Security Watch

To Protect and Secure the Web

Security group wants to change law that prevents most forms of Web penetration testing. Plus: on the wrong side of leaky P2P.

• By Russ Cooper
• 08/01/2007

It really boils down to whom do you want to perform your penetration testing? Criminals are likely to do it regardless of what the law says. Others, possibly without criminal intent, may do it to make a name for themselves, their products or their company. Will they inform you first? Possibly, but without a contract there’s no guarantee. Some might claim to be doing it to secure the Web -- yet, in reality they may be feeding the information they glean over to criminals. Finally there are the legitimate researchers whose only intent is discovering an issue and bringing it to your sole attention. Unfortunately, in this day and age, this last group is among the minority.

On the other hand, you could simply purchase code reviews and penetration testing from a reputable firm and know what they discover with a contract to ensure that the information remains confidential. This, together with educated coders and a determined security policy, and you’ll likely ensure the security of your visitors without the aid of others.

The CSI position is fraught with dangers. If there were laws to protect “research,” no doubt they would be abused by criminals or those seeking to profit from your failure in one fashion or another. The problem lies largely in what it takes to determine precisely what some uninvited hacker has actually done or discovered. Governance issues make it mandatory that a company fully investigate any breach to determine the extent of information loss or leakage, and notify people accordingly. Should unrestricted “research” be allowed to cause a company to incur a forensic bill? If credit card numbers were taken, even in the name of “research”, should companies be exempt from notifying those customers that the event occurred? And if not, then shouldn’t the company have legal recourse against those who forced them to incur such a bill?

Leaky P2P Searches
An interesting study has been conducted and was recently presented at the Workshop on the Economics of Information Security conference. The study examined searches related to 30 banking institutions, their suppliers, and their products via P2P networks. The study intended to try and determine to what extent P2P usage leads to sensitive data disclosure. From more than 400,000 searches with potential to match the researcher’s criteria, they filtered the results down to more than 12,000 individual files to be manually analyzed. From this, some 1,700 documents were found to be unique and relevant, ultimately limiting that set to 1,412 unique documents.

There’s no doubt that P2P network usage by corporate systems, including systems that are used at home for both corporate and personal use -- as well as those used by third parties such as suppliers and service providers -- represents a threat to your IP. It is worth noting that the most popular P2P environment, BitTorrent, is excluded from this survey because, according to the authors, it is too difficult to monitor.

Pfizer Deflated by P2P Hack
In case you needed an example of why P2P is bad when corporate data is involved: A Pfizer employee, using a corporate system at home, installed a P2P application on their system contrary to their company’s policies. Subsequently others on the P2P network accessed files stored on the Pfizer system, including name and Social Security numbers of some 17,000 Pfizer employees. Pfizer alerted its employees of the leak.