[ISN] Breach case could curtail web flaw finders
isn at c4i.org
Fri Apr 28 06:37:08 EDT 2006
By Robert Lemos
28th April 2006
Security researchers and legal experts have voiced concern this week
over the prosecution of an information technology professional for
computer intrusion after he allegedly breached a university's online
application system while researching a flaw without the school's
Last Thursday, the US Attorney's Office in the Central District of
California leveled a single charge of computer intrusion against San
Diego-based information technology professional Eric McCarty, alleging
that he used a web exploit to illegally access an online application
system for prospective students of the University of Southern
California last June. The security issue, which could have allowed an
attacker to manipulate a database of some 275,000 USC student and
applicant records, was reported to SecurityFocus that same month. An
article was published after the university was notified of the issue
and fixed the vulnerable web application.
The prosecution of the IT professional that found the flaw shows that
security researchers have to be increasingly careful of the legal
minefield they are entering when reporting vulnerabilities, said Lee
Tien, senior staff attorney for the Electronic Frontier Foundation, a
digital-rights advocacy group.
"I think the bottom line is that anybody that does disclosures of
security vulnerabilities has to be very careful (so as to) not be
accused of being a hacker," Tien said. "The computer trespass laws are
very, very tricky."
The case comes as reports of data breaches against corporations and
universities are on the rise and could make security researchers less
likely to bring flaws to the attention of websites, experts told
This week, the University of Texas at Austin stated that a data thief
attacking from an internet address in the Far East likely copied
197,000 personal records, many containing social security numbers. In
September, a Massachusetts teenager was sentenced to 11 months in a
juvenile detention facility for hacking into telecommunications
provider T-Mobile and data collection firm Lexis-Nexis. And, in March,
an unidentified hacker posted on the Business Week Online website
instructions on how to hack into the admissions site of top business
schools using a flaw in the ApplyYourself admissions program.
Eric McCarty, reached on Friday at the cell phone number published in
the affidavit provided by the FBI in the case, said security
researchers should take note that websites would rather be insecure
than have flaws pointed out.
"Keep them to yourself - being a good guy gets you prosecuted,"
McCarty said during the interview. "I can say honestly that I am no
longer interested in assisting anyone with their vulnerabilities."
McCarty confirmed that he had contacted SecurityFocus in June, offered
information about the means of contact as proof, and waived the
initial agreement between himself and this reporter to not be named in
When the FBI came knocking in August, McCarty had told them
everything, believing he had nothing to hide, he said.
"The case is cut and dried," McCarty said. "The logs are all there and
I never attempted to hide or not disclose anything. I found the
vulnerability, and I reported it to them (USC) to try to prevent
McCarty admitted he had accessed the database at the University of
Southern California, but stressed that he had only copied a small
number of records to prove the vulnerability existed. The FBI's
affidavit, which states that a file with seven records from the
database was found on McCarty's computer, does not claim that the IT
professional attempted to use the personal records for any other
To other security researchers, the case underscores the asymmetric
legal power of websites in confronting flaw finders: Because finding
any vulnerability in a server online necessarily means that the
researcher had exceeded authorisation, the flaw finder has to rely on
the mercy of the site when reporting, said HD Moore, a noted
researcher and co-founder of the Metasploit Project.
"It is just a crappy situation in general right now," Moore said. "You
have to count on the goodwill of the people running the site. There
are cases when there are vulnerable websites out there, but unless you
have an anonymous web browser and a way to hide your logs, there is no
way to report a vulnerability safely."
Moore points to McCarty's case and the case of Daniel Cuthbert - who
fell afoul of British law when he checked out the security of a
charity website by attempting to access top-level directories on the
web server - as warnings to researchers to leave websites alone. In
October, Cuthbert was convicted of breaking the Computer Misuse Act,
fined £400, and ordered to pay £600 in restitution.
Other researchers should be ready to pay as well, Moore said. Anyone
who affects the performance of a server on the internet could find
themselves in court, he said.
"Even if you look at the port scanning stuff - which is not
technically illegal - if you knock down the server in the process of
port scanning it, then you are liable for all the damages of it being
down," Moore said.
Such legal issues are one reason for not testing websites at all, said
security researcher David Aitel, chief technology officer of security
services firm Immunity.
"We don't do research on websites," Aitel said, adding that the
increasing reliance of programs on communicating with other programs
has made avoiding web applications more difficult. "The more your
applications are interconnected the more difficult it is to get
permission to do vulnerability research."
Moreover, such a legal landscape does not benefit the internet
companies, Aitel stressed. While companies may prefer to not know
about a vulnerability rather than have it publicly reported, just
because a vulnerability is not disclosed does not mean that the
website is not threatened.
"If this is an SQL injection flaw that Eric McCarty can find by typing
something into his web browser then it is retarded to think that no
one else could do that," Aitel said.
The US Attorney's Office alleges that McCarty's actions caused the
university to shutter its system for 10 days, resulting in $140,000 in
damages. The university had provided investigators with an internet
address which had suspiciously accessed the application system
multiple times in a single hour, according to the affidavit provided
by the FBI in the case. The information allowed the FBI to execute a
search warrant against McCarty, discover the names of his accounts on
Google's Gmail and subpoena those records from the internet giant, the
court document stated. Among the emails were messages sent from an
account - "ihackedusc at gmail.com" - to SecurityFocus detailing the
vulnerability, according to the affidavit.
The US Attorney's Office declined to comment for this article. A
representative of the University of Southern California also declined
to comment except to say that the school is cooperating with the
"It wasn't that he could access the database and showed that it could
be bypassed," Michael Zweiback, an assistant US Attorney for the US
Department of Justice's cybercrime and intellectual property crimes
section, said last week after his office announced the charge. "He
went beyond that and gained additional information regarding the
personal records of the applicant. If you do that, you are going to
face - like he does - prosecution."
The case has aspects similar to the prosecution of Adrian Lamo, dubbed
the Homeless Hacker, for breaching systems at the New York Times. Lamo
would frequently seek out vulnerabilities in online systems, exploit
the vulnerabilities to gain proof of the flaws, and then contact the
company - and a reporter - to help close the security hole. In 2004,
Lamo pleaded guilty to compromising the New York Times network, served
six months under house arrest and had to pay $65,000 in restitution.
In the University of Southern California case, McCarty identified the
vulnerability in the USC system when he decided to apply to the school
and, before registering, used a common class of flaws known as
structured query language (SQL) injection to test the site, he said
during last week's interview. Such attacks exploit a flaw in the code
that processes user input on a website. In the USC case, special code
could be entered into the username and password text boxes to retrieve
applicants' records, according to the FBI's affidavit.
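To make the preceding description concrete, here is an added example (not code from the article, from SecurityFocus, or from USC's application system) in Python against an in-memory SQLite table of constructed, fictitious applicant records. It shows a login check that splices the username and password straight into the SQL text next to the parameterised form that binds them as data: the same tautological input that turns the first query into "return every row" matches nothing in the second, because a bound parameter can never change the structure of the statement.

```python
import sqlite3

# Constructed sample data: fictitious applicants, not records from the page.
APPLICANTS = [
    ("alice", "s3cret-a", "Alice Example", "alice@example.invalid"),
    ("bob", "s3cret-b", "Bob Example", "bob@example.invalid"),
    ("carol", "s3cret-c", "Carol Example", "carol@example.invalid"),
]


def make_db():
    """Create an in-memory table shaped like a minimal applicant login store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants "
        "(username TEXT, password TEXT, full_name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO applicants VALUES (?, ?, ?, ?)", APPLICANTS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation.

    Whatever the user types becomes part of the SQL text, so input containing
    quotes and operators is parsed as SQL rather than compared as a value.
    """
    sql = (
        "SELECT full_name, email FROM applicants WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn, username, password):
    """Parameterised statement: the driver binds the inputs as data values.

    The SQL text is fixed before any user input is seen, so the comparison is
    always "column equals this exact string", no matter what the string holds.
    """
    sql = "SELECT full_name, email FROM applicants WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run both variants with a legitimate login and with a tautology input."""
    conn = make_db()
    # Classic tautology: makes the concatenated WHERE clause true for every row.
    tautology = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret-a"),
        "legit_hardened": login_hardened(conn, "alice", "s3cret-a"),
        "tautology_vulnerable": login_vulnerable(conn, tautology, tautology),
        "tautology_hardened": login_hardened(conn, tautology, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) returned")
```

Run stand-alone, the script reports one row for the legitimate login in both variants, every row in the table for the tautology against the concatenated query, and zero rows for the tautology against the parameterised one. The fix is the parameterised statement, not filtering of quote characters: escaping rules differ between databases and are easy to get wrong, whereas bound parameters are handled by the driver.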
USC administrators initially claimed to SecurityFocus that an analysis
of the system and log files indicated that only two database records
could be retrieved using the SQL injection flaw. After additional
records were provided to the administrators, the university
acknowledged that the entire database was threatened by the flaw. The
FBI's affidavit contains the email that McCarty allegedly sent to
SecurityFocus with two additional records from the database.
The events outlined in the affidavit indicated that McCarty tried to
act responsibly, said Jennifer Granick, a cybercrime attorney and
executive director of the Stanford Law School's Center for Internet
"Here is a guy who didn't use the information, he notified the school
- albeit through a third party - what was he supposed to do
differently?" Granick said. "It's a Catch-22 for the security
researcher, because they have arguably broken a law in finding the
The case does underscore that researchers will have to become more
savvy about dealing with the legal aspects of their craft, said David
Endler, director of security research for 3Com subsidiary
"Finding a vulnerability in a website is a bit different than finding
a vulnerability in a product. You can do a lot of things to a product
that won't affect users. You shouldn't poke around a website unless
you have permission or have been hired to do it...it's just not worth
As the creator of two vulnerability-buying programs, Endler is
familiar with the contorted legal issues that can sometimes face
vulnerability researchers. He believes that cases, such as McCarty's
prosecution, will likely lead to researchers either allying themselves
with one of the flaw-bounty programs or declining to disclose any
Already, the influence of corporate legal teams had reduced the
significance of the vulnerability disclosure movement, Immunity's
"The peak of disclosure has long past us," he said. "Who out there is
really giving away bugs these days? The disclosure movement passed us
by more than two years ago and people have gone underground with their
And having fewer security researchers looking over the shoulders of
website administrators and internet software makers will only mean
less pressure to fix vulnerabilities and weaker security for sites on
the internet, the EFF's Tien said.
"There is an under-disclosure of vulnerabilities and weaknesses, and
that is a bad thing for security, because the less people know about
security problems, the less pressure is put on companies to improve
security," Tien said.
Author's note: As described in the article, the FBI's affidavit
supporting the charge against Eric McCarty of computer intrusion
alleges that he was the source for an article published on
SecurityFocus by the author. The author did not cooperate with the
FBI's investigation nor was he asked to do so. In an interview
conducted on Friday and in an email exchange, McCarty provided proof
that he was the author's source and waived the condition of anonymity
that he requested for the original article.
This article originally appeared in Security Focus.
Copyright © 2006, SecurityFocus