Security research and Black hats where does the bourder line

[Jamie.R]

I was just curious how does one do security research without breaking any laws?

You hear about new bugs being found in software but in order for someone to find that bug they must have been breaking a few rules.

Where does the line stop and start for security research? I have seen many articles about people finding sql injection on well know website but they must have been breaking the law so where can you draw the line from research to brkaing the law and being black hat ? What do people think ?

[Andrew Waite]

Following on from your SQLi example. I'd suggest it depends on the circumstances.

If you pick a random website you've got no authorisation to test and start throwing Burp/Nikto/etc. at it, not legal.

If you're legitimately using a site as a user, and your knowledge spots something that's a weakness, there should be no issue reporting this to the sec-ops guys. The difference is being professional enough not to 'just see'; for example error message pops up potentially indicating SQLi, don't then grab sqlmap.....

(I've reported issues a few times on different sites (sorry, NDAs....), and despite the urban horror stories my insight and suggestions has been both greatly recieved and rewarded by the effected site).

[m0wgli]

As already mentioned it depends on the circumstances as well as the site. Companies such as http://www.facebook.com/whitehat/bounty/ and https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues for example have bug bounties in place provided the research stays within the terms of bounty program.

The EFF have a small guide: https://www.eff.org/pages/grey-hat-guide which is worth a quick read.

[Jamie.R]

ok then so you spot somthing do you report it ? as someone ethical you should but most people wont becasue the hassel that is involved.

[cd1zz]

Most large software companies have a way to report bugs and will not pursue legal action unless you're acting in a malicious way. There are times when the researcher doesn't think the software company is acting "fast enough" which is when things get a bit messy. But for the most part in stand alone software as long as you're professional and follow the companies disclosure policy or bug reporting policy you'll be fine.

If you're poking and prodding on live websites on which you don't have permission to do so, you could get yourself into some trouble.

[Jamie.R]

ok so here few senarios

you on site you enter your credit card details what get stored on the site. You then notice they being stored without puttin **** over the last 8 didgits do you report it ?


you using a website and your name is 0'neal this causing an sql injection do you report it ?

Your friend been messing with website trying hack it he tells you about a really bad bug would you report it ?

lets say you want do some research in orcel datasbe but they pretty expensive the only real way to do your research is to be a bit unethical what do you do ?

I also head that at defcon there was a presentation on hacking voip in hotel rooms how ethical is this ? trying hack voip phone in hotel to me is wrong you dont own it dont have permission but how many people would give you permission to do this sort of testing?

[cd1zz]

you on site you enter your credit card details what get stored on the site. You then notice they being stored without puttin **** over the last 8 didgits do you report it ?

Sure, this is just an observation.

you using a website and your name is 0'neal this causing an sql injection do you report it ?

If your name is really O'neal... then I would probably play stupid and report the "error" not even calling it a SQLi.

lets say you want do some research in orcel datasbe but they pretty expensive the only real way to do your research is to be a bit unethical what do you do ?

Not true, you can download oracle and use it free: http://www.oracle.com/technetwork/products/express-edition/overview/index.html

Also, I think you really know the answer to this if its unethical.

I also head that at defcon there was a presentation on hacking voip in hotel rooms how ethical is this ? trying hack voip phone in hotel to me is wrong you dont own it dont have permission but how many people would give you permission to do this sort of testing?

It's Defcon. Period.

[Jamie.R]

I do know the answer but I trying get people view what do they count as ethical and unethical. As I think sometimes when people are doing security reasearch they sometimes cross the line and maybe at night slip into a black hat.

[MrTuxracer]

I think this really depends on how you "research" and how professional you report your findings.

If it sounds like you try to extort the website owner -> you'll get in trouble.

If you send a mail from your 1337haxxor@steal-your-cc.com mail account containing a responsible report, nobody would trust you -> you'll get in trouble.

If you provide the webmaster with his entire database -> you'll get in trouble.

I can say from my own experience that most webmasters are thankful for a responsible and professional reported vulnerability 

Regards.

[Jamie.R]

Yes I think I just trying to figure out how people do security research without breaking any rules. As I think sometimes it border line if you break the law or not of course there are some instances where its really obvious.

[m0wgli]

I saw an interesting talk at bsides London earlier in the year by Abraham Aranguren titled legal and efficient web app testing without permission:

http://blog.7-a.org/2012/05/legal-and-efficient-web-app-testing.html

According to the talk "At least 48.5% (32 out of 66) of the tests in the OWASP testing guide can be legally * performed at least partially without permission".

Note he does have caveats "* Except in Spain, where visiting a page can be illegal"  and "* This is only my interpretation and not that of my employer + might not apply to your country!".

It's obviously advisable for anyone to establish their own legal position before following any of his advice should they wish to do so.

[Jamie.R]

I sadly missed that talk as i was at the CV place bet it was intresting.

[Andrew Waite]

I found Abraham's talk quite enlightening, for me it was one of the more beneficial talks from BSides London this year. I'd also suggest taking a look at OWTF, the tool introduced and discussed during the talk.

For those not able to party with us, the BSidesLondon Youtube channel is where you need to be spending your Friday. Abraham's talk here.

[Jamie.R]

Did you attend the talk on html 5 Andew? I enjoy that talk.

[Andrew Waite]

Missed that one (recording on my 'to watch' list); same reason, sat in CV clinic.