Conducting a guerrilla security research test – in which a hacker deploys an exploit for research purposes, without malicious intent, to prove the weaknesses of IT systems – is nothing new. In fact, the rational response for most enterprise IT security executives might be: “We really need to hire this guy.”
Yet, even as such efforts bring to light important flaws in IT security, guerrilla security research skirts ethics and the law. And if caught, the hackers can face serious fines or even jail time.
As Enterprise Efficiency editor in chief Sara Peters notes in her recent blog, Freshmen Need Computer Security Law 101:
These aren’t small transgressions like driving 10 miles per hour over the speed limit. These aren’t mere civil suits. These are felony charges. We’re not talking about small fines. We’re talking about fines that add up to tens of thousands of dollars. We’re not talking about community service. We’re talking about incarceration. And we’re not talking about 30 days in jail. We’re talking about 30 years in prison. Sometimes the people charged with these crimes have no idea they are committing a crime. Others know but don’t fully understand or appreciate the severity of the punishments they could face.
Of course, guerrilla security research is hardly restricted to talented computer science majors. In March 2013, an anonymous hacker released a report detailing a nine-month scanning project. The project, according to an Ars Technica article, “…found 420 million IPv4 addresses that responded to probes and 36 million more addresses that had one or more ports open.”
The Ars Technica article goes on to note:
A large percentage of the unsecured devices bore the hallmarks of broadband modems, network routers, and other devices with embedded operating systems that typically aren’t intended to be exposed to the outside world. The researcher found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records. There were no signs of life from the remaining 2.3 billion IPv4 addresses.
The hacker’s resulting research report, “Internet Census 2012: Port scanning /0 using insecure embedded devices,” was released into the public domain to encourage further study. According to the hacker’s report:
Two years ago while spending some time with the Nmap Scripting Engine (NSE) someone mentioned that we should try the classic telnet login root:root on random IP addresses. This was meant as a joke, but was given a try. We started scanning and quickly realized that there should be several thousand unprotected devices on the Internet.
This is pretty sobering, yet crucial, information. And it gets worse. According to the guerrilla security research, the vulnerable devices included pieces of enterprise IT infrastructure and even industrial control systems:
The vast majority of all unprotected devices are consumer routers or set-top boxes which can be found in groups of thousands of devices. A group consists of machines that have the same CPU and the same amount of RAM. However, there are many small groups of machines that are only available a few to a few hundred times. We took a closer look at some of those devices to see what their purpose might be and quickly found IPSec routers, BGP routers, x86 equipment with crypto accelerator cards, industrial control systems, physical door security systems, big Cisco/Juniper equipment and so on. We decided to completely ignore all traffic going through the devices and everything behind the routers. This implies no arp, dhcp statistics, no monitoring or counting of traffic, no port scanning of LAN devices and no playing around with all the fun things that might be waiting in the local networks.
Basically, the guerrilla security research found that insecure devices are everywhere on the Internet, not specific to any one ISP or country. The report concludes:
A lot of devices and services we have seen during our research should never be connected to the public Internet at all. As a rule of thumb, if you believe that ‘nobody would connect that to the Internet, really nobody’, there are at least 1000 people who did. Whenever you think ‘that shouldn’t be on the Internet but will probably be found a few times’ it’s there a few hundred thousand times. Like half a million printers, or a Million [sic] Webcams, or devices that have root as a root password. We would also like to mention that building and running a gigantic botnet and then watching it as it scans nothing less than the whole Internet at rates of billions of IPs per hour over and over again is really as much fun as it sounds like.
Ok, now that you’re done disconnecting every single Internet-connected device in your environment, let’s talk about the broader implications of this guerrilla security research.
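Before pulling every cable, a more measured response is to look for the two signals behind the findings quoted above in your own logs: a cleartext telnet login accepted from outside your internal networks, and a single source grinding through failed logins. The following is an added example, not code from the article or from the census report; it parses constructed log lines in an assumed syslog-like format and treats only the RFC 1918 ranges as internal.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log lines in an assumed syslog-like format
# (not taken from the census report or any real device).
SAMPLE_LOG = """\
Mar 17 02:11:03 rtr1 telnetd[412]: login from 203.0.113.9 as root: accepted
Mar 17 02:11:05 rtr1 telnetd[412]: login from 198.51.100.4 as root: failed
Mar 17 02:11:06 rtr1 telnetd[412]: login from 198.51.100.4 as admin: failed
Mar 17 02:11:07 rtr1 telnetd[412]: login from 198.51.100.4 as root: failed
Mar 17 02:11:09 rtr1 telnetd[412]: login from 192.168.1.20 as root: accepted
Mar 17 02:11:12 rtr1 sshd[900]: login from 203.0.113.9 as root: accepted
"""

LINE_RE = re.compile(
    r"(?P<svc>telnetd|sshd)\[\d+\]: login from (?P<src>[\d.]+) "
    r"as (?P<user>\w+): (?P<result>accepted|failed)"
)

# Only the RFC 1918 ranges count as "inside"; everything else is treated as exposure.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)

def parse(log_text):
    """Yield (service, source_ip, user, result) for each line the pattern matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("svc"), m.group("src"), m.group("user"), m.group("result")

def find_exposed_logins(log_text):
    """Accepted logins over cleartext telnet from a non-internal source:
    the exposure pattern the census exploited."""
    return [(svc, src, user) for svc, src, user, result in parse(log_text)
            if svc == "telnetd" and result == "accepted" and not is_internal(src)]

def find_credential_sweeps(log_text, threshold=3):
    """Sources with at least `threshold` failed logins: a default-credential sweep."""
    failures = Counter(src for _, src, _, r in parse(log_text) if r == "failed")
    return {src: n for src, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    print(find_exposed_logins(SAMPLE_LOG))
    print(find_credential_sweeps(SAMPLE_LOG))
```

Any hit from `find_exposed_logins` means the device is reachable with cleartext credentials from the public Internet, which is the condition to fix (disable telnet, change the default password, filter the port) rather than simply unplug.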
For starters, we know that this hacker broke multiple laws in multiple countries. Should authorities seek to prosecute him? Or would their time be better spent pursuing the bad actors who are taking advantage of the loopholes he exposes? I’d personally rather see my tax dollars spent on the latter, though history shows that the folks behind such guerrilla research tests are not immune from prosecution.
Beyond the law, is this type of guerrilla security research ethical? In his report, the hacker says he meant to do no harm. It’s hard not to see this report as serving the public good by bringing these glaring weaknesses to light. He also states that he took steps to ensure he did not interfere with any of the machines and ceased probing in any cases where he felt he was violating individual privacy or doing any harm. Assuming we can take his statements as truth, many would argue that his actions still skirt the ethics line. I’m personally in favor of this kind of research as long as no one is harmed because I feel it’s essential to enhancing Internet security.
What do you think? Share your opinions in the comments field below.
About the Author
Susan Nunziata is Director of Editorial for EnterpriseEfficiency.com, a UBM Tech community.