Presentation is loading. Please wait.

Presentation is loading. Please wait.

When Vulnerability Disclosure Gets Ugly

Published byAnnabel Hill Modified over 6 years ago

Similar presentations

Presentation on theme: "When Vulnerability Disclosure Gets Ugly"— Presentation transcript:

1 When Vulnerability Disclosure Gets Ugly
Sam Bowne & Alex Muentz July 22, 2016 All materials posted at samsclass.info and free to use

2 Vulnerability Disclosures

3 Websmart, Inc. and 100,000 Vulnerable Websites

4 Results I notified vendor and some customers Customers ignored me
Vendor demanded my silence, complained to CCSF, tried to get me fired Press ignored me My blog eventually pressured the vendor into admitting and fixing the problem

5 Pharma Infections at Colleges
All materials posted at samsclass.info and free to use

6

7 19 Colleges Infected with Pharma Spam in 2014
5 Fixed within a few weeks 7 Fixed within 8 months 7 Still Infected on

8

9 Infections at UC Santa Cruz

10 UCSC cleaned their server
Re-infected a week later NEED ROOT CAUSE ANALYSIS

11 Many More Pharma Infections
Dozens of other schools, businesses, foreign sites, etc. 70 more infected schools notified in May 2016

12 All materials posted at samsclass.info and free to use
Android App Vulns All materials posted at samsclass.info and free to use

13 OWASP Top Ten

14 All vulnerable; green = fixed
M10: Code Modification All vulnerable; green = fixed

15 M10: Code Modification

16 Broken SSL Medical Apps
Slides and projects at samsclass.info

17 CERT found 265 Vulnerable Medical Apps

18 HIPAA

19 My Repeat of CERT Tests

20 GenieMD

21 LowestMed corporate

22 LowestMed Response Phone call to President of CCSF threatening a lawsuit After I contacted their lawyer, he told me that there is no PII in the app beyond this point, so it is not a covered entity under HIPAA

23 Broken SSL Testing New Apps
Slides and projects at samsclass.info

24 Blue Cross Blue Shield of North Carolina

25 Leaked Blue Cross Credentials
Also leaked Facebook, Twitter, and YouTube credentials

26 Fixed in Two Days New version refuses to use invalid SSL certificates

27 All materials posted at samsclass.info and free to use
HIPAA Violation at LSU All materials posted at samsclass.info and free to use

28 Open FTP Server with Medical Data

29 Reaction I notified them on June 17, 2014
No reply, but server was down 4 hours later Then on Aug

30 Reaction

31 John Poffenbarger

32 John Poffenbarger I encourage you to promptly investigate after publicly denouncing any such behaviors, as I would not expect an institution to accept, endorse, or tolerate any such actions. I would have to wonder how this would affect the moral judgment of your graduating students entering the workforce.

33

34 LSU Legal Notice

35 I Protested To the reporter To the CEO of his newspaper To the Feds, against LSU, for HIPAA whistleblower retaliation After a few days, it was clear that none of this was going to do any good

36 I Believed My actions were 100% lawful
Newspapers can't just publish complete lies and get away with it I enjoyed HIPAA whistleblower protection I'm in real trouble now, time to call a lawyer

37 Part 2: Alex Muentz

38 Why am I here? Who am I? Teller of good stories Law-talking-guy A lawyer has to think strategically about pressure and motivations

39 Here’s how I see the story
Sam informs UH Conway UH Conway’s compliance consultant informs local news Generalist outlet, so details simplified and incorrect But who cares, right? Anybody who cares can tell the difference

40 The story continues Infosec picks up the local story-
Reads between the lines Clickbait title Now we care. People who can affect Sam are now reading (and reacting to) this. CISSP pearl clutching

41 The right way, the legal way and the way we did it
Appeal to the good and virtuous in people Yep. The legal way Threaten litigation Can get expensive Repeats and reinforces the inaccuracy

42 The way we did it Goal- suppress story or change narrative
Can’t appeal to best in humanity to amend story Entrenched bureaucracy Busy journalists

43 Threats don’t work Defamation lawsuit == story is repeated (ad nauseum) Even the most underpaid flack becomes Woodward and/or Bernstein when freedom of press is implicated

44 What we did Most important coverage is trade rag
Trade rag has different motivations Depth and accuracy Exclusive with Sam is worthy chip Which is traded for links from original articles and corrections

45 Legal stuff Defamation Slander (spoken), Libel (written)
Publication (transmission to a third person) of untrue, negative statement which damages reputation

46 Untrue, negative statements
“Sam hacked the server in class” “Successfully accessed a server, affecting patient privacy” Not untrue, negative statements: “UH Conway stated that Sam hacked the server in class”

47 Damage to reputation Plaintiff (Sam) must either show economic harm
Contracts or business lost because of statement Doesn’t have to be believed Per Se Defamation Accusation of crime Professional reputation Loathsome Disease

48 But the law cuts both ways…
Was Sam obeying the law? 18 USC 1030/CFAA Unauthorized/exceeding authorized access Networked computer Obtaining information

49 Bitcoin & Blockchains

50 Why Should We Care? Bitcoin itself is not very interesting Scams
Pyramid schemes High-risk investment Money laundering

51 My Evolving Position

52

53

54 Blockchains The technology behind Bitcoin
Everyone has a copy of the complete ledger Very difficult to lie or cheat Enables business dealings with people you don't trust No trusted central authority Bank, government, regulator, ...

