Hello #infosec!
I'm researching the topic in light of a "leak" of the Luxembourgish parliament (documents not meant for the public were public if you knew the URL, as all documents were sequentially numbered; somebody stumbled onto it by using an automated downloader and later told the press about it).
some questions:
-is there a big difference between people stumbling onto vulnerabilities vs. "ethical hackers"/security researchers searching for them?
-should both groups be treated equally?
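The mistake described above, as an added example that is not code from the thread or from the parliament's site: a document store with sequential numeric IDs where the only check is that the record exists, next to a handler that checks the requester's role against the document's visibility. The document IDs, titles, role names and function names are all constructed for the illustration.

```javascript
// Added illustration, not code from the thread or from the parliament's site.
// Constructed in-memory document store: sequential numeric IDs, some documents
// marked internal. Names, IDs and visibilities are assumptions for the example.
const documents = new Map([
  [1001, { title: 'Plenary minutes', visibility: 'public', body: '...' }],
  [1002, { title: 'Commission report (internal)', visibility: 'internal', body: '...' }],
  [1003, { title: 'Budget annex', visibility: 'public', body: '...' }],
  [1004, { title: 'Personal data of a petitioner', visibility: 'internal', body: '...' }],
]);

// The mistaken handler: existence of the record is the only check, so anyone who
// guesses or iterates the number gets the document.
function fetchDocumentNoAuthz(id) {
  const doc = documents.get(id);
  return doc ? { status: 200, doc } : { status: 404 };
}

// Hardened handler: the requester's role is checked against the document's
// visibility on every request. Deny by default: any other visibility is refused.
function fetchDocumentWithAuthz(id, requester) {
  const doc = documents.get(id);
  if (!doc) return { status: 404 };
  const allowed =
    doc.visibility === 'public' ||
    (doc.visibility === 'internal' && requester.role === 'staff');
  return allowed ? { status: 200, doc } : { status: 403 };
}

// What an automated downloader effectively does: walk the number range and keep
// every ID that answers 200. Returns the titles of the non-public documents it got.
function enumerateRange(fetch, first, last, requester) {
  const leaked = [];
  for (let id = first; id <= last; id++) {
    const res = fetch(id, requester);
    if (res.status === 200 && res.doc.visibility !== 'public') leaked.push(res.doc.title);
  }
  return leaked;
}

// Example run with an anonymous requester against both handlers.
const anonymous = { role: 'anonymous' };
console.log('no authz :', enumerateRange(fetchDocumentNoAuthz, 1000, 1010, anonymous));
console.log('with authz:', enumerateRange(fetchDocumentWithAuthz, 1000, 1010, anonymous));
```

Note that making the IDs unguessable (random tokens instead of 1001, 1002, ...) would only hide the internal documents from a naive range walk; the actual fix is the per-request authorization check in the second handler, which holds even when a URL is shared or leaks.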
@jollysea first and foremost one should contact the vendor (LU parliament here) and try to alert them to this. Coordinate the disclosure with them.
#infosec
The documents were (as far as is known to the public by now) mostly reports from internal commissions, which one could argue should be public in the first place. Other documents had personal information, so really a mixed bag.
First, the LU Parliament reacted with "thank you press for disclosing this", but now they have filed legal charges (but one does not know who is targeted)
a lot of layers here, so I'm happy for your thoughts.
(if it's OK for you to be quoted in an article, signal it to me)
@jollysea
What "vulnerability" are you talking about? They were publishing documents they shouldn't have. A mistake, but no vulnerability or hacking. The documents were published for anyone to see. The fact that you have to know the name is not a security measure, and the realization that you can guess it is not hacking.
This is the same thing as if they put the printed documents somewhere in a public library, and all you needed to see them was to know on which shelf they are.
@deshipu @jollysea
leaving your mongodb port exposed to the internet is also a mistake.
It's offering a service you shouldn't offer.
Not checking password in your authentication code is also a mistake. It's letting in people that shouldn't be let in.
Are you going to say these things aren't vulnerabilities either?
If not, where do you draw a line?
@Wolf480pl @deshipu I don't think it's that interesting to discuss the semantics of "vulnerability", I'm happy to use another term if it's more appropriate.
my main point is "what's the best way to deal with this if you discover it" and "what's the best way to deal with such situations when you are the vendor/the one with the mistake/vulnerability"
@jollysea @Wolf480pl I would say the same thing you would do when you found such documents in a public library: either report it to the person in charge, or pretend you didn't see anything and move away quickly hoping nobody saw you (that is the safer option). The person in charge should then thank you for noticing the problem, secure the documents and amend the procedures to make sure it doesn't repeat. Possibly fire the person who did it, in the process of amending the procedure.
@Wolf480pl @jollysea Of course they are not vulnerabilities. They are bad decisions or mistakes in configuration.
@deshipu IMO the latter (e.g. if (goodhash = hash(pass)) instead of if (goodhash == hash(pass))) is a vulnerability, not a bad decision or mistake in configuration.
@Wolf480pl @jollysea The difference is that vulnerabilities are undocumented.
@deshipu oh, I'm sure everyone thoroughly documents every configuration mistake they make.
In this big spreadsheet where all their servers and their IP addresses are, they document every port they expose on each server, even if they expose it by mistake, right?
@Wolf480pl In other words, if you forget to lock your door, or leave your wallet at a train station, those are also vulnerabilities and you have been hacked?
@deshipu
well... no.
But if you forget to install a lock in your door, that is a vulnerability.
Actually, when you forget to lock your door, it is a vulnerability in your process of leaving home. The problem is not that you didn't lock the door, it's that you're likely to do it again, because you haven't developed a strong habit of closing the door.
@Wolf480pl Why leave home at all, that only creates vulnerabilities!
@deshipu that depends on your threat model.
@Wolf480pl My threat model is incompetent IT staff and journalists who call every mistake a hacking attempt and blame the person who stumbled upon it.
@deshipu well, IMO things like "I found a remote code execution in this internet-exposed server, didn't go deeper, reported the vulnerability" shouldn't be called hacking attempts either. And people who stumbled upon it shouldn't be blamed for it.
@Wolf480pl Except it's really hard to "stumble upon" a remote code execution flaw without specifically looking for it. It feels a little bit like your neighbor telling you that you forgot to lock the car parked by your garage, because he checked. Not really something that makes him seem trustworthy to me.
@deshipu that's not a good analogy, unless you have no fence around your house and your garage is wide open.
@Wolf480pl My garage is closed, but the car is parked in front of it.
@jollysea no, I don't think there's a big difference between security researchers finding such vulnerabilities in an organized way, and people "stumbling into them" (as far as ethics are concerned).
The crucial question is what happens later. Do they report it and coordinate disclosure with the vendor (or, in this case, people from the LU parliament)? Do they sell to the highest bidder? Do they exploit it for their own gain?
@jollysea of course there are additional layers possible here. If (say) LU Parliament was corrupt and there was a strong public interest in publishing these documents either way, perhaps that's the ethical course of action. All depends on the context.
But assuming no such public interest, coordinated disclosure is what should happen and what makes it ethical.
Now, another question is what happens if they report it and nothing happens for months? Should they go public with it or not? #infosec
#infosec
-the vulnerability was disclosed on twitter/to the press. My gut feeling and everything I read about RD says this wasn't a good idea? Not sure when the person knew it was a systemic vulnerability?
-What could/should be done to raise awareness what to do when you stumble upon such a "leak"?
-Do you see a difference between public institutions and private companies?