
Security research and Black hats where does the border line

Jamie.R (Sr. Member, Posts: 435, Joined: Mon Aug 06, 2012 9:57 am, Location: UK)
Post Thu Aug 16, 2012 7:48 am
Security research and Black hats where does the border line

I was just curious: how does one do security research without breaking any laws?

You hear about new bugs being found in software, but in order for someone to find that bug they must have been breaking a few rules.

Where does the line stop and start for security research? I have seen many articles about people finding SQL injection on well-known websites, but they must have been breaking the law, so where can you draw the line from research to breaking the law and being a black hat? What do people think?
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
RoleReversal (Hero Member, Posts: 928, Joined: Fri Jan 04, 2008 8:54 am, Location: UK)
Post Thu Aug 16, 2012 8:01 am
Re: Security research and Black hats where does the border line

Following on from your SQLi example, I'd suggest it depends on the circumstances.

If you pick a random website you've got no authorisation to test and start throwing Burp/Nikto/etc. at it, not legal.

If you're legitimately using a site as a user, and your knowledge spots something that's a weakness, there should be no issue reporting this to the sec-ops guys. The difference is being professional enough not to 'just see'; for example, an error message pops up potentially indicating SQLi, don't then grab sqlmap.....

(I've reported issues a few times on different sites (sorry, NDAs....), and despite the urban horror stories my insight and suggestions have been both greatly received and rewarded by the affected site.)
m0wgli (Sr. Member, Posts: 308, Joined: Fri Jul 20, 2012 3:34 pm)
Post Thu Aug 16, 2012 8:17 am
Re: Security research and Black hats where does the border line

As already mentioned, it depends on the circumstances as well as the site. Companies such as http://www.facebook.com/whitehat/bounty/ and https://www.paypal.com/us/webapps/mpp/s ... ity-issues for example have bug bounties in place, provided the research stays within the terms of the bounty program.

The EFF have a small guide: https://www.eff.org/pages/grey-hat-guide which is worth a quick read.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
Jamie.R (Sr. Member, Posts: 435, Joined: Mon Aug 06, 2012 9:57 am, Location: UK)
Post Thu Aug 16, 2012 8:40 am
Re: Security research and Black hats where does the border line

OK then, so you spot something, do you report it? As someone ethical you should, but most people won't because of the hassle that is involved.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
cd1zz (Recruiters, Posts: 566, Joined: Sun Oct 03, 2010 9:01 pm)
Post Thu Aug 16, 2012 8:42 am
Re: Security research and Black hats where does the border line

Most large software companies have a way to report bugs and will not pursue legal action unless you're acting in a malicious way. There are times when the researcher doesn't think the software company is acting "fast enough", which is when things get a bit messy. But for the most part, in stand-alone software, as long as you're professional and follow the company's disclosure policy or bug-reporting policy you'll be fine.

If you're poking and prodding on live websites on which you don't have permission to do so, you could get yourself into some trouble.
Jamie.R (Sr. Member, Posts: 435, Joined: Mon Aug 06, 2012 9:57 am, Location: UK)
Post Thu Aug 16, 2012 9:19 am
Re: Security research and Black hats where does the border line

OK, so here are a few scenarios:

You're on a site and you enter your credit card details, which get stored on the site. You then notice they're being stored without putting **** over the last 8 digits. Do you report it?

You're using a website and your name is O'neal, and this causes an SQL injection. Do you report it?

Your friend has been messing with a website trying to hack it; he tells you about a really bad bug. Would you report it?

Let's say you want to do some research on Oracle databases, but they're pretty expensive; the only real way to do your research is to be a bit unethical. What do you do?

I also heard that at Defcon there was a presentation on hacking VoIP in hotel rooms. How ethical is this? Trying to hack a VoIP phone in a hotel, to me, is wrong: you don't own it and don't have permission, but how many people would give you permission to do this sort of testing?
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
cd1zz (Recruiters, Posts: 566, Joined: Sun Oct 03, 2010 9:01 pm)
Post Thu Aug 16, 2012 9:31 am
Re: Security research and Black hats where does the border line

You're on a site and you enter your credit card details, which get stored on the site. You then notice they're being stored without putting **** over the last 8 digits. Do you report it?

Sure, this is just an observation.

You're using a website and your name is O'neal, and this causes an SQL injection. Do you report it?

If your name is really O'neal... then I would probably play stupid and report the "error", not even calling it an SQLi.

