Troy Hunt is a cyber security expert and creator of the popular website Have I Been Pwned. I do read his blog and listen to his podcast in which he mainly discusses cyber security (obviously) but also discusses some life events and hobbies.
YouTube recommended a presentation to me that he gave at AusCERT2017 about responsible disclosure. It’s actually an interesting topic: some companies are very welcoming to people who report security vulnerabilities, whereas others are very distrustful and may threaten to sue.
You can watch the presentation in full:
AusCERT2017 Day 1 Troy Hunt: The Responsibility of Disclosure
Otherwise, here is a summary of the presentation.
He begins by telling a story of how someone found a security vulnerability on a website, extracted loads of data, and used some of the login credentials to log in. He filmed it all and put it on YouTube. He got arrested.
Even though someone like that could claim not to be malicious, he would clearly have violated laws such as the Computer Misuse Act.
- So how can you investigate a security flaw?
- How can you disclose it?
- Where is the line between being responsible and irresponsible?
Troy has a “Sinéad O’Connor” test. Enter her name in a data entry field on the website. If the apostrophe in the name gives you an SQL error, you know the input is reaching the database query unescaped, so the site is prone to SQL injection. You don’t need to go any further and actually carry out the attack, illegally accessing data to prove it.
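The mechanism behind that test, as an added example that is not from the presentation or the original post: a lookup built by string concatenation (the defect the apostrophe exposes) next to the parameterised version, run against a constructed in-memory SQLite table, with a small check that reports which of the two lets user input reach the SQL parser.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not real user records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("Alice",), ("Sinéad O'Connor",)])
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Builds the SQL text by concatenation. The apostrophe in the name ends
    the string literal early, so the engine raises a syntax error: exactly the
    symptom the 'Sinéad O'Connor' test looks for. Shown for contrast only."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterised query: the value travels separately from the SQL text,
    so an apostrophe is just data and the lookup succeeds."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def oconnor_test(conn, lookup):
    """Return True if the lookup raises a database error on the test name,
    i.e. unescaped input is reaching the SQL parser (a bug to fix, not a
    reason to probe further)."""
    try:
        lookup(conn, "Sinéad O'Connor")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("concatenated query fails the test:", oconnor_test(db, lookup_unsafe))
    print("parameterised query passes:", not oconnor_test(db, lookup_safe))
```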
If you grab 1 record, the company is obligated to disclose this to the user whose data was exposed. If someone takes 10,000 records, it’s a bigger problem and far more inconvenient for the company. A single unauthorised access to one record is enough to illustrate the point; accessing more than you need is more likely to be met with a negative response and possible legal action.
He then goes through some more notable examples and attitudes to the disclosure:
PayAsUGym got breached and ignored the hacker. Although the hacker was trying to extort money, by ignoring them completely, PayAsUGym had no idea how bad the breach was. Initiating the dialogue could have at least given them more information to attempt to limit the damage.
Cloud Pets had a security flaw in their toy, but also had a publicly exposed MongoDB database which attackers wiped and held to ransom. Later on, when journalists contacted the owner, he responded:
“you don’t respond to some random person about a data breach”
(Spiral Toys CEO)
As Troy says, random people are exactly the people that will tell you about a problem.
Australian Red Cross Blood Service disclosed their breach very quickly, put out communication through multiple channels, and apologised. Troy was impressed with this response. The cause was a third party who placed backups on a public-facing server, so they could easily have downplayed it or passed the blame.
For more information, Troy also has a blog post about disclosures, including the Cloud Pets example.