Monday, May 18, 2015

Bug Bounties: Wild West of Information Security

How the West was Pwned

While "bug bounty" programs are a license to ill for digital gunslingers, they must survive a wild west of shoot-first lawmen and a hacker hysteria that wants to hang 'em high.

Information Security "Bug Bounties" are a fairly new thing. They reward security researchers ("hackers", if you prefer) for privately disclosing vulnerabilities, giving developers and engineers time to fix security bugs before they become widely known. [1]

Many of these programs offer financial (or equivalent) incentives, cultivating a growing community of researchers actively seeking-out vulnerabilities.

This partnership has been very beneficial for both parties. Companies who run networks and make software get a chance to fix bugs before Bad Guys have a chance to exploit them to steal money and cause mayhem. [2]

For hackers, what was previously a closeted and thankless (even punishable) pastime is becoming a legitimate, productive application of obscure talents.

If you think you've got the moves, strap-on your six-guns and saddle your horse...

But you might want to have your affairs in order first. Just in case you don't come back.

The Good, the Bad and the Ugly

Over the years, I've watched the term "hacker" traverse the following definitions in popular culture:
  1. Amateur or unconventional engineer, programmer or Unix geek. Often a prankster.
  2. Specialist in disabling copy protection (when used as synonymous with "cracker").
  3. Specialist in exploring, exploiting or penetrating networks or computers.
  4. Criminal programmer.
There are those who still hold that only the first is accurate, but many old-timers (myself included) ceded that argument long ago. The mainstream has had its way the with word, and it now tends more than ever toward the fourth, most insidious definition.

You may want to hide that spell book
In the current mythology, "Hacker" is some sort of witch doctor: Half witch, half doctor, an "other than us" with mysterious incantations that have equal power to harm or heal.

Where in this taxonomy does the Bug Bounty Hunter - "security researcher" - reside?

And how do modern witch doctors ward-off the evil spirits, without incurring the wrath of the fearful - and with it the dreaded stake?

I Shot the Sheriff [3]

A crucial subtlety of this matter that is obvious only to the most technical is that until its very last step, "hacking" and "security research" are utterly indistinguishable. This applies to both the activities involved and to the digital artifacts (evidence, when it comes time) that result.

Many activities deemed hacking are exactly like those of ordinary (if unusual) computer users. Even simple operator error can generate precisely the same operations (and indeed can have the same effects) as what is now commonly referred to as hacking.

While working in Information Security, I have many times observed a complete 5-alarm response to activity initially considered an attack (or reconnaissance) - which on closer analysis turned-out to be mis-configured network devices, bad code, or a developer "experiment".

The line between ordinary computer activities and "hacking" is probably not as clear as you think. A few keystrokes is all that distinguishes you from The Unforgiven.

A (Fairly) Real Life Example

Logging-in to Social Thing, you typo a quote ( ' ) instead of the "p" in your username. You press enter too quickly, accidentally using "Otter'ops" instead of "OtterPops". You see the error message...

     User "Otter
          syntax error at line 31 : ' '' unmatched
     ops" not found

...and laugh because you recognize the error: It happens when a Unix Shell script has a quote on one side of something but not the other, and has happened with your own scripts.

The errant quote in your username ended-up breaking the syntax, and the error was inserted in the output, such that "User OtterPops not found" came out "User Otter (shell error output) ops not found".

The implications are obvious: Somewhere back at Social Thing, whatever you enter as username is being handled - at some point - by a Unix Shell script not too unlike your own. We're seeing the resulting error.

Really getting into this cowboy theme.
To the untrained eye, this sort of thing is just obscure Geek Trivia of the worst sort. 

But to a hacker, it is the trembling hand of a yellow-bellied greenhorn.

In our example, a variety of obscure features offer the opportunity to "insert" commands into the username, which will be executed on the server back at Social Thing.  The "system exec tick" (also known as the "back tick") could be used to determine its operating system:

     Otter`uname -a`ops

     User "Otter
          Linux SocialThingCloud73 3.11.10-311.fc20.x86_64 #1 
          SMP Thu Dec 1 12:01:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
     ops" not found

Or to dump some of its important security configuration...

     Otter`cat /etc/sudoers`ops

     User "Otter
          # SocialThingCloud Sudo Config by MarkAdmin2
          Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
          %wheel ALL=(ALL) ALL
     ops" not found

It only gets worse from there, I'm sure you get the idea.

