Articles by the cybersecurity community

Guest Post - Rajitha U. - Responsible Disclosure

Thank you to the highly respected infosec professional, Raj, for writing this article on responsible disclosure of exploitable vulnerabilities. This article highlights the reasons for being careful about how vulnerabilities are disclosed, and the ethical approach to this disclosure.

                                                        ......... 

A few days ago, I saw a cybersecurity enthusiast publish a post on how he had found a brand-new vulnerability affecting a network security device. No doubt it’s cool when someone identifies a bug/security flaw, and many followers congratulated him on his findings. It turned out the person found the flaw and then, within a few hours, posted it straight to social media.

Finding a security flaw/vulnerability is a fantastic thing. However, you must also disclose it responsibly.


There are three ways of doing a disclosure:


Private disclosure

In the private disclosure model, the vulnerability is reported privately to the organisation. The organisation may choose to publish the details of the vulnerabilities, but this is done at the discretion of the organisation, not the researcher, meaning that many vulnerabilities may never be made public. The majority of bug bounty programs require that the researcher follows this model.

 

Public (or Full) Disclosure

The full details of the vulnerability are made public as soon as they are identified. This means that the full details (sometimes including exploit code) are available to attackers, often before a patch is available. The full disclosure approach is primarily used in response to organisations ignoring reported vulnerabilities, in order to put pressure on them to develop and publish a fix.

 

Responsible or coordinated disclosure

Responsible disclosure attempts to find a reasonable middle ground between these two approaches. With responsible disclosure, the initial report is made privately, but with the full details being published once a patch has been made available (sometimes with a delay to allow more time for the patches to be installed).

In many cases, the researcher also provides a deadline for the organisation to respond to the report or to provide a patch. If this deadline is not met, then the researcher may adopt the full disclosure approach and publish the full details.

 

It’s clear that the responsible disclosure approach is designed to ensure that security researchers/enthusiasts identify security flaws/vulnerabilities and that product owners/vendors fix them within a reasonable time. This approach also imposes time limits on vendors to act; if they do not, the researcher can go for full disclosure.

 

So why would people go with full disclosure?


- Lack of understanding of vulnerability disclosure ethics.

- To gain public attention (for the person).

- Unavailability of a proper vulnerability disclosure policy from the product vendor.

 

Why you shouldn’t choose public disclosure as the first option

 

- The intention of finding a vulnerability is to get it fixed, so if we do a full disclosure in the first place, attackers could easily exploit or weaponise it and cause harm to systems used by the general public.

- Someone else may already have done a responsible disclosure, and the product owner/vendor may already be working on a fix (this period is known as a disclosure embargo).

- You may be violating the software use agreement and could face legal challenges.

- You may be breaking the ethics of cybersecurity. This may also severely impact your career.

If you ever find a vulnerability/security flaw, the best thing you can do is a responsible vulnerability disclosure, so you play your part in the fight against cybercriminals. If you are unsure, get advice from a cybersecurity professional.


Further Reading

 

ASD ISMS guidelines on Vulnerability disclosure program - https://www.cyber.gov.au/acsc/view-all-content/guidance/application-development

International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 29147:2018, Information technology – Security techniques – Vulnerability disclosure, at https://www.iso.org/standard/72311.html

CISA Coordinated Vulnerability Disclosure (CVD) Process - https://www.cisa.gov/coordinated-vulnerability-disclosure-process

#cybersecurityFAQ - Does HTTPS mean the site is safe?

The Cybersecurity FAQ series, in the Demystify Cyber project's blog, looks at some commonly asked questions about cybersecurity and cybercrime. If you have a query you would like covered in a future blog post please contact Demystify Cyber via the contact form.

________________________________________


QUESTION: If the website has HTTPS does that mean it is safe?

ANSWER: HTTPS means the web traffic is encrypted for data transmission security, but it does not mean the website is safe.

The Hypertext Transfer Protocol Secure (HTTPS), first used in 1994, places a layer of encryption over HTTP to help prevent sensitive data, like payment details, from being eavesdropped on or leaked. This means that a site using HTTPS is encrypted and private; however, just because a website is using HTTPS does not mean the site is safe from being compromised, nor does it prevent a site from dropping malware on its visitors' computers or being used to phish for credentials. In fact, criminals may purchase their own certificates to create malicious websites using HTTPS.

Do not be lulled into a false sense of security when you see a site is using HTTPS; it may be encrypted, but that doesn't mean the site is not being used by criminals.


10 cybersecurity essentials for individuals

If you use connected or connectable technology in any form, it is essential you do what is in your power to help protect your information, finances and accounts. Although cyber security can seem daunting, it is just another avenue of life we need to learn to be secure in. From a young age you may have learned about keys and locking doors, or looking both ways before crossing a street; let's make cybersecurity as easy to understand!

Here is a list of some achievable basic cybersecurity essentials to consider.


  1. Keep software patched
  2. Use reputable and up-to-date antivirus software
  3. Use strong, unique passwords – do not reuse passwords
  4. Use 2FA or MFA wherever possible
  5. Be vigilant about phishing, vishing and smishing scams, and those seeking to groom you or your children
  6. Protect your Personally Identifiable Information (often referred to as PII) and understand how to help others protect theirs
  7. Be cautious about what you download and which links you click
  8. Back up data regularly and store the backups offline
  9. Review your online accounts and credit reports
  10. Take care what you post online about your job, access privileges and location




[Image: cartoon of a green frog typing, with a speech bubble saying it uses multi-frog authentication to keep its accounts secure]