Approaching Admins About Discovered Vulnerabilities?

[nvemb3r]

Hello,

I've been lurking in these forums every now and then to read up on random discussion (fresh account, first post), and I need some advice here.

I'm attending a school to get my Associates Degree, and we have a sort of 'system' on campus that the students and staff use. I stumbled upon a way to exploit said system (not an issue of epic proportions, but still something that bothers me), and I would like to inform the I.T. staff so they can fix it. I just don't know how to approach them. Should I drop by in person, or email them? What if they don't care? What if they get pissed? Just, too many questions with very uncertian outcomes. Anyway, enough rambling. My question is this: How do I approach the right person about a security issue?

[Pwnd2Pwnr]

Let me phrase this up for ya... YOU, tested THERE systems. So, that in itself is, in fact (99.9% positive) you are violating their TOS. Colleges / Universities give strict guidelines to what can, AND can not be done. This system may be exploitable, but what is there to gain?

If some snot nosed kid (this is not referencing you, but this is a metaphor) told me my system is flawed, I would not only report you to the administrators, I would take all of the credit for "discovering" the exploit. You are in no position to tell them there systems are flawed... at least directly.

I would keep it to yourself, and who knows, maybe one day you will have enough rapport to discuss your concerns. Universities are usually pretty thick with security (Govt projects, etc), but local campuses sometimes have a novell type system that are usually pretty bad... but telling an admin they are not doing there job is pretty ballsy, to say the least.

What is the vuln? Could be an intentional vuln. Whinnie the Poo, anyone?

Edited September 6, 2012 by Pwnd2Pwnr

[nvemb3r]

I wouldn't say I "tested" anything. I just noticed how something works, and I came here for help about doing the right thing. Anyway, if blowing the whistle does end up upsetting everyone like you said, then I'll just keep my mouth shut about the whole thing. Thanks for your time though.

[Pwnd2Pwnr]

I would imagine a small percent would love the fact you showed the enthusiasm (I would be), but until you have rapport, they would probably be complete asses about it.

[digip]

Issues like this are touchy, because you're a student, same goes for am employee at a company who stumbles upon issues like this. From the outside world, when I find things, I email the site owners right away, but thats just me. If I found this at work, I would go to my manager, and let them notify the next higher up. In your case, you would need to find someone you respect and trust, such as a professor, faculty member, counselor or such, and let them know maybe(if you decide to go public).

Then there is the option, to find out if they have a system in place for reporting issues. They might actually have a policy for reporting issues like this, and that would make it even easier. Check the schools website, student handbook, or ask a teacher you know well enough to trust that they know you weren't doing anything of ill intent and only want to help notify the correct recipients.

Last resort, leave a physical note with no return address, and make sure it gets to the faculty IT department or such. If you feel paranoid enough that there may be repercussions, but the vulnerability is one that puts other peoples information at risk for example, then by all means, leave an anonymous tip for someone in charge that can make it known to whomever needs to know. Slipping a note under the door of say the Security Admins office after hours for example.

[nvemb3r]

I would imagine a small percent would love the fact you showed the enthusiasm (I would be), but until you have rapport, they would probably be complete asses about it.

Thanks man! Also, I can see why the guys at school would be like that (I have to admit that I'm like that sometimes).

Issues like this are touchy, because you're a student, same goes for am employee at a company who stumbles upon issues like this. From the outside world, when I find things, I email the site owners right away, but thats just me. If I found this at work, I would go to my manager, and let them notify the next higher up. In your case, you would need to find someone you respect and trust, such as a professor, faculty member, counselor or such, and let them know maybe(if you decide to go public).

Then there is the option, to find out if they have a system in place for reporting issues. They might actually have a policy for reporting issues like this, and that would make it even easier. Check the schools website, student handbook, or ask a teacher you know well enough to trust that they know you weren't doing anything of ill intent and only want to help notify the correct recipients.

Last resort, leave a physical note with no return address, and make sure it gets to the faculty IT department or such. If you feel paranoid enough that there may be repercussions, but the vulnerability is one that puts other peoples information at risk for example, then by all means, leave an anonymous tip for someone in charge that can make it known to whomever needs to know. Slipping a note under the door of say the Security Admins office after hours for example.

I can't say whether or not the vuln is epic or not (I know more than my fair share of computers, but I'm not what you would call an expert pen-tester), but I'll figure something out. I've looked up articles about past users who've blown the whistle, and then suffered repercussions. While I would rather not get expelled or arrested, I don't think it would be wise to let a vuln be kept secret so someone malicous decides to take advantage of it.

Edited September 7, 2012 by nvemb3r

[Jason Cooper]

I stumbled upon a way to exploit said system (not an issue of epic proportions, but still something that bothers me), and I would like to inform the I.T. staff so they can fix it. I just don't know how to approach them. Should I drop by in person, or email them? What if they don't care? What if they get pissed? Just, too many questions with very uncertain outcomes. Anyway, enough rambling. My question is this: How do I approach the right person about a security issue?

When answering questions like this I tend to find that all my paragraphs start with "If", mainly because we don't have much information. The first thing you should do though is to not touch the vulnerability again, as if things did turn out very bad and there was a disciplinary hearing of some sort then you would look a lot more guilty if they showed logs of you playing with it for months, rather than having to admit that the logs showed you stumbling across it and never touching it again.

If there is a person specifically responsible for their IT security then report it to them. They usually will listen and as they aren't responsible for the system they won't blame you for the issue. They will also have the power to make the person responsible for the system fix it.

