Cybersecurity Research Consequences
19 minute read | Last updated 7-Feb-2019 | 
Security
Mornings With Mark no. 0160
Watch the episode on YouTube
Join the discussion on LinkedIn
Share on Twitter
Bad Robot Transcript
Morning, everybody. How you doing today on this episode of the show. I want to look at some of the legal aspects are legal consequences of conducting security research that you might not be aware of. Now before we go any further. I want to cover two quick things really really quickly the first I’m not a lawyer.
I think I’m up to speed on laws that impact computers and system usage and cybercrime around the world. I covered that in my Graduate Studies in this have stayed up to date ever since the end of the day. I am not a lawyer. The second is that the basis of this topic is coming from a report from a site called SEC juice.com.
This is a one instance of this report of the story. I haven’t seen corroboration, but the digging on social media everything does seem to line up when it seems authentic. But again, I haven’t seen that sort of additional corroboration. I haven’t dealt with his outlook before so we’ll take everything with a grain of salt and treated all his alleged activity and a hypothetical but that doesn’t Change the point of what I want to talk to you about on this show.
Now first the story and of course, I’m going to link to it in the description so you can read it yourself, but it basically goes like this to enterprising security researchers based in the EU were surfing Showdown something caught their eye and they dug deeper lo and behold what they find is a network of products from a company called atrient.
Now, it makes kiosks that are primarily sold to gambling and entertainment physical properties in order to manage loyalty program so you can go up in badge and it says, you know Mark you’ve got ten thousand fifteen will give you free tickets to the show tonight. I’m something along those lines so attracts a lot of sensitive information in their place near throat physical properties at the client’s location now the researchers and they found a whole bunch of wrong.
It’s really the best way to put it information is being transmitted in the clear. They could identify specific kiosk there appeared to be an API. Writable there’s a whole bunch of security challenges here and they raise their hand with the vendor and tried to say hey, we found some of these things we’d like to responsibly disclose them.
So for as a reminder responsible disclosure is essentially researchers working with the affected organization on a specific time line normally about 90 days to get the issue resolved before the information goes public. So essentially giving the company time to respond so that when the information comes out in whether that’s in a cve bulletins or come in front of building exposure bulletin or as a talk customers and organizations are either already patched working quickly grab the passion and fix themselves so that the disclosure does actually create more harm.
So the researchers try to get the company’s attention didn’t work couldn’t get anybody answering basically got the cold shoulder. They went as far as leaving a message on an FTP server solo riding a file to FTP server to get the admins to call them back about the issue will get back that key Point later in this story.
Give me cold shoulder be frustrated trying to do the right thing and I truly believe they were trying to do the right thing. They reached out to the editor at Tech juice. And I said, hey, can you help here? They went out on social media. Social media post a bow.
Story being written got the attention of the FBI in their Fusion unit of the fusion unit is designed specifically stepping in situations like this where there’s researchers with positive intentions for trying to help a company fix their security in a company doesn’t want any part of it Wheels turn FBI gets on a call with everybody involved on seems like a company’s taking it seriously and they say hey researchers, let’s take this offline so that we can get some legal paperwork behind here and discuss and maybe some compensation.
So that happens and then from there on out the researchers as pancake. This is great security companies doing the right thing. We’re going to see some monetary upside, which is great as well as But the company continues to ignore them give him the cold shoulder. It ends up in the researchers confronting the company at an event an alleged assault which may or may not have happened really depending on your definition of assault.
But again wasn’t there in a lawyer can speak to it and then now the company legally threatening action against the researchers. Now what I want to talk about in this episode though was that this is par for the course is a risk that a lot of researchers are taking they are trying to do the right thing.
They’re trying to responsibly disclose it for the most part. We’ve seen examples where people are not trying to do that are just trying to gain notoriety but they the most part when people are out in the public announcer on the white hat side of the equation they’re trying to do the right thing or try to help companies make better products customers to be protected a man to gain some credibility as a researcher in the industry the challenges unless there’s a published bug Bounty program laying out permissions.
