How Not to Find and Report Security Problems

Have you ever discovered a security problem with a system foreign to your network? If so, how did you find that problem, and how did you handle the discovered information? Did you find the problem with a port scan and subsequent probes, or did you discover something about a site's use of Web forms? Did you report the problem to the site operator, post it publicly, or notify the media first? Did you offer to help fix the problem for a fee?

Many different situations can occur when you discover a security risk, and staying out of trouble isn't always easy, especially if you intend to profit from your work. A good example is the true story of a young man who was arrested last year for port scanning. About a year ago, I received a phone call from an attorney who wanted me to testify as an expert witness on behalf of his young client who was being prosecuted under computer crime laws somewhere in the United States. Apparently, the young man had tested the basic security of an ISP without its written consent, and the ISP didn't take the incident lightly. The man was a developer tasked with putting a site online and ensuring that site's security. To do so, he thought it would be prudent to perform a simple port scan of the ISP's network from the outside looking in. Seems harmless enough, doesn't it? Well, the ISP didn't see the situation that way.

After the man initiated the port scan, the ISP's monitoring systems noticed the activity and alerted the security team, which promptly contacted the young man to find out his motives. The man explained his situation and assured the ISP that he was only trying to learn what the basic exposure of his client's site was as it sat inside the ISP's network. The ISP took note of his comments and ended the call; the man thought nothing more of the incident. However, soon after, the ISP pressed criminal charges against the man for performing the unauthorized port scan. He wound up in jail, and his equipment was confiscated.

I don't know how the case turned out because, for various reasons, I didn't testify on his behalf, but I want to point out this case to demonstrate how touchy some network operators are about their networks' security. And frankly, I don't blame them. But I do think this particular ISP grossly overreacted to an apparent case of simple port scanning. To me, infrequent port scanning isn't any different from walking down the street to see whether anyone left a door or window open. To further that analogy, I think it's OK to look, but we shouldn't go inside unless invited. But sometimes the temptation proves too great, people intrude anyway, and it usually leads to trouble.

Every few months, I receive email messages that point out a problem someone has discovered in another person's system, usually in reference to a public Web site. Most of the time, the details I receive attempt to prove the discovered problem is exploitable: a link is usually included that I can test myself. But I'm always hesitant to try such links because they can lead to unwanted trouble. I'm more inclined to contact the site operators and explain what I know about the matter. But some people, once they receive such information privately or from a public site, can't resist the temptation to peek inside a system. Is that a wise thing to do? I can understand the temptation to verify a problem, but if it's not on your system, maybe it's not such a good idea to poke around uninvited. Another case in point: Wyndham International, a giant hotel chain, was recently discovered to have a huge security problem with its Web site.

The Arizona Republic newspaper ran a story about Wyndham last week. A man trespassed into the company's public Web site after finding a security problem with that site's Web forms. The man discovered that he could view other people's private account information by simply changing an account number on a Web form and resubmitting it to the server. It's an age-old oversight, the server trusting an account number supplied by the browser instead of checking it against the user it has actually authenticated, and it apparently still afflicts many aspiring Web developers.
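The following is an added example, not code from the column or from Wyndham's site, showing the flaw in the simplest form that matches the description above, beside the fix. The account store, user names and form fields are all constructed for the demonstration; the handlers stand in for whatever server-side code actually serviced the form.

```python
# Added example (not from the column): an insecure direct object reference
# of the kind described above, alongside the fix. All data is constructed.

# Constructed account store: account number -> owner login and private data.
ACCOUNTS = {
    "1001": {"owner": "alice", "name": "Alice Example", "card_last4": "4242"},
    "1002": {"owner": "bob",   "name": "Bob Example",   "card_last4": "0005"},
}


class AccessDenied(Exception):
    """Raised when the logged-in user does not own the requested account."""


def view_account_vulnerable(session_user, form):
    """The flawed pattern: the server trusts the account number from the form.

    Any logged-in user who edits the field (or resubmits the request with a
    different number) reads someone else's record. session_user is never
    consulted, which is exactly the bug.
    """
    acct = form["account"]
    record = ACCOUNTS[acct]          # no ownership check at all
    return {"account": acct, "name": record["name"],
            "card_last4": record["card_last4"]}


def view_account_fixed(session_user, form):
    """The fix: authorize the object against the server-side session.

    The account number is still read from the request, but it is honoured only
    if the record's owner is the user the server already authenticated.
    """
    acct = form.get("account", "")
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session_user:
        # Same error for "does not exist" and "not yours", so a tampering
        # user cannot enumerate valid account numbers from the response.
        raise AccessDenied("account not found")
    return {"account": acct, "name": record["name"],
            "card_last4": record["card_last4"]}


def tamper_demo():
    """Bob resubmits the form with Alice's account number.

    Returns (what the vulnerable handler leaked, whether the fixed handler
    refused the request).
    """
    tampered = {"account": "1001"}   # Bob's session, Alice's account number
    leaked = view_account_vulnerable("bob", tampered)
    try:
        view_account_fixed("bob", tampered)
        blocked = False
    except AccessDenied:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = tamper_demo()
    print("vulnerable handler leaked:", leaked)
    print("fixed handler blocked tampering:", blocked)
```

The check belongs on every request that names an object, not just the first page load: a hidden field, a query-string parameter, or a cookie value are all equally under the visitor's control. A stricter variant is to not accept the account number from the client at all and instead resolve the account list from the session user on the server, which removes the parameter a visitor could tamper with in the first place.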

According to the news report, upon learning of this vulnerability the man sent email to Wyndham, which read in part, "Want to know how I did it, and how I can help you fix this problem with no press and no legal fees? The purpose of this email is not to hold any of your dta (sic) hostage, as I don't care who your customers are, although I'm sure (sic) your competition does. What if any other hotel chain gets a hold of this data?" Not very smart, was it? After receiving the email, Wyndham contacted the FBI, who then arrested the man and confiscated all of his computer equipment.

I think it's natural for someone to think that a company might pay an unsolicited discoverer to help plug a security hole. But that rarely happens, so forget about it!

Before I sign off this week, I want to let you know that over the past few weeks, I've received feedback that asked whether I know about any personal firewall comparative reviews, and as it turns out, I do. Sean Boran wrote a comparative review for SecurityPortal that covers numerous personal firewalls and intrusion-detection systems. Be sure to take a look—it's good stuff. Until next time, have a great week.

TAGS: Security