Security reporting response handling [was: Suggestions for the future on your web site]

Jimmy Hess mysidia at gmail.com
Wed Jan 23 08:39:56 UTC 2013


On 1/22/13, Suresh Ramasubramanian <ops.lists at gmail.com> wrote:
> On Tuesday, January 22, 2013, Matt Palmer wrote:

What the article may not tell us is,   what the applicable College's
technology policies would be,   or  what sort of contacts between
student and university staff were taking place.
I see this as more as a press relations failure in the College's part;
  as they failed to have  a plausible explanation for their choice
published,  instead deciding to cite student privacy concerns.

Apparently, they bother to have students agree to certain professional
codes, but fail also, to require students agree if they reveal
disciplinary action against them to the media,  they waive the privacy
rights over the matter.

It's possible there was a warning received or ignored;  the first
time, that the student chose to ignore.
Or the first event was allowed to slide only because of the
circumstances:  or enforcement of policy was ignored because 1st
offense is excused.   But after a very blatant and  2nd occurence,  or
 1st offense actually formally reported to the school, it was just too
much.

  Or the student did not engage properly, or with proper attitude.
For example,  by failing to mention/discuss any offer or intent to
re-test or rescan or  help verify the vulnerability was indeed closed.

Such institutions often have bureaucratic rules,  and internal
politics/requirements to be seen enforcing their rules:  and enforcing
their rules equally  (not necessarily fairly, or with any reasonable
sort of logic).

I believe the same to be true of governments and other large
organizations --  intent doesn't always matter,  when allowed
behaviors are dictated by written rules.    The actor may intend to do
good,  and have in fact done 200x as much good than harm in action,
but the rules are clear, and demand action.

Violation of security policies often specify expulsion specifically,
and choice of rigid enforcement might be part of their defined
security plan.


The college could very well have a rule to cite;   that was reported
to them as broken,  and therefore their hands were tied,   as soon as
the  14 profs  agreed that yes,  this was a breach,   and yes,
Expulsion required by the policy in that case.


> Report - yes.  What this kid seems to have done is - reported it, got
> thanked for it. Then went ahead and pentested the site to see for himself

Yeah... about that.   So he didn't just "test" if the vulnerability
previously found still existed; the article suggests he ran an
in-depth scanning suite against the site a 2nd time.   This certainly
differentiates the behavior, from the normal malware probing activity
-- because it's a return attacker;   which may result in escalation of
a previously recorded security incident.

Discovering a vulnerability by chance, when interfacing with a
website, and reporting are one thing.      Deliberately running
invasive high-impact scanning tools (tools that contain warnings
against use on production sites), spidering an entire site, with
numerous very obvious attack attempts,  potentially generating
significant load and setting off many security monitoring alarms --
attempting to exploit a previously found,  or find new
vulnerabilities, on someone else's server on someone else's network,
without permission  from the network/server operator is for sure not
so a White Hat move.

It may be a Gray hat move;  however, as far as a security incident
response team, would be concerned -- the assumption has to be that any
unauthorized obvious protracted intrusion attempt is malicious;
therefore,  recovery and recourse  processes should be initiated, upon
detection.       The student's   word   that he wouldn't   steal
anything,  isn't very credible after launching two attack attempts.

Indeed... the school's description of  violation of professional
standards would be accurate.  A professional security auditor or white
had would generally not be running high volume invasive exploit
attempts against foreign networks without securing  permission.



> Expulsion, maybe not, though the article I read said 14 out of 15 profs in
> his college voted to boot the kid out.

It didn't say  under what circumstances they make that decision though.

It may be standard procedure, that its a thing done in private,  and
the de-facto
rule is   one  person  makes a recommendation,   and everyone almost always
agrees,

Or  "default is Yes";  unless someone can raises a specific objection.
So there's a lot of things that could mean <g>

> --srs
--
-JH



More information about the NANOG mailing list