They may in fact be breaking the law by conducting this type of research. This is why Call Donnie’s exist as wife third party organizations. I can help broker that relationship to help ease these illegal tensions and again, not a lawyer but we’re looking at the law in the UK and the Computer Fraud and Abuse Act.
Very similar language that basically says it’s illegal to use a computer or a computer system in any unauthorized manner. They don’t speak at all to the security of those systems to research exemptions to educational exemptions. It’s a flat-out. You cannot use a computer in a way that’s not authorized now authorization based on case law is determined by the people who owned the system which is why when you login you’ll see banners in the survey responses that say Hey, you need to be an authorized user on an employee of X.
And when you login sometimes the windows used to get that dialogue that is like a Government system Bubba Bubba Bubba D’s are all reminders and more legal than security to be able to point to say Hey, you knew what authorized usage was and you went beyond it is why we have terms of service is why we have user user license agreement to this potential misuse now reading through what the researchers did and the information they gathered is clear that they went further than just a simple packet to an IP address to see if it was online like a showdown.
That’s right. Shouldn’t pigs all these IP addresses and record the banner responses. It’s clear that in their own admission writing a file to the FTP the dam now access deeper into the systems and where that line is from a security researcher perspective is really hard to judge serve a case-by-case ethical or moral decision of how far you can probe into a system to see if it’s vulnerable or from the Lost perspective.
It’s Crystal Clear unauthorised use is anybody using the system in a way that the company who owns Under the Pier? Didn’t authorize ahead of time I am so you probably from the outside and then writing files to their system is in my opinion a clear on authorized use which is why exactly we have pentesting as a service.
We have been testing as an industry and there are clear contacts to identify the people doing the penetration testing. So they don’t fall under this exact legal challenge because now we have these researchers you were trying to do the best thing and that is my belief based on their their previous work based on the responses are social but what I wanted to highlight and why I’m making this video is because the responses I’m seeing on Twitter in the discussion around this everybody is siding with the researchers, which I totally get their trying to do a good thing and it’s easy to vilify corporations, but at the end of the day these researchers might be in serious significant legal trouble just because you found something at the hey, look we’re trying to help you doesn’t mean somebody needs to receive help and we’re seeing this unfortunately decently often wear companies have a negative reaction to this kind of vulnerability disclosure because when you take off your meal Set a timer for a minute and answer put yourself in the company’s perspective.
This is a danger to their business model. They are selling to some very I’m risk-adverse and security aware customers and from the tech report server believe they’ve got a crap job of it right is an absolute house of cards that can just be poked over and everything to Fall to Pieces because I’m sure the casinos do not want to explain to their customers why their private activity is being broadcast over the internet in the clear.
So this is a fundamental risk to the business model Here Comes ease to unknown researchers who say hey, we have good intentions trust us hears everything that’s wrong with your business. And if it leaks it could be absolutely catastrophic. Of course, the business is going to be very very defensive.
It’s rare that somebody company culture would allow the fortitude to say who you’re right. Let’s do the right thing here. They’re going to want to try to silence. Hopefully they silenced at me like a will pay you some money will sign some legal paperwork so that you can’t go speak about this not come back and attack but it is a risk and that’s what I wanted to raise.
Is that based on the letter of the This could be a risk for security researchers. It’s so even though they’re in the EU. This company is based in the states in the US law is pretty darn clear. We’ve seen some absolutely horrendous consequences based on walks with the Law’s the law until it changes.
This is what we have to deal with and how to change that to whole another thing. I wanted to create this video based on this event really did get this discussion going and I think it’s been massive stride, but I think we need to keep talking about it specially with coffin season starting up again.
I’d love to see this as a regular topic of discussion and saying that looks getting kicked off. Hit me up online at Mark NCAA in the comments down below and as always by email Mark and I’ll be at Mark n. CA tell me what you think. How are your experiences? What do you think of this issue? Let’s keep this discussion going.
