When Vulnerability Disclosure Gets Ugly

Slides:



Advertisements
Similar presentations
HIPAA Workforce Training
Advertisements

Secure Multiparty Computations on Bitcoin
The First Amendment guarantees people the right to express themselves through speech and writing – Allows everyone to hear opinions and ideas of others.
School of Risk Control Excellence Employee Use of Social Media The Impact of the Virtual World on Disciplining and Firing Employees Laura Lapidus, Esq.
Copyright Myths. "If it doesn't have a copyright notice, it's not copyrighted." This was true in the past, but today almost all major nations follow the.
Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.
DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?
Write True or False for the following questions #1-20
Online infringement of copyright - the Digital Economy Act June 2010 Robin Fry.
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Is Your Mobile App Secure. DEF CON 23 Wall of Sheep Sat
Stupid Whitehat Tricks HOPE X July 20, How it Started 2011.
LEGAL AND ETHICAL RESPONSIBILITIES. LEGAL RESPONSIBILITY THOSE THAT ARE AUTHORIZED OR BASED ON LAW.
What are a journalist’s ethics? Accuracy – as much as humanly possibly, a journalist must be accurate. How can you ensure accuracy  Investigate, research.
Security Problems at Colleges All materials posted at samsclass.info and free to use.
CODE OF CONDUCT TRAINING. We conduct our global business honestly, ethically and legally, believing that good ethics is good business. The Company’s Philosophy.
BTT12OI.  Do you know someone who has been scammed online? What happened?  Been tricked into sending someone else money (not who they thought they were)
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Slides and projects at samsclass.info. Adding Trojans to Apps Slides and projects at samsclass.info.
Department of Commerce & Consumer Affairs Business Registration Division Commissioner of Securities Office Investor Education Program PREDATORY TACTICS.
Adding Trojans to Apps Slides and projects at samsclass.info.
When Vulnerability Disclosure Gets Ugly For CNIT All materials posted at samsclass.info and free to use.
ETHICS AND LEGALITIES JOURNALISM. JOBS OF JOURNALISTS POLITICAL FUNCTION – WATCHDOG OF THE GOVERNMENT ECONOMIC FUNCTION – BUSINESS, FARMING, INDUSTRIAL.
Legal, Regulations, Investigations, and Compliance Chapter 9 Part 2 Pages 1006 to 1022.
10 Big Myths about Copyright Explained Article by: Brad Templeton Presentation by: Oluwatoyin Adebona English 393 Section 501.
HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.
Legal and Ethical Dimensions of Sport Public Relations
When a collector calls:
Threat Scan (ETS) for Office 365
18 USC § 1030 Computer Fraud and Abuse Act
Cryptocurrencies by.
Information Security.
Skills for change Hot off the press! How to get media coverage.
Freedom Independence Transition
Distributed Systems for Information Systems Management
Open, Manage, and Reconcile
Blockchain beyond cryptocurrencies
So what is Blockchain anyway?
Cyber Insurance Overview
Blockchain Adrian Zaragoza.

STOP. THINK. CONNECT. Online Safety Quiz.
Data Security Team 1.
{ BLOCKCHAIN Technology. BSEtecBSEtec is a digital solution provider company which offers the best service with the implement of the latest technologies.
Article Source- Toll Free
START The way we trust is changing Presentation for Thursday at IAAO
Component 4: Introduction to Information and Computer Science Unit 2: Internet and the World Wide Web Lecture 4 This material was developed by Oregon.
Bitcoin and Why I See Bad Future for It
Reporting personal data breaches to the ICO
Cyber Issues Facing Medical Practice Managers
BLOCKCHAIN BASICS & LEGAL ISSUES
Disability Services Agencies Briefing On HIPAA
The First amendment Speech Press Religion Petition Assembly.
What is BankMobile? A process to select how to receive student refunds and student payroll payments It is fast, secure, and convenient. Go to:
Risk Management CSCE 489/689 (Software Security) Fall 2018
What You Need to Know About the LM-30
Did the truth come out in the trial?
Leading Through Crisis
Creative Media Pre-production Learning outcome 1.
Bitcoin Data Structures
Wokshop SAIS 2018 Dr. Meg Murray Kennesaw state university
Faculty Seminar Series Blockchain Technology
Blockchain Technology: A New Approach to Provenance
Vulnerability in an Android App I Found last November - Attack and Countermeasure - Ken Okuyama Sony Digital Network Applications.
What is a ‘Cryptocurrency’?
Campbell R. Harvey Duke University and NBER
Block Chain Technology in Agriculture
Legal and Ethical Responsibilities
Presentation transcript:

When Vulnerability Disclosure Gets Ugly Sam Bowne & Alex Muentz July 22, 2016 All materials posted at samsclass.info and free to use

Vulnerability Disclosures

Websmart, Inc. and 100,000 Vulnerable Websites

Results I notified vendor and some customers Customers ignored me Vendor demanded my silence, complained to CCSF, tried to get me fired Press ignored me My blog eventually pressured the vendor into admitting and fixing the problem

Pharma Infections at Colleges All materials posted at samsclass.info and free to use

19 Colleges Infected with Pharma Spam in 2014 5 Fixed within a few weeks 7 Fixed within 8 months 7 Still Infected on 7-19-14 http://samsclass.info/125/proj11/subtle-infect.htm#19more

