SAFE HARBOR FOR HACKERS
APRIL 24, 2019
PRESENTERS:
JASON HADDIX
CHLOE MESSDAGHI
DON DONZAL
AGENDA
• Intro by Don Donzal, EH-Net Editor-in-Chief
• Presentation by Jason & Chloe of Bugcrowd
• Bios
• A Brief History of the Hacking Universe
• Ethical Hacking – Huh?
• Fields of Ethical Hacking
• Pentester vs Security Researcher
• An Organization’s Responsibility
• VDP & VHP
• Bringing It All Together
• It Takes a Community... And an Industry Standard!
• Q&A
• Post Game on EH-Net in the “Ethical Hacking” Group
INTRO
• Video will be made available on EH-Net
• Style = Open Conversation!
• Q&A in question tab in GTW
• Twitter using #EHNet
• Post Game in EH-Net “Ethical Hacking” Group: https://www.ethicalhacker.net/groups/ethical-hacking/
• Goal for today – Spark conversation. Advance your career!
OVERVIEW OF THE NEW EH-NET
• The Return of EH-Net
• General Layout
  • Magazine side – Columnists, Features, Global Calendar
  • Community side – Members & Profiles, Activity, Forums, Groups, Community Articles
• Integrated UX
• Building your “Personal Ethical Hacker Network”
• Articles to Reference
  • Welcome to the EH-Net Relaunch
  • Hello world! – Get Published in the EH-Net Community
  • Demo – See EH-Net Live! April 2018
• Limited Time – All new members get a free pen testing course from eLS!!
Who are you?
Poll Time!
Jason & Chloe - BIOS
Jason Haddix – VP of Researcher Growth
Jason is the VP of Researcher Growth at Bugcrowd. Jason works with Bugcrowd to improve the security industry’s relations with researchers. Jason’s interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructure security assessments, wireless network assessment, binary reverse engineering, and static analysis.
@jhaddix

Chloe Messdaghi – Security Researcher Advocate / PM
Since entering the cybersecurity space, she has seen security as a humanitarian issue. Her humanitarian work includes advising as a UN Volunteer and serving as a board member for several humanitarian organizations. Chloe is also one of the WoSEC founders, heads the WoSEC SF Chapter, mentors and advocates for inclusion in InfoSec, and founded a nonprofit called Drop Labels.
@ChloeMessdaghi
DEF: HACK
A BRIEF HISTORY OF THE HACKING UNIVERSE
1939 – Turing and The Bombe
1960 – MIT Hackers
1969 – ARPANET
1971 – 1st Military Tiger Team
1975-6 – Microsoft, Apple
1981 – CCC Forms (Germany)
1983 – WarGames
1984 – 2600
1986 – Cliff Stoll; US Computer Fraud and Abuse Act
1988 – Morris Worm; DARPA creates CERT
1993 – DEF CON 1
1995 – Mitnick; 1st Bug Bounty Program (Netscape); “Ethical Hacking” Coined (John Patrick of IBM)
1998 – L0pht visits Congress
2002 – Gary McKinnon
2010 – Stuxnet
2013 – Snowden; Yahoo 3 Billion records breached
2017 – WannaCry
ETHICAL HACKING – HUH?
Performing computer security related activities with permission.
• Oxymoron? Nope
• Media focus on crime = negative association
• More specific term for clarification
• Good guys using bad guys’ tools & techniques
• Umbrella term to include numerous specialties
• Only now being accepted
FIELDS OF ETHICAL HACKING
• Ethical Hacking
  • Penetration Testing – Network, WebApp, Mobile
  • Forensics – System, OS, Network
  • Incident Response
  • Dev – Exploit, RE
PENTESTER VS SECURITY RESEARCHER
(Diagram labels: Hacking Skills – Pentesting, Research)
SAFE HARBOR
noun
1. a harbor considered safe for a ship, as in wartime or during a storm at sea.
2. any place or situation that offers refuge or protection.
AN ORGANIZATION’S RESPONSIBILITY
• To itself
  • Its own people
  • Reputation
  • Mission
• To those it serves
  • Clients
  • Consumers
  • Community
“Overall, I’m willing to chalk this entire episode up to a complete lack of training in how to deal with the news media”
VDP & VHP
• Vulnerability Disclosure Policy
  • External
  • Public and easy-to-find line of communication
  • Clear instructions on reporting found vulns
• Vulnerability Handling Policy
  • Internal
  • Specific and defined roles
  • Communication of results
SO, WHAT’S WRONG?
• ANTI-HACKING LAWS NOT CREATED WITH THE CONCEPT OF GOOD FAITH, AND ARE UNLIKELY TO CHANGE SOON
• CFAA was enacted in 1986 after Ronald watched the movie WARGAMES and freaked out
• It hasn’t changed since, and global + state anti-hacking law has been modelled off it
• “Burglars” are represented in the law, but “locksmiths” are left out
BRINGING IT ALL TOGETHER
(Diagram labels: Law Enforcement, Legal Community)
What do we need?
• Standardized, easily readable safe harbor language that can serve as a strong incentive to good-faith hackers
• Reduced ambiguity around potential conflicts between any existing terms and those specific to security research
• Increased visibility for security research programs that include explicit safe harbor status
Industry
IT TAKES A COMMUNITY... AND AN INDUSTRY STANDARD!
disclose.io
Simple, safe, standardized vulnerability disclosure.
A quick summary of disclose.io
Why? Accelerate the creation of a safer digital world by removing the legal risks involved in productive conversation between good-faith hackers and the organizations that need their input.