55

56

57

58

59 How Bitcoin Works Blocks are signed by miners with a SHA-256(SHA-256(block)) hash The hash must start with 69 bits of zero Difficulty is adjusted to keep the time between successes near 10 min. This makes forging signatures very difficult Miners get an award (currently 25 bitcoins) plus transaction fees Link Bitcoin 8

60 Bitcoin's Importance Bitcoin is a real-world test of blockchain technology A bunch of rebels, criminals, scammers, and suckers Demonstrated how well blockchains work AND THEY WORK

61 Merkle Tree Designed to "allow efficient and secure verification of large data structures" -- Link Bitcoin 2

62 Block A block is a public ledger of all bitcoin transactions
Every computer running the full bitcoin software has a copy of the entire blockchain Every 10 minutes, the Bitcoin transactions are gathered together into a block and finalized by miners with proof of work A hash value that's very difficult to compute, but easy to verify Each mined block produces 25 new bitcoins (soon this value will halve)

63 Blockchain Voting Vote at samsclass.info

64 Blockchain Voting Every stakeholder has the complete blockchain
Voters can verify that their voted were counted Anyone can verify the totals at any time

Download ppt "When Vulnerability Disclosure Gets Ugly"

Similar presentations

HIPAA Workforce Training

HIPAA Workforce Training
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
The First Amendment guarantees people the right to express themselves through speech and writing – Allows everyone to hear opinions and ideas of others.

The First Amendment guarantees people the right to express themselves through speech and writing – Allows everyone to hear opinions and ideas of others.
School of Risk Control Excellence Employee Use of Social Media The Impact of the Virtual World on Disciplining and Firing Employees Laura Lapidus, Esq.

School of Risk Control Excellence Employee Use of Social Media The Impact of the Virtual World on Disciplining and Firing Employees Laura Lapidus, Esq.
Copyright Myths. If it doesn't have a copyright notice, it's not copyrighted. This was true in the past, but today almost all major nations follow the.

Copyright Myths. "If it doesn't have a copyright notice, it's not copyrighted." This was true in the past, but today almost all major nations follow the.
Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.

Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.
DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?

DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?
Write True or False for the following questions #1-20

Write True or False for the following questions #1-20
Online infringement of copyright - the Digital Economy Act 2010 29 June 2010 Robin Fry.

Online infringement of copyright - the Digital Economy Act June 2010 Robin Fry.
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Is Your Mobile App Secure. DEF CON 23 Wall of Sheep Sat

Is Your Mobile App Secure. DEF CON 23 Wall of Sheep Sat
Stupid Whitehat Tricks HOPE X July 20, 2014. How it Started 2011.

Stupid Whitehat Tricks HOPE X July 20, How it Started 2011.
LEGAL AND ETHICAL RESPONSIBILITIES. LEGAL RESPONSIBILITY THOSE THAT ARE AUTHORIZED OR BASED ON LAW.

LEGAL AND ETHICAL RESPONSIBILITIES. LEGAL RESPONSIBILITY THOSE THAT ARE AUTHORIZED OR BASED ON LAW.
What are a journalist’s ethics? Accuracy – as much as humanly possibly, a journalist must be accurate. How can you ensure accuracy  Investigate, research.

What are a journalist’s ethics? Accuracy – as much as humanly possibly, a journalist must be accurate. How can you ensure accuracy  Investigate, research.
Security Problems at Colleges All materials posted at samsclass.info and free to use.

Security Problems at Colleges All materials posted at samsclass.info and free to use.
CODE OF CONDUCT TRAINING. We conduct our global business honestly, ethically and legally, believing that good ethics is good business. The Company’s Philosophy.

CODE OF CONDUCT TRAINING. We conduct our global business honestly, ethically and legally, believing that good ethics is good business. The Company’s Philosophy.
BTT12OI.  Do you know someone who has been scammed online? What happened?  Been tricked into sending someone else money (not who they thought they were)

BTT12OI.  Do you know someone who has been scammed online? What happened?  Been tricked into sending someone else money (not who they thought they were)
Copyright © 2011 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Slides and projects at samsclass.info. Adding Trojans to Apps Slides and projects at samsclass.info.

Slides and projects at samsclass.info. Adding Trojans to Apps Slides and projects at samsclass.info.
Department of Commerce & Consumer Affairs Business Registration Division Commissioner of Securities Office Investor Education Program PREDATORY TACTICS.

Department of Commerce & Consumer Affairs Business Registration Division Commissioner of Securities Office Investor Education Program PREDATORY TACTICS.

Similar presentations

Ads by Google