GDI.Foundation
A safer Internet for everybody & everywhere
Blog: GFCE 2016 (Hungary)
Global approach: Responsible Disclosure, hacking and cross-border cooperation and initiatives.

On 23 March 2016 we were honoured to be invited to talk about our work at GFCE 2016. With this blog we want to share the experience we had as ethical hackers and to keep you updated on what has been achieved and what further actions are being taken. So what is GFCE all about? This was the first meeting in Budapest to bring together professionals from a range of countries, the private sector, academia and the tech community to share lessons learned, good practices and challenges in understanding responsible disclosure or coordinated vulnerability disclosure policies, and the broader topic of ethical hacking (programs).
In other words: to make the Internet safer for all of us. And that's pretty cool.
Lessons learned and future challenges

During the conference the lessons learned and open issues were exchanged, and they made us think about how GDI.Foundation can help with the next challenges:

❖ Who do you report a Responsible Disclosure to when more parties and countries are involved? One example was the hacking of the software of a car. Do you send the RD to the car manufacturer, the company that wrote the software, or the company that installed the software and data? This also raises the question of what happens if the driver doesn't wait for the necessary software update, starts driving and has an accident and/or causes one.
❖ How to involve ethical hackers in controls (e.g. testing) and how to reward them? Is money an option, and how much is reasonable? Or is recognition in a "Hall of Fame" worth more to the ethical hacker? And what is the benefit of a bug bounty program, and how much should it pay? It seems that in the private sector everyone has a different approach, depending on the business. For example, one company stopped its bug bounty program because at a certain point in time it no longer added value (lots of false positives and low-risk vulnerabilities). Another company, however, uses bug bounties and gives high rewards, up to a maximum. How to involve and reward ethical hackers and other people who send in an RD is still an open question.
❖ How to make sure that the research information in an RD is known only to those who need to know? Especially in the case of a vulnerability that affects multiple organisations and countries, it is hard to determine who "needs to know" and must be informed. Another challenge is who should bring the information into the open (the news), and when. Communication, timing and central coordination are probably needed to limit potential damage.
❖ Is a specific law needed for ethical hacking and Responsible Disclosure? Every country has its own regulation, law and culture. Despite the differences, everybody felt that there is a gap between ethical hacking, RDs and the law, but nobody seemed willing to prosecute an ethical hacker as long as the intention is to help. They all committed to the manifesto and are taking steps to involve lawmakers in this process. As ethical hackers we were able to show that over the last 17 years Victor has reported more than 4,700 Responsible Disclosures worldwide and has never been prosecuted by any government and/or organisation. We use the Responsible Disclosure guideline of the Dutch NCSC to back us up on the do's and don'ts should we ever be confronted in court. Besides that, we started a foundation to safeguard our intention. However, we have to make sure our work is auditable and that organisations can trust our intention and our work despite the (lack of) law or regulation. This is an action for me, as ex-auditor, to be "in control" of.
❖ What to do with Responsible Disclosures under outsourcing and (legacy) contracts? Outsourcing IT activities and services is quite common in the ICT environment. Nowadays, however, we are all confronted with vulnerabilities and the financial cost of fixing them. In the worst scenario the vulnerability is not fixed because the cost is not contractually covered between the parties, while the vulnerability is widely known. Maybe splitting the costs is, for now, the best option for the community (..).
❖ Does it stop after fixing a Responsible Disclosure, or is that the beginning? The chance of more vulnerabilities and of receiving more Responsible Disclosures is huge. Not only the complexity of ICT and the legacy, but also the growing connectivity of things and "time to market" are putting great pressure on security, testing and the profits of organisations. Receiving a Responsible Disclosure does not only affect those who have to solve the vulnerability; it also requires a learning process to minimise vulnerabilities in the future. What is the cause of the vulnerability? Do we have to adjust the change management process? Is our testing outdated and does it need to be adjusted? So far I haven't seen a process or role in organisations that is accountable for this and whose results can be shared with others to learn from. Yet for now, for the next generation and to preserve a free and open Internet, this is a fundamental aspect. Learning and sharing the knowledge is essential.
Our experience

It was good to meet so many people from all over the world who share the same goal as we do: achieving a safer Internet for all of us and for the next generation. The private sector, academia and governments really put in the effort to make the meeting a success. The openness of all the actors about their experiences with responsible disclosure, bug bounties and ethical hacking also gave us insight into their views and into the impact of Responsible Disclosure. During the 3 days that we were there, Victor was continuously working to help others and sent out a couple of RDs (even at 3 in the morning). The presentation gave us the opportunity to actually show an RD concerning an organisation in Hungary. This particular RD was sent in the morning and was fixed within one hour. And that's fast! What really helped us was the openly spoken backing for our work (e.g. CISCO, NCSC, NCSIR Romania, Belgium and others) and the recognised need for our work in the total spectrum of security and vulnerabilities. Meeting everybody, and the appreciation and backing we got for the work we have done so far, encourages us to continue, and we hope to be a part of it. Besides that, it was pretty cool to get a signed book from A. Friedman, written especially for GDI.Foundation. Now I feel obliged to read all those 350 pages. I hope it has a summary... :)
GDI.Foundation and next steps after GFCE

After the presentation we received several invitations and shared information on how we can help each other (workshops, presentations, procedures, etc.). We hope that these initiatives will really happen and that we will be able to share our knowledge and start a community around the same interests and the information that is needed now and for the next generation.
We honestly hope and think that our presentation about our foundation and the work we have done so far will lead to the next steps, and we are looking forward to helping accomplish them. We especially want to thank Hungary, the NCSC and the Dutch Ministry of Foreign Affairs, who made it possible for us to come over and tell our story. But above all we want to thank all the members of GFCE 2016 for their openness in sharing lessons learned and the experiences that were shared! If you have any suggestions, advice, etc. after reading this blog, please let us know.
http://www.thegfce.com/news/news/2016/03/21/announcementdakarmeeting