Why information security is not simply a matter of black and white
Responsible disclosure – the difference between malicious and ethical hackers
by Giovanni Bajo (Developer Relations) and Gianluca Varisco (Cybersecurity)
Questo articolo è disponibile anche in italiano
The subject of our first post is not an easy one to discuss but it is the one that sits the closest to our hearts and has earned the first place in our manifesto (which you can find here in Diego Piacentini’s first post about the Digital Transformation Team):
Security and privacy are the most important tenets; the team never makes compromises in this regard.
First of all, what does security mean in the world of websites and software?
Security in the world of software
These days it is not uncommon to hear people talk about leaked credentials and stolen credit card numbers. There is no such thing as 100% secure software.
Security can’t be talked about in either-or dichotomies, it can’t be measured in terms of black and white. Its practicality must be constantly reassessed: even a previously secure software can suddenly prove itself totally inadequate, for example, in the case of attack by a malicious hacker. Security can only be measured in terms of levels and the security of a software depends on numerous factors, like the type of attacker or the budget available.
It is helpful to think of software in terms of a house that needs protection. One possible security system could be the use of an armored door. This would certainly be effective against a thief with a lock pick. But what about defending against someone armed with more sophisticated tools? Or a thief who plans to enter your house through the window?
Identifying and resolving software security bugs is a common and everyday practice. When users install updates on their browser or smartphone, they are usually helping to solve one or more security issues. These updates are essential for making software more resilient to attack. Without them, an attacker might be able to gain access to important personal information like passwords, emails, or text messages.
Software companies have started publicly disclosing the details of the security bugs resolved with each new release of their products. They have also begun to incentivize “responsible disclosure” from communities of so-called “ethical hackers” (good hackers, white-hat hackers). When these programs are paid, they are called “bug bounties” and they motivate ethical hackers to look for security bugs in the software, privately notify the company of potential vulnerabilities and wait for them to solve the problem before publicly disclosing the information.
It’s like offering a prize to every bank robber who can find his way into the vault without stealing anything and returns to tell the tale of how he did it.
It’s far better to reward ethical hackers for their work, and improve the security of the software in the process, than to stick one’s head in the sand and wait for a “black hat hacker” (a “bad” hacker) to discover the same problems and use them against you.
18app and a good example of responsible disclosure
A few weeks ago, an 18-year-old ethical hacker, Luca Milano, discovered and reported a few important security issues in 18app, the software that manages a cultural bonus of 500 Euros awarded to Italian citizens born in 1998 (to be used for books, movie tickets, theater performances, etc.). Luca was rigorous, correct and professional; before reporting his findings publicly, he communicated the vulnerabilities through responsible disclosure, and reported the information to the relevant CERT, the organization in charge of handling computer security incidents.
Sogei, the company of the Ministry of Economy that developed 18app, was able to promptly address the issues and release a fixed version in just a few hours. We can only congratulate CERT Nazionale, CERT-PA, and Sogei for having acted so promptly and efficiently, and thank Luca for his good work. For more details on the story, you can read the article on his technical blog, published after the problems were solved.
A virtuous example overseas: Hack the Pentagon
Last spring, the U.S Department of Defense launched an experiment called “Hack the Pentagon”: a thirty-day bug bounty program, during which 1,400 hackers were invited to identify security vulnerabilities within several government websites. Their numerous reports helped to resolve 138 different security issues and the efforts were compensated with $75,000 in rewards, a relatively modest budget considering the improvements in security for both the websites and the citizens who use them.
Aside from the obvious concrete benefits, the “Hack the Pentagon” program also served to confirm the existence of a community of ethical hackers willing to collaborate with the government to improve national security. Here we quote two statements from U.S Government officials, which were released at the end of the program.
We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks. We know that. What we didn’t fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference, who want to help keep our people and nation safer.
Ashton B. Carter – Secretary of Defense
What Hack the Pentagon validated is that there are large numbers of technologists and innovators who want to make a contribution to our nation’s security, but lack a legal avenue to do so.
Eric Fanning – Secretary of Army
We are very pleased to hear that the European Parliament has also recently launched (on December 1st) a program to improve cybersecurity.
A national program of responsible disclosure
As Italian Digital Team, we firmly believe in responsible disclosure as the primary tool for communicating with Italian and international communities of ethical hackers, especially when our security, privacy, and personal information is at stake. We also believe that those who are able to identify a problem and communicate it in a timely and private manner – disclosing the details only once the problem has been solved – should be compensated.
A program of responsible disclosure must also facilitate the quick resolution of security problems and minimize the risks for citizens. Resolving flaws in a timely manner is crucial to reducing the exposure of our software to malicious attackers.
It is with the intention of creating such a program that we have begun discussions with CERT Nazionale and CERT-PA to define and publish a national policy for responsible disclosure. We are also investigating the technical and normative frameworks (including legal protection of those who make the disclosures) to verify the requirements for the launch of the program, which may also, eventually, include a bug bounty. Instead of creating a framework from scratch, we will compare the technical strategies of successful institutions to create the best normative framework possible. This framework will take into account everyone’s best interests and ensure that the privacy of citizens remains forever protected.
And we won’t do it alone: all policy drafts will be publicly shared so we can discuss them with those who are interested. In the meantime, if you would like to contact us with questions or information, you can email us here, or leave your contact in this form and we will get back to you as soon as we are able to.
We would like to thank all the security experts, bloggers and technical journalists who proposed ideas and constructive solutions from their blogs and newspapers.
We will keep you updated on this channel.