If there isn't a person specifically responsible for security then see if you can then report it to them as an error, "When I do this it falls over". Error reports usually get logged and people are less inclined to feel you are attacking their system when you file a bug report.

If it is something that you can't word as bug then you have reached the stage where you need to decide if you are going to report it as a security issue or not report it. If you decide to report it and you already know the admins and get on well with them, then you might feel comfortable reporting it in person. If you don't feel comfortable reporting it in person then report it via email (paper trails can be a life saver and help you prove what you reported when). Take your time when composing the email "Dude's your system sucks and I can crack it!!!" is much more likely to get someone back up than "I don't know if this is an issue but when I accidentally mistyped my username when logging in I included an apostrophe at the end, rather than reporting an invalid login it let me in but under another users account."

And the final "If" is: If they fix it good, if they don't then that is their decision your responsibility for the vulnerability passed on when you informed them of it.

[Pwnd2Pwnr]

I love it.

I was faced with a similar issue when I worked at a small, family oriented company, Atoyot. or something like that.

ANYWAYS, all of their PCs had stickers located on the bottom of the monitors. I like stickers as much as the next guy; but when each sticker had its authentication names/passwords for that unit, I thought there may have been an issue. I heard the IT guy there was a complete ass all of the time and half assed everything. Did I bring this up? A small part of me wanted to, but, being a Japanese owned company, I would have got canned... no second thoughts; "WE DON'T PAY YOU TO THINK, WE PAY YOU TO BE A ROBOT!".

[nvemb3r]

Ok. I asked my professor about who to talk to, and he pointed me out to the school's Help Desk. I sent them an email explaining my findings, and they said that they would forward it to the appropriate department. All I have now is to see what happens, and face the consequences.

Also, thanks for your help guys. This kinda felt like a burden to me, plus this topic makes for good discussion.

[bobbyb1980]

Next time I would keep it to yourself, wait untill you graduate then approach the school as a pen tester offering your services. Your classmates, the people you'll be working with in the future, might find it hard to trust someone who reports everything, but good initiative on your part.

[Pwnd2Pwnr]

(JAWS THEME)... the help desk is a good start, but wait until the man who set the computers up gets a hold of your findings. You have a big bag of ifs, but you did what you thought w foas right. I think you are ballsier than I, that is for sure. You probably won't get a badge or a key to the city, but still, I respect how you handled it, bud.

Cheers, this shots for you!

[nvemb3r]

(JAWS THEME)... the help desk is a good start, but wait until the man who set the computers up gets a hold of your findings. You have a big bag of ifs, but you did what you thought w foas right. I think you are ballsier than I, that is for sure. You probably won't get a badge or a key to the city, but still, I respect how you handled it, bud.

Cheers, this shots for you!

I wouldn't say I had balls, but thanks though. While there are a bunch of things that could happen if I came to them, there are also a bunch of ifs with keeping my mouth shut. What if someone like me stumbles upon this? What if a trained threat is able to use this vuln to very, very bad ends.

Reminds me of a talk from my old high school principal about "doing the right thing". The talk itself revolved around school violence, not computer security, but the message sent was that if you see a problem, tell someone about it. If someone malicous decides to use this vuln to cause an epic disaster, and I kept quiet about the whole thing, I would be just as guilty as the guy commiting the crime.

Edited September 7, 2012 by nvemb3r

[Pwnd2Pwnr]

As that may be, we may never know. But, if you feel very convicted about this, then by all means, don't let me/us tell you what to do. I find it admirable, but a lot of people out there are dealing with kids at home, wives cheating, hell, even having there job on the line everyday because of internet criminals. I don't enjoy destroying things, I enjoy improving things. Sure, I may not be an author of a bad ass http://www.attack-scanner.com, like Digip, but I do know integrity. We all live everyday to learn. Our perceptions and convictions are what make us, and if you are sincere that this is a serious breach of security (vital information, SS#, DoB, etc), then you will make the right decision.

Good luck, and let em know Hak5 sent ya! lol... don't do that.. :) ..

[nvemb3r]

Thanks! :)

Anyway, I hope the school's helpdesk finds the info I gave them useful, and I hope that some other person in a similar situation finds this post.

[AshiOni]

I agree with Pwnd2Pwnr on this one - I would have just kept it to myself - true story - I had to take a basic windows admin class as a pre-req a few years ago when I was working on my homeland security cert - I refuse to test out of classes like this because no matter how much you think you know, you will always learn something (never hurts to renew your basics either) at any rate this class was using vmware virtual machines hosted locally on the windows 7 workstation - while working on my VM I hit windows+r to bring up the run command and typed regedit - I went about my day following the directions of the class session until I couldn't find something in the registry that was supposed to be there. It then dawned on me I was in the local workstation registry and NOT the VM's registry - at that point I raised my hand and said hey prof, I just figured out that I've been mistakenly editing the local registry and not the registry of the VM, you might want to make sure no one else made the same mistake AND you might want to pass along to the helpdesk that for some reason normal users have access to edit the registry in areas they shouldn't. A few days later I received a disciplinary warning letter from the school stating I had broken the terms of use policy. As I thought this was surprisingly short sighted and stupid I felt the need to fight them because it was a simple mistake that it turns most of the entire class had done as well. To get this "warning" stricken from our student files we had to go in front of a board to explain the problem. I personally have a lawyer on retainer (everyone should have one of those guys) and sent her in my place...