Let's say you want to do some research on Oracle databases, but they're pretty expensive; the only real way to do your research is to be a bit unethical. What do you do?

Not true, you can download Oracle and use it for free: http://www.oracle.com/technetwork/produ ... index.html

Also, I think you really know the answer to this if it's unethical.

I also heard that at Defcon there was a presentation on hacking VoIP in hotel rooms. How ethical is this? Trying to hack a VoIP phone in a hotel, to me, is wrong: you don't own it and don't have permission, but how many people would give you permission to do this sort of testing?

It's Defcon. Period.
Jamie.R (Sr. Member, Posts: 435, Joined: Mon Aug 06, 2012 9:57 am, Location: UK)
Post Thu Aug 16, 2012 9:44 am
Re: Security research and Black hats where does the border line

I do know the answer, but I'm trying to get people's views on what they count as ethical and unethical. As I think sometimes when people are doing security research they cross the line and maybe at night slip into a black hat.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
MrTuxracer (Newbie, Posts: 47, Joined: Fri Dec 30, 2011 4:25 am, Location: Germany)
Post Thu Aug 16, 2012 1:50 pm
Re: Security research and Black hats where does the border line

I think this really depends on how you "research" and how professionally you report your findings.

If it sounds like you're trying to extort the website owner -> you'll get in trouble.

If you send a mail from your 1337haxxor@steal-your-cc.com mail account containing a responsible report, nobody will trust you -> you'll get in trouble.

If you provide the webmaster with his entire database -> you'll get in trouble.

I can say from my own experience that most webmasters are thankful for a responsibly and professionally reported vulnerability  8)

Regards.
eCPPT, HP ASE (Networking), LPIC-1, OSCP, WCSP
http://www.rcesecurity.com
Jamie.R (Sr. Member, Posts: 435, Joined: Mon Aug 06, 2012 9:57 am, Location: UK)
Post Thu Aug 16, 2012 4:08 pm
Re: Security research and Black hats where does the border line

Yes, I think I'm just trying to figure out how people do security research without breaking any rules. As I think sometimes it's borderline whether you break the law or not; of course there are some instances where it's really obvious.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
m0wgli (Sr. Member, Posts: 308, Joined: Fri Jul 20, 2012 3:34 pm)
Post Fri Aug 17, 2012 3:20 am
Re: Security research and Black hats where does the border line

I saw an interesting talk at BSides London earlier in the year by Abraham Aranguren, titled "Legal and efficient web app testing without permission":

http://blog.7-a.org/2012/05/legal-and-e ... sting.html

According to the talk "At least 48.5% (32 out of 66) of the tests in the OWASP testing guide can be legally * performed at least partially without permission".

Note he does have caveats "* Except in Spain, where visiting a page can be illegal"  and "* This is only my interpretation and not that of my employer + might not apply to your country!".

It's obviously advisable for anyone to establish their own legal position before following any of his advice should they wish to do so.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
Jamie.R (Sr. Member, Posts: 435, Joined: Mon Aug 06, 2012 9:57 am, Location: UK)
Post Fri Aug 17, 2012 3:24 am
Re: Security research and Black hats where does the border line

I sadly missed that talk as I was at the CV place; bet it was interesting.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
RoleReversal (Hero Member, Posts: 928, Joined: Fri Jan 04, 2008 8:54 am, Location: UK)
Post Fri Aug 17, 2012 3:29 am
Re: Security research and Black hats where does the border line

I found Abraham's talk quite enlightening; for me it was one of the more beneficial talks from BSides London this year. I'd also suggest taking a look at OWTF, the tool introduced and discussed during the talk.

For those not able to party with us, the BSidesLondon YouTube channel is where you need to be spending your Friday. Abraham's talk here.
Jamie.R (Sr. Member, Posts: 435, Joined: Mon Aug 06, 2012 9:57 am, Location: UK)
Post Fri Aug 17, 2012 3:36 am
Re: Security research and Black hats where does the border line

Did you attend the talk on HTML5, Andrew? I enjoyed that talk.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
RoleReversal (Hero Member, Posts: 928, Joined: Fri Jan 04, 2008 8:54 am, Location: UK)
Post Fri Aug 17, 2012 3:53 am
Re: Security research and Black hats where does the border line

Missed that one (recording on my 'to watch' list); same reason, sat in CV clinic.