Infections at UC Santa Cruz

UCSC cleaned their server Re-infected a week later NEED ROOT CAUSE ANALYSIS

Many More Pharma Infections Dozens of other schools, businesses, foreign sites, etc. http://samsclass.info/125/proj11/subtle-infect.htm#19more 70 more infected schools notified in May 2016 https://samsclass.info/125/proj11/hacked-schools-2016.htm

All materials posted at samsclass.info and free to use Android App Vulns All materials posted at samsclass.info and free to use

OWASP Top Ten

All vulnerable; green = fixed M10: Code Modification All vulnerable; green = fixed

M10: Code Modification

Broken SSL Medical Apps Slides and projects at samsclass.info

CERT found 265 Vulnerable Medical Apps

HIPAA

My Repeat of CERT Tests

GenieMD

LowestMed corporate

LowestMed Response Phone call to President of CCSF threatening a lawsuit After I contacted their lawyer, he told me that there is no PII in the app beyond this point, so it is not a covered entity under HIPAA

Broken SSL Testing New Apps Slides and projects at samsclass.info

Blue Cross Blue Shield of North Carolina

Leaked Blue Cross Credentials Also leaked Facebook, Twitter, and YouTube credentials

Fixed in Two Days New version refuses to use invalid SSL certificates

All materials posted at samsclass.info and free to use HIPAA Violation at LSU All materials posted at samsclass.info and free to use

Open FTP Server with Medical Data

Reaction I notified them on June 17, 2014 No reply, but server was down 4 hours later Then on Aug. 28...

Reaction

John Poffenbarger

John Poffenbarger I encourage you to promptly investigate after publicly denouncing any such behaviors, as I would not expect an institution to accept, endorse, or tolerate any such actions. I would have to wonder how this would affect the moral judgment of your graduating students entering the workforce.

LSU Legal Notice

I Protested To the reporter To the CEO of his newspaper To the Feds, against LSU, for HIPAA whistleblower retaliation After a few days, it was clear that none of this was going to do any good

I Believed My actions were 100% lawful Newspapers can't just publish complete lies and get away with it I enjoyed HIPAA whistleblower protection I'm in real trouble now, time to call a lawyer

Part 2: Alex Muentz

Why am I here? Who am I? Teller of good stories Law-talking-guy A lawyer has to think strategically about pressure and motivations

Here’s how I see the story Sam informs UH Conway UH Conway’s compliance consultant informs local news Generalist outlet, so details simplified and incorrect But who cares, right? Anybody who cares can tell the difference

The story continues Infosec picks up the local story- Reads between the lines Clickbait title Now we care. People who can affect Sam are now reading (and reacting to) this. CISSP pearl clutching

The right way, the legal way and the way we did it Appeal to the good and virtuous in people Yep. The legal way Threaten litigation Can get expensive Repeats and reinforces the inaccuracy

The way we did it Goal- suppress story or change narrative Can’t appeal to best in humanity to amend story Entrenched bureaucracy Busy journalists

Threats don’t work Defamation lawsuit == story is repeated (ad nauseum) Even the most underpaid flack becomes Woodward and/or Bernstein when freedom of press is implicated

What we did Most important coverage is trade rag Trade rag has different motivations Depth and accuracy Exclusive with Sam is worthy chip Which is traded for links from original articles and corrections

Legal stuff Defamation Slander (spoken), Libel (written) Publication (transmission to a third person) of untrue, negative statement which damages reputation

Untrue, negative statements “Sam hacked the server in class” “Successfully accessed a server, affecting patient privacy” Not untrue, negative statements: “UH Conway stated that Sam hacked the server in class”

Damage to reputation Plaintiff (Sam) must either show economic harm Contracts or business lost because of statement Doesn’t have to be believed Per Se Defamation Accusation of crime Professional reputation Loathsome Disease

But the law cuts both ways… Was Sam obeying the law? 18 USC 1030/CFAA Unauthorized/exceeding authorized access Networked computer Obtaining information

Bitcoin & Blockchains

Why Should We Care? Bitcoin itself is not very interesting Scams Pyramid schemes High-risk investment Money laundering

My Evolving Position

Blockchains The technology behind Bitcoin Everyone has a copy of the complete ledger Very difficult to lie or cheat Enables business dealings with people you don't trust No trusted central authority Bank, government, regulator, ...

How Bitcoin Works Blocks are signed by miners with a SHA-256(SHA-256(block)) hash The hash must start with 69 bits of zero Difficulty is adjusted to keep the time between successes near 10 min. This makes forging signatures very difficult Miners get an award (currently 25 bitcoins) plus transaction fees Link Bitcoin 8

Bitcoin's Importance Bitcoin is a real-world test of blockchain technology A bunch of rebels, criminals, scammers, and suckers Demonstrated how well blockchains work AND THEY WORK

Merkle Tree Designed to "allow efficient and secure verification of large data structures" -- Link Bitcoin 2

Block A block is a public ledger of all bitcoin transactions Every computer running the full bitcoin software has a copy of the entire blockchain Every 10 minutes, the Bitcoin transactions are gathered together into a block and finalized by miners with proof of work A hash value that's very difficult to compute, but easy to verify Each mined block produces 25 new bitcoins (soon this value will halve)

Blockchain Voting Vote at samsclass.info

Blockchain Voting Every stakeholder has the complete blockchain Voters can verify that their voted were counted Anyone can verify the totals at any time

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.