How? Provides easily readable safe harbor language for good-faith security research as well as a directory of companies with security research programs—aka “The List”.

What? A collaborative safe harbor framework for both companies and researchers.
Our framework is designed to balance:
Requirements
In order to leverage disclose.io for any given authorized security research program, organizations must have the following items clearly defined within the context of each disclose.io compliant program:
● Scope
● Rewards
● Official Communication Channels
● Disclosure Policy
See more here: https://github.com/disclose/disclose/blob/master/README.md#requirements
Requirements: Disclosure Policy cont.
● Coordinated Disclosure: Vulnerability details may be shared with third parties after the vulnerability has been fixed and the program owner has provided permission to disclose, or after 90 days from submission, whichever is sooner.
● Discretionary Disclosure: Vulnerability details may be shared with third parties only after requesting and receiving explicit permission from the program owner.
● Non-Disclosure: Vulnerability details (and the existence of the program itself, if private) cannot be shared with third parties.
Expectations
When working with us according to this policy, you can expect us to:
● Extend Safe Harbor for your vulnerability research that is related to this policy
● Work with you to understand and validate your report, including a timely initial response to the submission
● Work to remediate discovered vulnerabilities in a timely manner
● Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.
Ground Rules
Such as…
● Report any vulnerability you’ve discovered promptly
● Avoid violating the privacy of others, disrupting our systems, destroying data, and / or harming user experience
● Use only the Official Channels to discuss vulnerability information with us
● Keep the details of any discovered vulnerabilities confidential until they are fixed, according to the Disclosure Policy
● Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope
● Do not engage in extortion
Safe Harbor Language
When conducting vulnerability research according to this policy, we consider this research to be:
● Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
● Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
● Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
● Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
Who wants to be on the A-Team? #ItTakesATeam
Check out the latest list and send us any that are missing or any suggestions you have.
Safe Harbor Language
The List: A Directory for Hackers
So… What’s next?
2nd Poll!
BUILDING YOUR SKILLSET – JASON & CHLOE’S RESOURCE LIST
• Bugcrowd U
• Web Hacking 101
• WebApp Hacker’s Handbook
• BURP
• The Ethical Hacker Network – Resources
  – Every Business Needs a Vulnerability Disclosure Policy. Every. Single. Business.
• Disclose.io
(Diagram: skill levels New, Intermediate, Advanced)
● Experience – Employment, Home lab, CtFs, Non-profits, Open source projects, etc.
● Soft Skills – Writing, Speaking, Teaching, Volunteering @ Local Con, et al.
● Practical Training – eLearnSecurity Training Paths (NIST-NICE Role-based Training): https://www.elearnsecurity.com/course/
HOW DO I GET THERE?
What you can do next:
Check out and star/fav the disclose.io GitHub repo
Contribute to the list on disclose.io (adds, changes, deletions) and get credited for your help!
Talk to your organization about starting a VDP
If you already have a VDP, implement safe-harbor!