Congratulations! You have just discovered a security bug - a "User Input Validation Defect", specifically.  The resulting vulnerability provides "Remote Execution": The ability to run arbitrary commands on the remote machine at a level of access sufficient to do just about anything you want. [4]

You are now a hacker. Or security researcher. 

Which one in particular may be subject to the whims of popular hysteria - and to arbitrary, unpredictable criminal definitions and enforcement.

Lonely Are the Brave

Would it surprise you to learn that logging-in to Social Thing with the username of "Otter`uname -a`ops" could land you in prison?

Criminally, the definition and application of "computer crime" is vague and even arbitrary. 

Many actions that were mundane in the early days of the internet are now considered the domain of hacking. "spidering" a website, for example, was simply a geeky thing to do. Today, many web application firewalls will consider this a prelude to an attack.

Somewhere at Social Thing, a screen shows a tiny yellow flag. Follow that up with enough other "suspicious" behavior, and that flag could turn red.

The face of pure evil? I'm skeptical.
The uneven hand of computer crime enforcement is nowhere more painfully evident than in the case of Aaron Swartz, victim of over-zealous prosecution for activities even less obtrusive than spidering. In 2011, Swartz was hit with 11 violations of the Computer Fraud and Abuse Act in connection with a script he wrote to download academic articles from JSTOR. Facing time in Federal prison, Swartz committed suicide - prompting outrage from the civil and digital rights communities. [5]

Back at Social Thing, the yellow flag gradually turns red.

For those with the necessary technical insight, a cavernous gulf is evident between the sorts of activities that raise yellow (or even red) flags, and the burden of proof expected in every other facet of society before something is deemed criminal.

Experts throughout Information Security as well as in human and digital rights are now increasingly calling for reform in "cybercrime" laws. 

If deemed so by authorities, the few little pokes you took at Social Thing could probably constitute a violation somewhere in the tangle of laws employed when a hacker ends up on the sh*t list.

Your crimes include:
  1. You have "taken control" of a remote system (causing it to do your bidding)
  2. You retrieved confidential data (the error, and knowledge of its shell script)
  3. You are "in possession" of proprietary assets (the "sudoers" output, still in your browser cache)
You might be (should be) pretty shocked by this, because many of these operations are so close to innocuous (if not completely innocent) things that ordinary people might do. 

I'm not suggesting it is a "normal use" of Social Thing to purposely enter symbols in your username: But it's not exactly planting cyanide in the city water supply, is it? 

I wouldn't be at all surprised if ordinary people, being curious and intelligent, found themselves drawn down the rabbit holes that lead to these bugs - momentarily becoming hackers without even realizing they had crossed that invisible line. It is simple curiosity - not malice - that drives most hackers, too.

Wanted Dead or Alive

A comical illustration of this aqueous state of affairs is seen in the unveiling today of United Airline's Bug Bounty.

United's program is a bit more cautious than some - as one might expect from an airline. How cautious? As the program details warn:
"Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation."
It continues by listing offending activities, which include:
  • Brute-force attacks
  • Code injection on live systems
  • Disruption or denial-of-service attacks
  • Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
  • Vulnerability scans or automated scans on United servers
As I've shown in the preceding discussion, many of these distinctions can be difficult to make. It is entirely possible to violate them accidentally, in the course of testing.

It is extremely difficult, for instance, to complete modern vulnerability testing without resorting to some (often custom) tools. The wrong error - such as an accidental "tight loop" - in such a tool can easily generate the same activity as an automated scan. Or mis-typed commands could accidentally target the wrong accounts.

Bugs are, by their very nature, unpredictable: One can't make reliable assumptions about their scope until they are fully understood. That all makes engaging United's bounty even dicier than it already would be, being an airline.

But to really grasp the full irony of their announcement, we must rewind a few weeks to April 15th, 2015.

On that day, noted security researcher (hacker, if you prefer) Chris Roberts was removed from United flight 1474 in apparent response to humorous in-flight Tweets referencing - in typically obscure geek speak - auxiliary plane systems:
Mr. Roberts is a well-known researcher who has spoken many times at industry events and has publicly warned of vulnerable airline systems for years. The story has since grown more convoluted, with United banning him and the FBI confiscating his gear.

Whatever the final disposition, it nonetheless stands as another illustration of a field fraught with peril. One writer hints at what I believe are the early stages of full-blown Hacker Hysteria:
"The mere thought that someone could be on a plane and use their technical skills to control it might cause some to resist flying. Or at least, to check their flight for anyone who looks like they might know how to hack into a computer."  - Chris Matyszczyk, CNET

I applaud United for their bounty program. At least they have an email address.