Let’s take it to the next level and let’s try to get research on going and I’m in a much smoother Manor for everybody involved help raise everybody up by sharing our knowledge. So have a fantastic day and we’ll see you on the show. Morning, everybody. How you doing today on this episode of the show.
I want to look at some of the legal aspects are legal consequences of conducting security research that you might not be aware of. Now before we go any further. I want to cover two quick things really really quickly the first I’m not a lawyer. I think I’m up to speed on laws that impact computers and system usage and cybercrime around the world.
I covered that in my Graduate Studies in this have stayed up to date ever since the end of the day. I am not a lawyer. The second is that the basis of this topic is coming from a report from a site called SEC juice.com. This is a one instance of this report of the story.
I haven’t seen corroboration, but the digging on social media everything does seem to line up when it seems authentic. But again, I haven’t seen that sort of additional corroboration. I haven’t dealt with his outlook before so we’ll take everything with a grain of salt and treated all his alleged activity and a hypothetical but that doesn’t Change the point of what I want to talk to you about on this show.
Now first the story and of course, I’m going to link to it in the description so you can read it yourself, but it basically goes like this to enterprising security researchers based in the EU were surfing Showdown something caught their eye and they dug deeper lo and behold what they find is a network of products from a company called atrient.
Now, it makes kiosks that are primarily sold to gambling and entertainment physical properties in order to manage loyalty program so you can go up in badge and it says, you know Mark you’ve got ten thousand fifteen will give you free tickets to the show tonight. I’m something along those lines so attracts a lot of sensitive information in their place near throat physical properties at the client’s location now the researchers and they found a whole bunch of wrong.
It’s really the best way to put it information is being transmitted in the clear. They could identify specific kiosk there appeared to be an API. Writable there’s a whole bunch of security challenges here and they raise their hand with the vendor and tried to say hey, we found some of these things we’d like to responsibly disclose them.
So for as a reminder responsible disclosure is essentially researchers working with the affected organization on a specific time line normally about 90 days to get the issue resolved before the information goes public. So essentially giving the company time to respond so that when the information comes out in whether that’s in a cve bulletins or come in front of building exposure bulletin or as a talk customers and organizations are either already patched working quickly grab the passion and fix themselves so that the disclosure does actually create more harm.
So the researchers try to get the company’s attention didn’t work couldn’t get anybody answering basically got the cold shoulder. They went as far as leaving a message on an FTP server solo riding a file to FTP server to get the admins to call them back about the issue will get back that key Point later in this story.
Give me cold shoulder be frustrated trying to do the right thing and I truly believe they were trying to do the right thing. They reached out to the editor at Tech juice. And I said, hey, can you help here? They went out on social media. Social media post a bow.
Story being written got the attention of the FBI in their Fusion unit of the fusion unit is designed specifically stepping in situations like this where there’s researchers with positive intentions for trying to help a company fix their security in a company doesn’t want any part of it Wheels turn FBI gets on a call with everybody involved on seems like a company’s taking it seriously and they say hey researchers, let’s take this offline so that we can get some legal paperwork behind here and discuss and maybe some compensation.
So that happens and then from there on out the researchers as pancake. This is great security companies doing the right thing. We’re going to see some monetary upside, which is great as well as But the company continues to ignore them give him the cold shoulder. It ends up in the researchers confronting the company at an event an alleged assault which may or may not have happened really depending on your definition of assault.
But again wasn’t there in a lawyer can speak to it and then now the company legally threatening action against the researchers. Now what I want to talk about in this episode though was that this is par for the course is a risk that a lot of researchers are taking they are trying to do the right thing.
They’re trying to responsibly disclose it for the most part. We’ve seen examples where people are not trying to do that are just trying to gain notoriety but they the most part when people are out in the public announcer on the white hat side of the equation they’re trying to do the right thing or try to help companies make better products customers to be protected a man to gain some credibility as a researcher in the industry the challenges unless there’s a published bug Bounty program laying out permissions.
