
[WEB SECURITY] another good guy is charged



Eric McCarty uncovered a SQL Injection vulnerability in USC's website [1], collected a small amount of data to prove an exposure existed, and disclosed the issue with the assistance of SecurityFocus [2]. For his trouble he now faces computer intrusion charges [3]. This story is similar to that of Daniel Cuthbert's from last year [4]. The big difference seems to be that Eric actually gained access to sensitive information, although likely because USC initially didn't understand the issue until proof was shown.

"USC administrators initially claimed to SecurityFocus that an analysis of the system and log files indicated that only two database records could be retrieved using the SQL injection flaw. After additional records were provided to the administrators, the university acknowledged that the entire database was threatened by the flaw."

For all we know Eric was not the first person to find the issue, just the first to disclose it. Without the disclosure, the data of 280,000 applicants could very well still be at risk. More caution should have been exercised. Though it doesn't change the fact that the risks for security researchers of public websites, as opposed to software, are much greater. Finding a new vulnerability in an operating system does not immediately give a person access to the sensitive data of thousands. You can safely and legally test on systems you own. Maybe it's time the (webappsec) industry begin discussing "responsible" disclosure practices with regards to real website hacks as was done with RFPolicy [5].

We all know that the vast majority of websites are vulnerable, it's just a matter of someone looking. So if the good-guys become unwilling or unable to disclose, and the bad-guys certainly aren't going to, where does that leave us?


Regards,

Jeremiah Grossman
Founder and CTO
WhiteHat Security, Inc.



-----

[1] Flawed USC admissions site allowed access to applicant data
http://www.securityfocus.com/news/11239

[2] Breach case could curtail Web flaw finders
http://www.securityfocus.com/news/11389/1

[3] Man charged with accessing USC student data
http://www.securityfocus.com/brief/191

[4] Tsunami appeal site 'hacker' found guilty
http://news.zdnet.co.uk/0,39020330,39226548,00.htm

[5] Full Disclosure Policy (RFPolicy) v2.0
http://www.wiretrip.net/rfp/policy.html

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