But there is zero chance that I will engage it. The possibility of an errant bit of disastrous hacker luck inspiring a visit from the FBI is enough to turn me to safer hobbies. Like BASE jumping.

Go Kill Everybody and Come Back Alone [3]

In the days before Bug Bounties, we commonly discovered vulnerabilities in apps and simply kept them to ourselves. Reporting them was an optional but usually futile exercise: I'd as often been interrogated in response as been simply ignored. Rare indeed was the appreciative response followed by a fix. 

In one exceptional instance, I was treated to a dinner (thanks, Digi!).

Bug Bounties are a fantastic change in the times, but the old ways haven't died out yet.

I have this moment a 3-page vulnerability report regarding a server in the network of a major name brand conglomerate. I've had no success, despite multiple attempts, in delivering it safely to their security teams. Not only do they not have a bounty program, they do not even have a published security contact, anywhere.

What should I do with this report, detailing a wide-open entry point into their content management system? 

I am under no illusions that being any manner of "security professional" will protect me from either intentionally heavy-handed application of computer crime law, or from hacker hysteria in general.

I keep that file very near the data shredder. I may need to get rid of it in a hurry. [6]

This Is Thunderdome?

Perhaps I should have used a Mad Max theme for this article. It would have been timely.

For the moment, the field of "security research" (or "hacking" if you prefer) bears a striking resemblance to Max's unforgiving, every-man-for-himself wasteland.

One wrong move, and you may find yourself under the wheels of a death machine.

Yeah. I should have gone with Mad Max. Damns.


[1] HackerOne, Portrait of the Bug Bounty Community

One of the most popular venues in the field, HackerOne operates a sort of clearing house and talent market for bug bounties offered by individual companies. Cummutively, member researchers have discovered and reported over 8,000 vulnerabilities across 88 products or systems - many of them involving popular sites and apps you rely on every day. HackerOne reports combined awards of $2.88m for its members since its inception, who compete not just for financial reward but for the very real esteem associated with demonstrably "elite" hacking skills.

[2] Google Bug Bounty Program: The Gold Standard?

Google's own Bug Bounty program is one of the most influential and arguably the most successful. In 2014, they awarded over $500k USD to hundreds of researchers who reported an average of 1.5 new bugs, each. Google notes that the rate of new discoveries is slowing, from which they conclude that the program has been effective in an overall hardening of their products. I'm inclined to agree - it is increasingly difficult to find serious weaknesses in products that fall under the program's umbrella.

[3] Anti-Violence Disclaimer

Due to current press controversies about citizens and law enforcement, I disclaim that I've used Clapton's lyric here only because it is thematically suited. I have neither shot the sheriff nor advocate shooting no deputy.

While we're at it, yes, all of the subtitles in this article (except the first and last) are the names of classic cowboy flicks - even "Go Kill Everybody and Come Back Alone". Westerns were brutal.

[4] Discussion: Command Ejection

You may be skeptical that it is really that simple: And in some ways, systems are indeed much more resilient than they were when I first encountered "Command Injection" in 1997. But these and similar flaws are still found just about everywhere.

The scenario I describe above is almost exactly how I once found myself with root access to a device specifically designed to secure access to network devices, within 30 minutes of booting it. This was before Bug Bounties, but declaring that the vendor had failed my assessment before they left the building was reward enough. It should concern you when I relate that the product had already passed a DoD Security Assessment.

Variations on this theme continue to manifest wherever humans provide input to a computer, no matter what platforms or programming languages are used: Any where a user input is processed on a remote system, the potential for poisoning that input exists.

 I've simplified the mechanisms a bit here for a general audience (ignoring encoding or escaping trickery, for example) but those are the trivia - the underlying mechanism remains are unchanged in decades. I found (and reported) just such an issue in a popular app from a name you would recognize, last December. It has yet to be addressed.

[5] Our Dangerously Confused Hacking Laws

The bulk of today's current "cybercrime" law is based on the "Computer Fraud and Abuse Act", originally penned in 1986. No, that's not a typo - when this law was written, even I was too young to drink. This law was used for the Swartz prosecution and continues to be at the center of most U.S. hacker trials.

[6] I'm kidding...that would be a pointless security measure. My computer just erases itself unless it is booted in precisely the right way.