Free Republic
News/Activism
Breach case could curtail Web flaw finders
SecurityFocus | 26 April 2006 | Robert Lemos

Posted on 04/27/2006 9:27:52 AM PDT by APRPEH

Security researchers and legal experts have voiced concern this week over the prosecution of an information-technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission.

Last Thursday, the U.S. Attorney's Office in the Central District of California leveled a single charge of computer intrusion against San Diego-based information-technology professional Eric McCarty, alleging that he used a Web exploit to illegally access an online application system for prospective students of the University of Southern California last June. The security issue--which could have allowed an attacker to manipulate a database of some 275,000 USC student and applicant records--was reported to SecurityFocus that same month. An article was published after the university was notified of the issue and fixed the vulnerable Web application.

The prosecution of the IT professional who found the flaw shows that security researchers have to be increasingly careful of the legal minefield they enter when reporting vulnerabilities, said Lee Tien, senior staff attorney for the Electronic Frontier Foundation, a digital-rights advocacy group.

"I think the bottom line is that anybody that does disclosures of security vulnerabilities has to be very careful (so as to) not be accused of being a hacker," Tien said. "The computer trespass laws are very, very tricky."

The case comes as reports of data breaches against corporations and universities are on the rise and could make security researchers less likely to bring flaws to the attention of Web sites, experts told SecurityFocus.

This week, the University of Texas at Austin stated that a data thief attacking from an Internet address in the Far East likely copied 197,000 personal records, many containing Social Security numbers. In September, a Massachusetts teenager was sentenced to 11 months in a juvenile detention facility for hacking into telecommunications provider T-Mobile and data collection firm Lexis-Nexis. And, in March, an unidentified hacker posted on the Business Week Online Web site instructions on how to hack into the admissions site of top business schools using a flaw in the ApplyYourself admissions program.

Eric McCarty, reached on Friday at the cell phone number published in the affidavit provided by the FBI in the case, said security researchers should take note that Web sites would rather be insecure than have flaws pointed out.

"Keep them to yourself--being a good guy gets you prosecuted," McCarty said during the interview. "I can say honestly that I am no longer interested in assisting anyone with their vulnerabilities."

McCarty confirmed that he had contacted SecurityFocus in June, offered information about the means of contact as proof, and waived the initial agreement between himself and this reporter to not be named in subsequent articles.

When the FBI came knocking in August, McCarty had told them everything, believing he had nothing to hide, he said.

"The case is cut and dried," McCarty said. "The logs are all there and I never attempted to hide or not disclose anything. I found the vulnerability, and I reported it to them (USC) to try to prevent identity theft."

McCarty admitted he had accessed the database at the University of Southern California, but stressed that he had only copied a small number of records to prove the vulnerability existed. The FBI's affidavit, which states that a file with seven records from the database was found on McCarty's computer, does not claim that the IT professional attempted to use the personal records for any other purpose.

To other security researchers, the case underscores the asymmetric legal power of Web sites in confronting flaw finders: Because finding any vulnerability in a server online necessarily means that the researcher had exceeded authorization, the flaw finder has to rely on the mercy of the site when reporting, said HD Moore, a noted researcher and co-founder of the Metasploit Project.

"It is just a crappy situation in general right now," Moore said. "You have to count on the good will of the people running the site. There are cases when there are vulnerable Web sites out there, but unless you have an anonymous Web browser and a way to hide your logs, there is no way to report a vulnerability safely."

Moore points to McCarty's case and the case of Daniel Cuthbert--who fell afoul of British law when he checked out the security of a charity Web site by attempting to access top-level directories on the Web server--as warnings to researchers to leave Web sites alone. In October, Cuthbert was convicted of breaking the Computer Misuse Act, fined £400, and ordered to pay £600 in restitution.

Other researchers should be ready to pay as well, Moore said. Anyone who affects the performance of a server on the Internet could find themselves in court, he said.

"Even if you look at the port scanning stuff--which is not technically illegal--if you knock down the server in the process of port scanning it, then you are liable for all the damages of it being down," Moore said.

Such legal issues are one reason for not testing Web sites at all, said security researcher David Aitel, chief technology officer of security services firm Immunity.

"We don't do research on Web sites," Aitel said, adding that the increasing reliance of programs on communicating with other programs has made avoiding Web applications more difficult. "The more your applications are interconnected the more difficult it is to get permission to do vulnerability research."

Moreover, such a legal landscape does not benefit the Internet companies, Aitel stressed. While companies may prefer to not know about a vulnerability rather than have it publicly reported, just because a vulnerability is not disclosed does not mean that the Web site is not threatened.

"If this is an SQL injection flaw that Eric McCarty can find by typing something into his Web browser then it is retarded to think that no one else could do that," Aitel said.

The U.S. Attorney's Office alleges that McCarty's actions caused the university to shutter its system for ten days, resulting in $140,000 in damages. The university had provided investigators with an Internet address which had suspiciously accessed the application system multiple times in a single hour, according to the affidavit provided by the FBI in the case. The information allowed the FBI to execute a search warrant against McCarty, discover the names of his accounts on Google's Gmail and subpoena those records from the Internet giant, the court document stated. Among the e-mails were messages sent from an account--"ihackedusc@gmail.com"--to SecurityFocus detailing the vulnerability, according to the affidavit.

The U.S. Attorney's Office declined to comment for this article. A representative of the University of Southern California also declined to comment except to say that the school is cooperating with the investigation.

"It wasn't that he could access the database and showed that it could be bypassed," Michael Zweiback, an assistant U.S. Attorney for the U.S. Department of Justice's cybercrime and intellectual property crimes section, said last week after his office announced the charge. "He went beyond that and gained additional information regarding the personal records of the applicant. If you do that, you are going to face--like he does--prosecution."

The case has aspects similar to the prosecution of Adrian Lamo, dubbed the Homeless Hacker, for breaching systems at the New York Times. Lamo would frequently seek out vulnerabilities in online systems, exploit the vulnerabilities to gain proof of the flaws and then contact the company--and a reporter--to help close the security hole. In 2004, Lamo pleaded guilty to compromising the New York Times network, served six months under house arrest and had to pay $65,000 in restitution.

In the University of Southern California case, McCarty identified the vulnerability in the USC system when he decided to apply to the school and, before registering, used a common class of flaws known as structured query language (SQL) injection to test the site, he said during last week's interview. Such attacks exploit a flaw in the code that processes user input on a Web site. In the USC case, special code could be entered into the username and password text boxes to retrieve applicants' records, according to the FBI's affidavit.
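An added illustration of the class of flaw the paragraph describes, not code from the article or from USC's system: a login query built by concatenating the username and password, beside the parameterized form a site should use, with a regression check an administrator can run against their own login handler. The applicant rows, column names and canary value are constructed, and Python's sqlite3 stands in for whatever database the real site used.

```python
import sqlite3

# Constructed sample data standing in for an applicant table (not USC's schema).
# Passwords are stored in the clear only to keep the example short.
APPLICANTS = [
    ("alice", "s3cret", "Alice Example", "000-00-0001"),
    ("bob", "hunter2", "Bob Example", "000-00-0002"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicant (username TEXT, password TEXT, name TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO applicant VALUES (?, ?, ?, ?)", APPLICANTS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so the user's text becomes SQL."""
    sql = (
        "SELECT name, ssn FROM applicant WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Fixed query text; the driver binds the values, so input is only ever data."""
    sql = "SELECT name, ssn FROM applicant WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# A canary credential that matches no account: in a concatenated query the quote
# ends the string literal and the remainder rewrites the WHERE clause, so rows
# come back for a login that should fail. A bound parameter cannot do that.
CANARY_PASSWORD = "x' OR '1'='1"


def login_resists_injection(login_fn):
    """Regression check: a correct login handler returns no rows for the canary."""
    conn = make_db()
    rows = login_fn(conn, "nobody", CANARY_PASSWORD)
    conn.close()
    return len(rows) == 0


if __name__ == "__main__":
    for fn in (login_vulnerable, login_parameterized):
        print(fn.__name__, "resists injection:", login_resists_injection(fn))
```

The same check belongs in a site's own test suite, where it fails the build the moment someone reintroduces string-built SQL in a login path.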

USC administrators initially claimed to SecurityFocus that an analysis of the system and log files indicated that only two database records could be retrieved using the SQL injection flaw. After additional records were provided to the administrators, the university acknowledged that the entire database was threatened by the flaw. The FBI's affidavit contains the e-mail that McCarty allegedly sent to SecurityFocus with two additional records from the database.

The events outlined in the affidavit indicated that McCarty tried to act responsibly, said Jennifer Granick, a cybercrime attorney and executive director of the Stanford Law School's Center for Internet and Society.

"Here is a guy who didn't use the information, he notified the school--albeit through a third party--what was he supposed to do differently?" Granick said. "It's a Catch-22 for the security researcher, because they have arguably broken a law in finding the flaw."

The case does underscore that researchers will have to become more savvy about dealing with the legal aspects of their craft, said David Endler, director of security research for 3Com subsidiary TippingPoint.

"Finding a vulnerability in a Web site is a bit different than finding a vulnerability in a product," Endler said. "You can do a lot of things to a product that won't affect users. You shouldn't poke around a Web site unless you have permission or have been hired to do it. ... It's just not worth it."

As the creator of two vulnerability-buying programs, Endler is familiar with the contorted legal issues that can sometimes face vulnerability researchers. He believes that cases such as McCarty's prosecution will likely lead to researchers either allying themselves with one of the flaw-bounty programs or declining to disclose any discoveries.

Already, the influence of corporate legal teams has reduced the significance of the vulnerability disclosure movement, Immunity's Aitel said.

"The peak of disclosure has long passed us," he said. "Who out there is really giving away bugs these days? The disclosure movement passed us by more than two years ago and people have gone underground with their bugs."

And having fewer security researchers looking over the shoulders of Web site administrators and Internet software makers will only mean less pressure to fix vulnerabilities and weaker security for sites on the Internet, said the EFF's Tien.

"There is an under-disclosure of vulnerabilities and weaknesses, and that is a bad thing for security, because the less people know about security problems, the less pressure is put on companies to improve security," Tien said.

Author's note: As described in the article, the FBI's affidavit supporting the charge against Eric McCarty of computer intrusion alleges that he was the source for an article published on SecurityFocus by the author. The author did not cooperate with the FBI's investigation nor was he asked to do so. In an interview conducted on Friday and in an e-mail exchange, McCarty provided proof that he was the author's source and waived the condition of anonymity that he requested for the original article.


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Government; News/Current Events
KEYWORDS: databreach; hacking; it; malware; onlinesecurity; spyware

Do-Gooders Will Be Prosecuted

1 posted on 04/27/2006 9:27:56 AM PDT by APRPEH

To: APRPEH

That kind of activity would get one in trouble with any organization. What an idiot.


2 posted on 04/27/2006 9:53:11 AM PDT by DonaldC

To: APRPEH; Dark Wing; Dog Gone

I feel safer knowing the FBI is on the job like this.


3 posted on 04/27/2006 9:54:50 AM PDT by Thud

To: zarf

ping


4 posted on 04/27/2006 10:03:40 AM PDT by APRPEH (You and I have a rendezvous with destiny.)

To: APRPEH
The U.S. Attorney's Office alleges that McCarty's actions caused the university to shutter its system for ten days, resulting in $140,000 in damages.

Sorry, having to fix a gaping security hole does not count as "damages". This is a textbook case of shooting the messenger. If anything, the students have a better case against the university for gross negligence in protecting their personal information.

5 posted on 04/27/2006 10:11:38 AM PDT by ThinkDifferent (Chloe rocks)

To: APRPEH

"White hat" hackers live in a strange limbo and need to be prepared for the idea that they might not be appreciated. Nobody tries to sneak into a bank vault under the guise of trying to help their security. Hacking is hacking and it's still a form of unlawful entry.


6 posted on 04/27/2006 10:14:56 AM PDT by discostu (raise your glass of beer on high, and seal your fate forever)

To: discostu; APRPEH

"White hat" hackers live in a strange limbo and need to be prepared for the idea that they might not be appretiated(Sic). Nobody tries to sneak into a bank vault under the guise of trying to help their security. Hacking is hacking and it's still a form of unlawful entry.

6 posted on 04/27/2006 11:14:56 AM MDT by discostu

Hacking is programming without documentation.

Unlawful entry is just that: unlawful entry.

I should be charged with a crime if I tell you that you failed to lock your front door?

Get Root !


7 posted on 04/27/2006 10:23:56 AM PDT by Uri’el-2012 (Hosea 6:6 For I desire mercy, not sacrifice, and acknowledgment of God rather than burnt offerings)

To: discostu
Nobody tries to sneak into a bank vault under the guise of trying to help their security. Hacking is hacking and it's still a form of unlawful entry.

But banks don't typically leave their vaults unguarded and unattended. If they did, I'm sure there would be more people seeing if they could take a peek.

While I see the point you're trying to make, I disagree. If one "white hat" hacker can get into a computer, it means that plenty of people with less honorable intentions can also do it. Sandboxing to attempt to find vulnerabilities is a valid way to poke around, and needs to happen. But with the amount of sensitive data out there that's one step away from getting into the proverbial "wrong hands," I'm all for people being allowed to poke around. The bad guys are still going to be hacking; if the good guys give up trying, it won't be long before more episodes like what happened at UT spring up.
8 posted on 04/27/2006 10:25:22 AM PDT by faloi

To: APRPEH
How can I explain to the cops that I was on the roof of the bank at night prying open their skylight because it didn't seem secure enough to me?
9 posted on 04/27/2006 10:26:30 AM PDT by KarlInOhio (Congress, since you only understand Spanish here is my proposal: ¡Amnistía, no! ¡Deportación, sí!)

To: faloi
I am not a tech person but am involved in security. I totally agree with you here:
The bad guys are still going to be hacking, if the good guys give up trying it won't be long before more episodes like what happened at UT spring up.

I would also point out that if the systems are secure to start with, hackers and white hats would be out of business.

10 posted on 04/27/2006 10:28:13 AM PDT by APRPEH (You and I have a rendezvous with destiny.)

To: KarlInOhio

That would be trespassing. Do you trespass with your computer?


11 posted on 04/27/2006 10:29:36 AM PDT by APRPEH (You and I have a rendezvous with destiny.)

To: discostu
"White hat" hackers live in a strange limbo and need to be prepared for the idea that they might not be appreciated.

You're not a white hat if you're looking for vulnerabilities without permission.

Simple rule of thumb for the systems I manage, if you don't have permission in writing to attempt an exploit, you're hostile. Period.

12 posted on 04/27/2006 10:31:05 AM PDT by cryptical (Wretched excess is just barely enough.)

To: XeniaSt

You should be charged with a crime if you entered my house against my wishes to find out if my door is locked. That's trespassing regardless of your other activities.


13 posted on 04/27/2006 10:33:39 AM PDT by discostu (raise your glass of beer on high, and seal your fate forever)

To: faloi

Problem is the white hat hackers are still hackers and still entering computer systems without the owner's permission. It all sounds nice with them warning companies about their vulnerabilities but they're still hacking without permission or prior warning.


14 posted on 04/27/2006 10:35:53 AM PDT by discostu (raise your glass of beer on high, and seal your fate forever)

To: cryptical

That's how I look at it. I think everybody running a network should have some skillful hackers in their employ trying to break into the system, but everybody else is just another hacker and shouldn't be surprised when thought of accordingly.


15 posted on 04/27/2006 10:37:49 AM PDT by discostu (raise your glass of beer on high, and seal your fate forever)

To: APRPEH

bump


16 posted on 04/27/2006 10:38:47 AM PDT by VOA

To: discostu
If the operator of the computing system and database did not exercise "due diligence" for security and they were breached, that is negligence on their part.

Get Root !


17 posted on 04/27/2006 10:49:57 AM PDT by Uri’el-2012 (Hosea 6:6 For I desire mercy, not sacrifice, and acknowledgment of God rather than burnt offerings)

To: XeniaSt

So, that's between them and their employer. Doesn't change the fact that the hacker entered a system they did not own without the permission of the owners, that's illegal.


18 posted on 04/27/2006 10:52:41 AM PDT by discostu (raise your glass of beer on high, and seal your fate forever)

To: DonaldC
That kind of activity would get one in trouble with any organization. What an idiot.

This is pretty much like discovering that your neighbor's door lock is broken and telling him.

The only reason the University even knew he had been there was because he told them. They are so technically inept that they would never have been able to detect it themselves.

If he was smart, after discovering the vulnerability he would have sold the information to Russian hackers instead of informing the website administrator.

That way he'd have a few more bucks in his pocket and wouldn't be facing prosecution.

19 posted on 04/27/2006 10:56:33 AM PDT by E. Pluribus Unum (Islam Factoid:After forcing young girls to watch his men execute their fathers, Muhammad raped them.)

To: discostu
So, that's between them and their employer. Doesn't change the fact that the hacker entered a system they did not own without the permission of the owners, that's illegal.

The term you are searching for is Cracker.

To "Hack" is to program without documentation.

get Root !

20 posted on 04/27/2006 10:56:45 AM PDT by Uri’el-2012 (Hosea 6:6 For I desire mercy, not sacrifice, and acknowledgment of God rather than burnt offerings)