A software company issued a legal letter against a security researcher who published details of how to attack its school computer monitoring software.
Zammis Clark, a security researcher, has published proof of concept (POC) code on Github, demonstrating how to hack Impero's Education Pro software.
Impero Solutions Ltd's solicitors, Gateley Plc, emailed the letter to Clark, and has demanded he remove details of the exploit from the internet and social media by 17 July.
Education Pro is widely used in the education sector to provide a range of services including classroom computer management, remote control and support, patch management and power management. It also has modules for monitoring internet usage for e-safety purposes, an element of the package which Clark took exception to, describing it as “essentially a corporate/educational RAT”.
In a comment celebrating the publication of the exploit code, he said: “Oh yeah - free speech for the win... internet censorship is <insert some expletives here>, and so are any and all RATs.”
The full exploit code, written in PHP, has been posted on Github.
At issue is Impero's claim that Clark published the exploit without attempting to contact them first. The company also claims that Clark violated the software agreement, which he signed up to when he downloaded the software.
In an email, Nikki Annison, director of marketing at Impero, told SCMagazineUK.com that the exploit could allow a user to “run unauthorised programs and interfere with the clients on a network”. However, it could only be used if basic network security wasn't being used and the attacker had local network access. “To date there have been no reports of any customers being affected by this,” she added.
Impero is open to working with customers and non-customers on software improvements. “Should anyone wish to highlight security improvements directly we will make this a priority and engage accordingly, as we have done in the past,” she said.
However, after Clark found and published this weakness, the company threatened him with civil and criminal legal action under the Computer Misuse Act. A letter from the company's solicitors, a copy of which is available online, spells out the grounds for Impero's complaint including violation of the end-user licence agreement, copyright infringement, breach of contract, breach of confidence and damage caused by publishing the encryption key on the internet.
Annison said those who report flaws to Impero privately have nothing to worry about. “To confirm, we will not take legal action against people that identify security issues if ethical, private reporting practices are followed, so please don't be afraid to get in touch,” she said. “In this instance these practices were not followed.”
Impero does not run a bug bounty programme but has "a variety of channels through which these issues can be communicated and discussed," Annison said.
Peter Dalton, associate at law firm Kemp Little, told SCMagazineUK.com that, if Clark decompiled the source code or modified it, it would be a breach of the terms and conditions and would be likely to be unlawful.
“Some might see this as a heavy-handed response from Impero. Some larger software companies pay rewards (bounties) to hackers who identify security flaws, for example Google's successful ‘Pwnium' programme in respect of its Chrome browser, which can pay up to $50,000 [£30,000],” he said. “However, these always require any security flaw to be reported to the owner of the software. By publishing the encryption keys on social media for all to see, Impero may have felt it had little choice but crack down hard on this.”
Bug bounty programmes are not universal, Dalton said. “A lot of software developers and experts are aware of the bounty programmes run by some software companies and this has led to a view that these are routinely available. They need to be aware that these are still exceptions to the rule, and where such reward programmes are available, the rules need to be followed exactly.”
Dalton's advice to Clark is to take legal advice and consider cooperating with Impero. “Impero may be prepared to settle with Clark rather than taking him to court, especially if he cooperates from now on in helping limit the damage,” he said.
While there are various civil remedies that Impero could pursue to recover damages, its options don't end with the civil courts. “There are other legal arguments Impero might also run, including breach of legislation which prohibits the ‘cracking' of anti-piracy security measures, and potential criminal charges which could be brought under the Computer Misuse Act,” Dalton said.
Violation of trust?
Is the company being overly hostile toward a security researcher who is only trying to help, or has he violated the trust between researchers and software vendors?
Adam Winn, manager at OPSWAT, said that software writers should be given time to respond to vulnerability discoveries before they are made public. “If such notice was not given it could be argued that publishing the exploit was overly punitive,” he said, but added that even so, “it's better to find out about a vulnerability from a researcher than from an attack”.
Jared DeMott, principal security engineer and researcher at Bromium, argues that security researchers should not be expected to find flaws for free. “This sort of thing has been going on for a long time. I've even experienced it myself. If you have a bug, some claim the responsible action is to report it to the vendor for free. But not knowing how each vendor might interpret a sudden vulnerability report turns out it's often easier to sell the bug to someone like ZDI [Zero-Day Initiative],” he said.
Matt Hillman, head of research at MWR Labs, said disclosure is a big debate. “Many companies now publish how they want to interact with researchers, inviting them to send in details of flaws while at the same time laying down the boundaries they are comfortable with. This can go as far as offering bounties for certain kinds of issue,” he said. In a similar way, researchers often lay out their own disclosure policies. “Once good intentions are established, a more collaborative approach can emerge based on the complexities of a given bug,” Hillman said.
Wieland Alge, VM and GM EMEA at Barracuda Networks said, “Impero's response is quite an unusual one. Most security vendors started bug bounty programmes to attract security researchers to help them find issues before anybody else. Its statement – which declares it will deal appropriately with any attempts made to jeopardise pupils by illegally obtaining and publicising sensitive information – is wasted breath. The hackers know what they are doing is illegal. If they can see financial gain and an easy way in they will always take it.”
Jonathan French, security analyst at AppRiver, said the practice of bug hunting and bounties is still a growing area. “In this situation where the researcher, Zammis Clark, released the information publicly first, that kind of goes against the whole ethical point of bug hunting to help,” he said. “If he discovered the vulnerability and sent the information to the company first, this whole situation would have likely never happened for him.”
French believes the laws around bug disclosure are vague and that everyone needs to tread carefully. “Taking care of bugs is in everyone's best interest in the long run. But threatening legal action any time a bug is found can also possibly turn away any future researchers from disclosing a bug to a company. If a company gets a reputation for suing anyone that brings bugs to their attention, that could mean people start selling any bugs to malicious hackers online instead,” he said. “In this particular situation (public disclosure first and then legal action taken by the company) I think both parties could have chosen better ways to handle this.”
Pat Clawson, CEO of the Blancco Technology Group, understands Impero's irritation but warns that the response may not have been appropriate. “I can understand the company's frustration that the researcher chose to publicly publish details of the hack without first approaching them privately. After all this would have given them more time to develop an effective patch. However, this still seems a very heavy-handed way of treating an individual whose only intention was to alert people to a significant risk,” he said. “As an industry, we need to collaborate and share information better and to be honest about the true flaws and gaps in our systems in order to win consumers' trust.”