Among the hackers who trawl the Internet for vulnerable systems are a class of uninvited security researchers who uncover security flaws not to exploit them, but report them.
Various terms are used to describe such hackers: white hat, grey hat, or even “ethical hacker”.
The convention of referring to hat colours comes from old American cowboy movies where the good guys wore white hats, while the bad guys wore black hats.
In computer security, the term “black hat” is used to describe a hacker with malicious intent – someone who breaks into systems to destroy them or to steal data with the aim to profit from it.
“Grey hat” is a term that has emerged to describe a hacker who might break laws by accessing vulnerable systems without permission, but who does not have the malicious intent of a black hat.
White and grey hats who hunt for insecure systems on the Internet do so for a multitude of reasons.
Some are motivated by altruism. They know that for every one of them there are many more black hats doing exactly the same thing.
Others are mostly in it for the recognition, albeit for their online alias, or are hoping to find issues for which they can claim a bug bounty and earn some income.
Whatever the motivation that drives them, the principle is the same: find insecure systems and get the people responsible for the blunder to fix it.
Make it easy for hackers to notify you of security problems
A recent example of this practice publicly affecting a South African company was the disclosure of a security flaw in the online infrastructure of LogBox, a medical data start-up that is being adopted by hospitals and pathologists.
An anonymous security researcher, who goes by Anurag Sen on Twitter, discovered an exposed Elasticsearch database containing LogBox user access tokens.
Sen emailed LogBox using the only address the company published on its website and received a support ticket stating that LogBox had received his e-mail and would attend to it.
When Sen received no further response, they approached their media contacts with the story.
LogBox later told MyBroadband that its lack of response was due to human error. The support agent who received Sen’s email believed it to be a hoax or scam and disregarded it.
This is the first thing companies should address: make it easy for legitimate security researchers to contact you if they find a problem in your systems.
What to do when the media comes knocking
When TechCrunch published its article about the security vulnerability at LogBox, the company’s reaction was hasty and aggressive.
LogBox was bitterly unhappy with the way Sen and TechCrunch handled the disclosure.
It immediately told South African media who came asking about the report that the article was inaccurate and that it was “exploring legal remedies” against TechCrunch and Sen.
This raises two important points regarding how you respond to the involuntary disclosure of security vulnerabilities in your systems:
- As soon as the media gets involved, you need to accept that an article will be published with or without your input.
- Don’t shoot the messenger. People are starting to understand that security vulnerabilities happen to the best engineers, but if you respond negatively you risk inflaming a small incident into a media storm.
Journalists also have a responsibility to ensure that they report a vulnerability in a way that doesn’t unnecessarily expose people further. The industry nomenclature for this is coordinated disclosure. It is also sometimes called responsible disclosure.
In this regard, LogBox contends that TechCrunch behaved poorly.
The company said it asked TechCrunch for a one-day extension on its deadline to fully investigate the issue, close the security hole, and notify anyone who was affected.
When LogBox closed the misconfigured network port that caused the Elasticsearch database to be exposed to the Internet, TechCrunch took notice and published its article.
According to LogBox, TechCrunch said that since the vulnerability was closed, there was no reason to hold back the article any further.
However, LogBox argued that this was a bad assumption on TechCrunch’s part. How could it know that there wasn’t a deeper security issue that LogBox still needed to address?
MyBroadband asked TechCrunch for comment on LogBox’s statement, but it did not respond by the time of publication.
Advice from a professional hacker
MyBroadband asked the Head of SensePost at Orange Cyberdefense, Dominic White, what advice he would give to companies on the topic of coordinated disclosure.
White explained that as companies have moved to cloud infrastructure providers, so too have hackers.
Where hackers used to trawl the Internet for sensitive data uploaded to insecure webservers, they now search for exposed cloud services.
A few years ago, the low hanging fruit was unsecured Amazon S3 cloud object storage buckets. Nowadays, it is Elasticsearch databases.
White also explained that although hackers like Anurag Sen may be breaking laws in countries like South Africa and the United States to find potential data leaks like the one at LogBox, threatening them with legal action is unwise.
Not only does it risk inflaming a relatively small incident into a public relations nightmare, but it is also unlikely that you would see a successful prosecution.
Worse things than public disclosure
“Sen using the access tokens in the Elasticsearch database to actually get into the user accounts is where it steps over into unlawful territory, even though it shouldn’t be,” White said.
“I think the fact that we don’t have an exemption for security research done with the public good in mind, and done without harm beyond the harm of the original vulnerability, is problematic.”
South Africa had an opportunity to add in such an exception with the Cybercrimes Bill but squandered it.
The reason a hacker like Sen takes that extra step into doing something unlawful is to ensure that he has discovered something real and is not just wasting everybody’s time by trying to report it.
“His intent was very clearly to make LogBox aware of this issue,” White stated.
“It’s not ideal for LogBox that Sen went to the press, but how bad would it be if a less noble hacker simply downloaded the doctor and patient data, and sent LogBox a ransom note threatening to leak it unless they pay up?”
Having a security flaw reported in the press is probably the “second-least-worst” thing that could happen, White argued.
How to make it easy for hackers to report security vulnerabilities
To avoid a situation where a hacker needs to go to the press to get the attention of a vulnerable company, White offered the following practical advice:
- Take a look at the
security.txtstandard. In short, you place a file called security.txt on the root directory of your website with contact details for people to report security vulnerabilities.
- Have a “[email protected]…” e-mail alias.
- Publish the details of your security communication channels.
- Actually have someone who looks at those channels and responds in a timely fashion.
Regarding the issue of dealing with hoaxes and scams sent to inboxes dedicated for security, White said that it’s no different than monitoring any other public company email address.
“I haven’t heard reports of people getting inundated with hoaxes at their security mailboxes,” he said.
Another important issue is that if any of your company’s support channels receive anything security-related, they need to be trained to escalate it.
Even when it is tempting to dismiss something as a hoax due to poor grammar or spelling, it is better to have it escalated as a rule so that it can be validated.
“There are many people involved in information security for whom English is not their first language,” he said.
“A simple follow-up to someone who claims they have found a vulnerability is to provide you with a demonstration.”
Companies may also consider using services like HackerOne and other bug bounty platforms. This effectively lets you pay for your security mistakes with money rather than bad press.
White advised that companies who are considering using bug bounty programmes first commission a penetration test of their public-facing systems so that they don’t pay large sums of money for hackers to discover basic bugs that could have been easily avoided.
Never waste a good crisis
If you do find yourself in the situation where an embarrassing security vulnerability is going to be made public, White’s advice is to never waste a good crisis.
“If this is the thing that makes you realise that security is important, that’s great,” said White.
People can get defensive when something big goes wrong, but it is important to ask tough questions when it happens, he said.
“You need to ask who thought this was a good idea, and why, so that you know whether it’s necessary to send one person for training, or whether it’s a company-wide issue.”