A Lesson on why Reporting Security Problems can be Dangerous
After the increasing public and market awareness over the last few years of the need for efficient handling of reported security vulnerabilities and related issues, it is still distressing to see reports of companies, government agencies, and educational institutions that persist in attacking those who report vulnerabilities.
If a vulnerability has been discovered through malicious activity or intentional probing, then there may be grounds to criticise the way it was reported, but if it has been discovered by accident or other unintentional activity, criticism can drive the well-intentioned discoverer away from reporting issues at all.
A recent case in Oregon serves as a warning to those who are looking to report issues that they have found. When a student journalist stumbled across an intriguing file on a public share and took a look inside it, thinking he had found information about a part of the University, he was surprised to find that it contained sensitive personal data on former students of Western Oregon University.
By downloading the file so that the student paper he worked for could publish an article about the lapse in security, the student almost found himself expelled from the University. This took place even though he was the one who reported the incident to the University.
Not only did the student face a disciplinary hearing (where he was not expelled but ended up with a permanent entry on his record), but the student paper's advisor was dismissed for having mishandled the file and not having properly advised the students about the University's computer policies. The relevant section of the computer use policy that was breached related to prohibiting access to confidential files that might have been inadvertently made available publicly (though how you can tell without actually looking hasn't been made clear). In addition to the permanent entry on his record, the student involved is to publish an article in the student paper about the importance of computer policies, but the paper will not be required to actually publish the article.
The dismissed advisor indicated that she wouldn't have changed anything about her actions regarding the incident, even if she had been fully aware of the minutiae of the computer usage policy. Leaving a disk containing the confidential file in an unlocked office and allowing it to be taken off the University campus are two actions that probably should be changed if the process were to be repeated. Just because you know you have a confidential file obtained from a source that shouldn't have exposed it doesn't absolve you from the need to apply appropriate handling and protection to the file.
When University IT staff conducted a search of the paper's computers without informing the paper's staff, it added to the building resentment over how the incident has been (mis)handled. There are some concerns that this activity might have been illegal under Oregon law, which places numerous restrictions on how searches of newsrooms (which the paper might be classed as) can be conducted by authorities.
9 October 2007