SAFE HARBOR - The Ethical Hacker Network

SAFE HARBOR FOR HACKERS

APRIL 24, 2019

PRESENTERS: JASON HADDIX, CHLOE MESSDAGHI, DON DONZAL

AGENDA

• Intro by Don Donzal, EH-Net Editor-in-Chief
• Presentation by Jason & Chloe of Bugcrowd
  • Bios
  • A Brief History of the Hacking Universe
  • Ethical Hacking – Huh?
  • Fields of Ethical Hacking
  • Pentester vs Security Researcher
  • An Organization's Responsibility
  • VDP & VHP
  • Bringing It All Together
  • It Takes a Community... And an Industry Standard!
• Q&A
• Post Game on EH-Net in the "Ethical Hacking" Group

INTRO

• Video will be made available on EH-Net
• Style = Open Conversation!
• Q&A in the question tab in GTW
• Twitter using #EHNet
• Post Game in the EH-Net "Ethical Hacking" Group: https://www.ethicalhacker.net/groups/ethical-hacking/
• Goal for today – Spark conversation. Advance your career!

OVERVIEW OF THE NEW EH-NET

• The Return of EH-Net
• General Layout
  • Magazine side – Columnists, Features, Global Calendar
  • Community side – Members & Profiles, Activity, Forums, Groups, Community Articles
• Integrated UX
• Building your "Personal Ethical Hacker Network"
• Articles to Reference
  • Welcome to the EH-Net Relaunch
  • Hello world! – Get Published in the EH-Net Community
  • Demo – See EH-Net Live! April 2018
  • Limited Time – All new members get a free pen testing course from eLS (eLearnSecurity)!


Who are you?

Poll Time!

Jason & Chloe – BIOS

Jason Haddix – VP of Researcher Growth
Jason is the VP of Researcher Growth at Bugcrowd. Jason works with Bugcrowd to improve the security industry's relations with researchers. Jason's interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructure security assessments, wireless network assessment, binary reverse engineering, and static analysis.
@jhaddix

Chloe Messdaghi – Security Researcher Advocate / PM
Since entering the cybersecurity space, Chloe has seen security as a humanitarian issue. Her humanitarian work includes advising as a UN Volunteer and serving as a board member for several humanitarian organizations. Chloe is also one of the WoSEC founders, heads the WoSEC SF Chapter, mentors and advocates for inclusion in InfoSec, and founded a nonprofit called Drop Labels.
@ChloeMessdaghi


DEF: HACK

A BRIEF HISTORY OF THE HACKING UNIVERSE

1939 Turing and The Bombe
1960 MIT Hackers
1969 ARPANET
1971 1st Military Tiger Team
1975-6 Microsoft, Apple
1981 CCC Forms (Germany)
1983 WarGames
1984 2600
1986 • Cliff Stoll • US Computer Fraud and Abuse Act
1988 • Morris Worm • DARPA creates CERT
1993 DEF CON 1
1995 • Mitnick • 1st Bug Bounty Program (Netscape) • "Ethical Hacking" Coined (John Patrick of IBM)
1998 L0pht visits Congress
2002 Gary McKinnon
2010 Stuxnet
2013 • Snowden • Yahoo 3 Billion records breached
2017 WannaCry

ETHICAL HACKING – HUH?

Performing computer-security-related activities with permission.

• Oxymoron? Nope
• Media focus on crime = negative association
• A more specific term, for clarification
• Good guys using the bad guys' tools & techniques
• Umbrella term covering numerous specialties
• Only now being accepted

FIELDS OF ETHICAL HACKING

Ethical Hacking
• Penetration Testing – Network, WebApp, Mobile
• Forensics – System, OS, Network
• Incident Response
• Dev – Exploit, RE

PENTESTER VS SECURITY RESEARCHER

(chart: Hacking Skills, compared across Pentesting and Research)

SAFE HARBOR

noun
1. a harbor considered safe for a ship, as in wartime or during a storm at sea.
2. any place or situation that offers refuge or protection.

AN ORGANIZATION'S RESPONSIBILITY

• To itself
  • Its own people
  • Reputation
  • Mission
• To those it serves
  • Clients
  • Consumers
  • Community

"Overall, I'm willing to chalk this entire episode up to a complete lack of training in how to deal with the news media"

VDP & VHP

• Vulnerability Disclosure Policy
  • External
  • Public and easy-to-find line of communication
  • Clear instructions on reporting found vulns
• Vulnerability Handling Policy
  • Internal
  • Specific and defined roles
  • Communication of results

SO, WHAT'S WRONG?

