Ethical hackers say government regulations put information at risk
TORONTO – Heartbleed – the recently discovered vulnerability in OpenSSL encryption software – has thrust cyber security into the spotlight.
Heartbleed was discovered by a team of researchers at Finnish security firm Codenomicon, with the help of a Google researcher; all considered “white hat hackers” by trade – the good guys, who work to find vulnerabilities and responsibly disclose them to those in charge.
In this case, the team alerted the OpenSSL community about the flaw and then went public with its findings to alert web users to the dangers of the flaw.
It’s because of work like this that many cyber security experts argue white hat hackers are vital to security research – but these hackers are sometimes leery of reporting vulnerabilities to government agencies and private companies. Mainly, its because of legalities.
“There is a real fear amongst the security community in Canada,” said Chris Parsons, a post-doctoral fellow with the Citizen Lab at the Munk School of Global Affairs.
“Things like critical infrastructure can’t be tested in Canada – you can’t test the Canada Revenue Agency’s [website], you can’t test the mint’s new digital currency [for vulnerabilities]. That’s really problematic.”
Security researchers and ethical hackers are required to responsibly disclose any findings of security risks to the government and the vendors of the site to give them the opportunity to address the problem before making the information public.
But, according to Parsons, reporting those findings to vendors risks bringing on defamation or SLAPP (Strategic Litigation Against Public Participation) suits – a long and costly legal endeavour.
“Let’s say you discovered that there was vulnerability in something the CRA was running separate to Heartbleed – the CRA purchased that from a vendor, so the vendor would have an interest in that not becoming public because it could damage them,” he said.
“They will say if you disclose this we will sue you – and it might be a SLAPP case, but unless you are well-off financially the cost of defending yourself against a SLAPP suit could cost hundreds of thousands of dollars.”
Global News contacted Shared Services Canada, the agency responsible for IT infrastructures for all government departments, for comment regarding whether outside researchers would be allowed to report vulnerabilities found within government websites without risking legal action.
Shared Services Canada did not immediately respond to a request for comment.
When it comes to the government, experts say they are not always transparent with the public about breaches – leaving those who report the vulnerabilities between a rock and a hard place.
“We walk a thin line – self censor, engage in responsible disclosure and hope to get affected vendors to disclose publicly so that we can talk about it after the fact,” said Kevin McArthur, a web developer and security researcher specializing in e-commerce, who has reported security flaws to Canadian government bodies.
“In some cases, where the companies or governments refuse to disclose, we make a judgment call and do the disclosure ourselves at great personal risk.”
McArthur said that when it comes to the government’s own systems, researchers are seeing that they only like to tell the public about breaches when user data has actually been leaked – like the CRA’s recent security breach which resulted in 900 social insurance numbers being stolen from it’s website as a result of the Heartbleed bug.
But these types of vulnerabilities rarely leave forensic evidence of exploitation, leaving the scope of the breach covered up.
Security researchers are only able to prove if a hacker knew about the vulnerability they could have accessed information – testing the vulnerability to prove it could be done is illegal.
“It results in a tidy little catch 22 – without evidence of exploitation, by their logic, there is no breach,” said McArthur. “But if you create the evidence by exploiting the system, you’re an evil hacker heading for a jail cell. It’s a broken model and one that leaves Canadians at risk.”
In September 2012 McArthur began testing the security of electronic voting in the Halifax municipal elections.
He was limited to doing his research before the election – because watching a user cast their vote would be illegal – which prevented him from providing evidence that the outcome of the election and the confidentiality of users’ votes could have been compromised.
McArthur was only able to report the “presence of security issues and the potential for compromise” to the Canadian Cyber Incident Response Centre (CCIRC). It was later made public that the vendor mitigated some concerns, but not specifically which ones or what the fixes were.
In another case McArthur spoke to the Office of the Privacy Commissioner about vulnerabilities in merchant account software, but they would not act without evidence of a data breach involving real data and forwarded the issue to the CCIRC.
“[The] CCIRC would not warn the public, the mom and pop shops and their shoppers, about the vulnerabilities in the specific companies merchant account software, only posting a very technical information note for software developers to read. I was left to do the public notifications myself,” he said.
Global News contacted the CCIRC, but did not get a response by the time of publishing.
White hat hackers call for wider acceptance
McArthur believes that the government should be more accepting of ethical hackers, but noted that responsible researchers are still getting push-back from government bodies.
“It leaves us vulnerable to the black-hats who will do the research and keep the results secret or sell them on the black market – worse it leads the public to accept insecure technologies, like online voting, not because they are safe, but because no one will admit it when they fail,” he said.
© 2014 Shaw Media