 3 months or so. Hurt their bottom line and you get their attention.
In the meantime, I’ll just go replenish my supply of bandaids for my knuckles.
Grab a lot of them. CSO online reports that there are close to 170,000 servers on the list now that are compromised.
I like this experiment, mind if I call it an experiment?
What we see is what you have been stating since… forever. Proper and speedy contact.
Regression reminds me of that movie “Idiocracy”. Good work.