They may in fact be breaking the law by conducting this type of research. This is why Call Donnie’s exist as wife third party organizations. I can help broker that relationship to help ease these illegal tensions and again, not a lawyer but we’re looking at the law in the UK and the Computer Fraud and Abuse Act.
Very similar language that basically says it’s illegal to use a computer or a computer system in any unauthorized manner. They don’t speak at all to the security of those systems to research exemptions to educational exemptions. It’s a flat-out. You cannot use a computer in a way that’s not authorized now authorization based on case law is determined by the people who owned the system which is why when you login you’ll see banners in the survey responses that say Hey, you need to be an authorized user on an employee of X.
And when you login sometimes the windows used to get that dialogue that is like a Government system Bubba Bubba Bubba D’s are all reminders and more legal than security to be able to point to say Hey, you knew what authorized usage was and you went beyond it is why we have terms of service is why we have user user license agreement to this potential misuse now reading through what the researchers did and the information they gathered is clear that they went further than just a simple packet to an IP address to see if it was online like a showdown.
That’s right. Shouldn’t pigs all these IP addresses and record the banner responses. It’s clear that in their own admission writing a file to the FTP the dam now access deeper into the systems and where that line is from a security researcher perspective is really hard to judge serve a case-by-case ethical or moral decision of how far you can probe into a system to see if it’s vulnerable or from the Lost perspective.
It’s Crystal Clear unauthorised use is anybody using the system in a way that the company who owns Under the Pier? Didn’t authorize ahead of time I am so you probably from the outside and then writing files to their system is in my opinion a clear on authorized use which is why exactly we have pentesting as a service.
We have been testing as an industry and there are clear contacts to identify the people doing the penetration testing. So they don’t fall under this exact legal challenge because now we have these researchers you were trying to do the best thing and that is my belief based on their their previous work based on the responses are social but what I wanted to highlight and why I’m making this video is because the responses I’m seeing on Twitter in the discussion around this everybody is siding with the researchers, which I totally get their trying to do a good thing and it’s easy to vilify corporations, but at the end of the day these researchers might be in serious significant legal trouble just because you found something at the hey, look we’re trying to help you doesn’t mean somebody needs to receive help and we’re seeing this unfortunately decently often wear companies have a negative reaction to this kind of vulnerability disclosure because when you take off your meal Set a timer for a minute and answer put yourself in the company’s perspective.
This is a danger to their business model. They are selling to some very I’m risk-adverse and security aware customers and from the tech report server believe they’ve got a crap job of it right is an absolute house of cards that can just be poked over and everything to Fall to Pieces because I’m sure the casinos do not want to explain to their customers why their private activity is being broadcast over the internet in the clear.
So this is a fundamental risk to the business model Here Comes ease to unknown researchers who say hey, we have good intentions trust us hears everything that’s wrong with your business. And if it leaks it could be absolutely catastrophic. Of course, the business is going to be very very defensive.
It’s rare that somebody company culture would allow the fortitude to say who you’re right. Let’s do the right thing here. They’re going to want to try to silence. Hopefully they silenced at me like a will pay you some money will sign some legal paperwork so that you can’t go speak about this not come back and attack but it is a risk and that’s what I wanted to raise.
Is that based on the letter of the This could be a risk for security researchers. It’s so even though they’re in the EU. This company is based in the states in the US law is pretty darn clear. We’ve seen some absolutely horrendous consequences based on walks with the Law’s the law until it changes.
This is what we have to deal with and how to change that to whole another thing. I wanted to create this video based on this event really did get this discussion going and I think it’s been massive stride, but I think we need to keep talking about it specially with coffin season starting up again.
I’d love to see this as a regular topic of discussion and saying that looks getting kicked off. Hit me up online at Mark NCAA in the comments down below and as always by email Mark and I’ll be at Mark n. CA tell me what you think. How are your experiences? What do you think of this issue? Let’s keep this discussion going.
Let’s take it to the next level and let’s try to get research on going and I’m in a much smoother Manor for everybody involved help raise everybody up by sharing our knowledge. So have a fantastic day and we’ll see you on the show.
