Gray Hat Hackers and the Gray Areas of Security Vulnerability Reporting

CybeRiskBlog, Cybersecurity

Gray Hat Hackers

While the criminal exploits of black hat hackers and the beneficial, officially sanctioned and/or independently commercial activities of white hat hackers gain a lot of attention and publicity, the work of those who ply their trade as independent security researchers and sometime contractors in the capacity of gray hats remains largely unsung – and often problematic.

Much of the difficulty lies in the fact that the work of so-called gray hat hackers is largely unauthorized. However well-meaning in intent or beneficial in effect, their activities may contravene the letter of the law, or run sufficiently contrary to its spirit that they complicate the disclosure process and hand the affected organization loopholes for avoiding the remedial actions that the research would seem to dictate.

Gray Hat Hackers – The Not So Great Thrill of Discovery

A “Gray Hat” Guide published by the Electronic Frontier Foundation poses the hypothetical dilemma of:

“A computer security researcher who has inadvertently violated the law during the course of her investigation [and] faces a dilemma when thinking about whether to notify a company about a problem she discovered in one of the company’s products. By reporting the security flaw, the researcher reveals that she may have committed unlawful activity, which might invite a lawsuit or criminal investigation. On the other hand, withholding information means a potentially serious security flaw may go unremedied.”

Not so hypothetical was the real-life drama from 2013, reported by the Canadian newspaper National Post. Ahmed Al-Khabaz, a 20-year-old student at Dawson College, gained unauthorized access to an IT system – on which he had earlier discovered and reported a software vulnerability – to check whether the problem had been remedied. His second benevolent hack was noticed by the software hosting company (Skytech Communications), which then notified Dawson College.

The result? Al-Khabaz was summarily expelled from the institution.

Reactions like this point to the ambiguous attitude held by institutional bodies with regard to the discovery and reporting of security flaws in their networks, computer systems, and infrastructure. On the one hand, knowing that vulnerabilities exist gives organizations the opportunity to take action to remediate them. On the other, the manner in which these weaknesses are brought to light may have consequences for the reputation or financial position of the institution – and legal implications for the researchers discovering the flaws, the institution, and its supply chain partners alike.

Gray Hat Hackers – The Legal Minefield

Existing legal frameworks certainly don’t encourage the gray hats to poke their heads above the parapet, or speak up. Security researchers may at any time find themselves in violation of any number of statutes, including copyright law, state and international laws, the U.S. Computer Fraud and Abuse Act, or the Anti-Circumvention Provisions of the Digital Millennium Copyright Act (DMCA).

Researchers may fall foul of any of these statutes through actions they perform while revealing security vulnerabilities – or they may become the targets of the very institutions that they’re trying to help, if officials of those organizations use interpretations of the laws to fire back rebuttals to the gray hat’s claims.

In such a precarious environment, gray hat hackers must often resort to indirect methods of reporting, to preserve their own legal positions.

Re-enacting the Crime

Having used unauthorized methods to access a system and discover flaws within it, the gray hat may, in order to protect himself or herself from reprisals, re-stage the discovery by setting up a replica system of their own under controlled conditions and re-enacting the steps that revealed the vulnerability. On the basis of this laboratory model, they can then disclose their findings with a reduced risk of exposure or prosecution.

Downplaying the Incident

Couching a security issue in general terms that describe the nature of the vulnerability, but without revealing the research path that led the gray hat to it, is another form of reporting that can shield researchers from the threat of prosecution or civil claims. The problem here is that the lack of specifics may lead to crucial aspects of the problem being overlooked – and there is no assurance that the problem will actually be fixed.

Employing a Whistle-Blower Surrogate

Using a lawyer or journalist as the broadcast medium for the security vulnerabilities revealed through unauthorized methods allows the gray hat’s research findings to be transmitted in their entirety, without revealing the identity of the researcher.

But with thorough forensic investigation, it’s still possible for organizations to infer the gray hat’s identity from clues in the published documents. And with a court order, or more draconian statutes in some jurisdictions empowering government agencies to demand full disclosure, even from lawyers, anonymity can’t really be guaranteed.

Gray Hat Hackers – Claiming the Bounty

One effective way around these complications is the establishment of “bug bounty” programs. Pioneered as a “Bugs Bounty” by the Netscape Communications Corporation in 1995, a vulnerability rewards program (VRP) or bug bounty is a scheme which rewards individuals for discovering and reporting software bugs. The program may be crowdsourced, or funded by an independent organization.

Large corporations such as Facebook, Google, Mozilla, Yahoo!, and Microsoft have bankrolled such schemes, paying out cash rewards to software security researchers and users who discover and report vulnerabilities with the potential to be exploited by more malicious hackers.

For the gray hats, these schemes can be a life-saver – and a source of viable income. Bug bounty payments have been increasing, with the most lucrative ones awarding researchers an average of $50,000 a month, and up to around $900,000 a year. Organizations like the Bugcrowd researcher community and the HackerOne Directory maintain comprehensive and updated lists of currently active bug bounty programs.

Policies for Vulnerability Reporting

To date, organizations really haven’t been helping themselves in the fight against cyber-assault and data breaches, because they have not made it easy to report security incidents and software or system vulnerabilities. In an environment where subscribers, customers, and security researchers alike may be in a position to spot potentially disastrous security flaws, there are few official policies or procedures in place for these third-party observers to make their findings known.

When an actual breach has occurred, this situation may be exacerbated by actual compromise to the corporate systems themselves. Mail systems may be glitchy or inaccessible, and formalized channels of reporting and complaint may not have “security incident” factored into their framework.

Even those organizations that do have a security response mechanism in place may not possess the resources or talent to act upon these notifications in a sufficiently timely or efficient manner. And the figures aren’t good: a 2015 survey of the Forbes Global 2000 companies confirmed that only 6 percent had a public method for reporting security vulnerabilities.

Small steps in this direction may be made by encouraging institutions to include a security notifications section on their websites and consumer touch points, and by establishing formalized procedures for incident response and vulnerability handling. Raising awareness that ISO standards for vulnerability disclosure (ISO 29147) and vulnerability handling processes (ISO 30111) already exist may also help. But the idealized vision of a “see something, say something” policy for security in every establishment remains a distant dream.

There’s also the continuing tendency for organizations to give a knee-jerk response to any suggestion that their security may have been compromised or put at risk – and threaten the messenger with legal action.

Gray Hat Hackers and the Case for a Better Legal Framework

While unauthorized research is by no means the end-all solution for discovering new system and software vulnerabilities, there’s considerable value to be had in the work of the gray hat hackers – enough to make it worth considering an alternative legal approach to their activities.

Computer offense and disclosure laws could be more narrowly drawn and more clearly set out, so as to allow some leeway for legitimate security researchers to act without the fear of reprisals. Rather than shooting the messenger, it should be possible to enforce lighter regulations which provide clear guidelines and permit the gray hat hackers to continue their work of safeguarding security and privacy.

CybeRisk Recommendation?

More companies should adopt the “Bug Bounty” program detailed above.

Publisher: CybeRisk Security Solutions