• ANTI-HACKING LAWS WERE NOT CREATED WITH THE CONCEPT OF GOOD FAITH, AND ARE UNLIKELY TO CHANGE SOON
• The CFAA was enacted in 1986 after Ronald Reagan watched the movie WARGAMES and freaked out
• Its core prohibitions have changed little since, and international and state anti-hacking laws have been modelled on it
• "Burglars" are represented in the law, but "locksmiths" are left out

BRINGING IT ALL TOGETHER

(diagram: Law Enforcement, Legal Community, Industry)

What do we need?

• Standardized, easily readable safe harbor language that can serve as a strong incentive to good-faith hackers
• Reduced ambiguity around potential conflicts between any existing terms and those specific to security research
• Increased visibility for security research programs that include explicit safe harbor status


IT TAKES A COMMUNITY... AND AN INDUSTRY STANDARD!


disclose.io

Simple, safe, standardized vulnerability disclosure.

A quick summary of disclose.io

Why?
Accelerate the creation of a safer digital world by removing the legal risks involved in productive conversation between good-faith hackers and the organizations that need their input.

How?
Provides easily readable safe harbor language for good-faith security research as well as a directory of companies with security research programs, aka "The List".

What?
A collaborative safe harbor framework for both companies and researchers.


Our framework is designed to balance:

Requirements

In order to leverage disclose.io for any given authorized security research program, organizations must have the following items clearly defined within the context of each disclose.io compliant program:

● Scope
● Rewards
● Official Communication Channels
● Disclosure Policy

See more here: https://github.com/disclose/disclose/blob/master/README.md#requirements

Requirements: Disclosure Policy cont.

● Coordinated Disclosure: Vulnerability details may be shared with third parties after the vulnerability has been fixed and the program owner has provided permission to disclose, or after 90 days from submission, whichever is sooner.
● Discretionary Disclosure: Vulnerability details may be shared with third parties only after requesting and receiving explicit permission from the program owner.
● Non-Disclosure: Vulnerability details (and the existence of the program itself, if private) cannot be shared with third parties.

Expectations

When working with us according to this policy, you can expect us to:

● Extend Safe Harbor for your vulnerability research that is related to this policy
● Work with you to understand and validate your report, including a timely initial response to the submission
● Work to remediate discovered vulnerabilities in a timely manner
● Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

Ground Rules

Such as…

● Report any vulnerability you've discovered promptly
● Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience
● Use only the Official Channels to discuss vulnerability information with us
● Keep the details of any discovered vulnerabilities confidential until they are fixed, according to the Disclosure Policy
● Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope
● Do not engage in extortion

Safe Harbor Language

When conducting vulnerability research according to this policy, we consider this research to be:

● Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
● Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
● Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
● Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.


Who wants to be on the A-Team? #ItTakesATeam

Check out the latest list and send us any that are missing or any suggestions you have.


Safe Harbor Language


The List: A Directory for Hackers


So… What’s next?

2nd Poll!

BUILDING YOUR SKILLSET – JASON & CHLOE'S RESOURCE LIST

• Bugcrowd U
• Web Hacking 101
• The Web Application Hacker's Handbook
• Burp Suite
• The Ethical Hacker Network
  – Resources
  – Every Business Needs a Vulnerability Disclosure Policy. Every. Single. Business.
• Disclose.io

HOW DO I GET THERE?

(progression: New → Intermediate → Advanced)

● Experience – Employment, Home lab, CTFs, Non-profits, Open source projects, etc.
● Soft Skills – Writing, Speaking, Teaching, Volunteering @ Local Con, et al.
● Practical Training – eLearnSecurity Training Paths (NIST-NICE Role-based Training) https://www.elearnsecurity.com/course/

What you can do next:

• Check out and star/fav the disclose.io GitHub repo
• Contribute to the list on disclose.io (adds, changes, deletions) and get credited for your help!
• Talk to your organization about starting a VDP
• If you already have a VDP, implement safe harbor!

THANK YOU FOR JOINING

[email protected]

Follow us:

Q&A
POST GAME IN EH-NET GROUPS