Some private companies encourage responsible reporting of vulnerabilities and security issues through bug bounty programs, but this is different for other software developers and public bodies. The concept of ethical hacking does not exist in our country, at least at the regulatory level. Cyber attacks are the order of the day because the data held by companies, the Public Administration (PA), professionals, and individuals are gold for criminals.
There is industrial espionage, and there is still the will to damage a competitor by assuming the inadequacy of its disaster recovery plans. Still, the goal of cybercriminals is much more often that of stealing personal data and sensitive information to directly profit from it by reselling everything to other subjects or, for example, asking for a ransom to unlock data encrypted with a strong algorithm (that cannot be factored) and a key that is hidden from the victim (how ransomware works ).
Algorithms like RSA-2048 and RSA-4096, which use 2048 and 4096-bit cryptographic keys, respectively, have not been factored in and will not be factored for many years, even considering the progress that is being made in the use of computational resources involving, for example, batteries of high-end GPUs, now easily available on the cloud, and quantum computers which are being talked about more and more often and with growing interest.
We know what a cyber attack is, how it arises and how often the problem that generates the incident with the consequent violation of personal data ( data breach ) originates within the company or public body targeted by the attack. We’ll talk about it later.
Web Security Vulnerabilities: When A Platform Becomes Open To Attack From The Outside
The Open Web Application Security Project ( OWASP ) is a project that took shape more than twenty years ago, in 2001. It aims to create guidelines, tools, and methodologies to improve application security. In other articles, we have seen that the threat to data integrity, confidentiality, and availability can come from within the organization itself.
If user privileges are not assigned correctly, if they are shared that they shouldn’t be, if the network is not intelligently segmented, if security tools are not used at a centralized level, a malware running on a single workstation (for example, activated unknowingly by an employee or a collaborator, even connected remotely via VPN) could start moving sideways.
Diffusion in the local network can therefore cause serious damage and allow remote subjects to take control of the infrastructure by taking possession of the data managed therein. Sometimes security vulnerabilities also afflict the Web platforms used by companies and PAs: gaps in development can allow unauthorized subjects to take possession of confidential information or damage the managed data.
The OWASP Top Ten is a globally recognized ranking that aims to raise awareness of programmers, business people, decision-makers, and the public about securing applications by identifying some of the most critical risks. When we talked about DevOps, we saw how increasingly important the DevSecOps software development philosophy is today: the aspects related to security have assumed an increasingly central role.
By carefully carrying out the safety checks during the development phase, clear benefits are obtained in terms of costs because the risks of subsequent accidents can be prevented or, in any case, reduced to a minimum. At the end of 2021, OWASP highlighted the following issues as the most relevant ones during the development of any software:
- Broken Access Control: Poorly designed or imperfectly implemented access control mechanisms can allow users to access resources they shouldn’t see with the rights they do have. These security gaps typically lead to unauthorized disclosure of information, modification or destruction of data, and execution of functions that should be unavailable to the user.
- Data encryption problems: When developing an application, it is necessary to evaluate the need to protect data in transit and at rest (with this second term, we refer to data saved on a storage unit, also for backup needs). Passwords, credit card numbers, medical records, personal information, and business secrets require additional protection, especially if the data falls under the regulation of specific laws such as the General Data
- Injection: Attacks of this type, which are also very common, can occur when the data provided by the user is not validated, filtered, or sanitized, for example, by removing any characters that can be used to alter the application’s behavior by sending a normal client request. Serious problems arise when the input data is handled directly by the application running on the server (think of SQL code or specific commands). Attackers performing injection attacks examine the structure of URLs, and the sequence of operations performed using GET/POST requests via JavaScript.
- Unsafe design: Insecure design refers to a broad category that encompasses several security weaknesses. A secure application design can have implementation flaws that lead to vulnerabilities that attackers can exploit. An insecure design cannot be fixed without perfect implementation because the necessary security controls have not been implemented.
- Errors in security configurations: OWASP security misconfiguration refers to the failure to use appropriate security measures in any part of the application stack or improperly configured permissions on cloud services. In this case, unnecessary features are enabled or installed (for example, unnecessary ports, services, pages, accounts, or privileges), default accounts are active and have default passwords, security settings are used in application servers, frameworks, libraries, in databases that do not ensure an adequate level of protection. In this category of vulnerabilities, some can be connected to software that is not updated with the application of security patches or web servers that send unsafe headers or directives.
- Use of outdated components: OWASP draws attention to the need to audit all software components used in various projects. Using operating systems, web servers, DBMSs, applications, APIs, execution environments, and libraries that are not updated with all the latest patches can show the side to possible attacks, especially if the attack surface is particularly exposed. A recent example is a vulnerability discovered in the Log4j component, widely used in multiple projects and companies.
- Identification and Authentication Failures: User identity verification, authentication, and session management are essential to protect against attacks. Attacks can occur if the application allows automatic attacks such as credential stuffing (the attacker has a list of valid usernames and password pairs). Data security and integrity are also undermined when the application is vulnerable to brute force attacks or other automated attacks, with predefined passwords, insecure mechanisms for recovering forgotten passwords, passwords in clear text, or weak hashing functions. Problems can arise if the session identifier is exposed if this data is reused after a successful login, if the user’s session and authentication tokens are not invalidated after logout or if a certain period of inactivity has elapsed.
- Failure to verify the integrity of the software: The services provided by the software can base their operation on resources from multiple locations. If the software uses resources provided by untrusted sources (which can therefore be modified by attackers), the security of the entire application can be broken.
- Security Logging and Monitoring Failures: When verifiable events such as logins, failed logins, and important transactions are not logged, warnings and errors do not generate logs; the use of the logs is managed only locally, and no useful measures are taken to promptly report attack attempts in real-time. The application may be more exposed to attack attempts.
- Server-Side Request Forgery: This vulnerability (SSRF) occurs whenever a web application retrieves a remote resource without validating the user-provided URL. The attacker can force the application to send a request to an arbitrary address even when a firewall, VPN, or ACL mechanism for network access is used. AgID itself publishes the guidelines for the development of secure software.
Also Read: Open The Window For Hybrid Work And More Security
Responsible Reporting Of Vulnerabilities
Major companies have long launched bug bounty programs to incentivize researchers to report security vulnerabilities responsibly and privately. Scholars who inform developers about previously unknown software vulnerabilities are paid varying amounts of money.
It is a win-win approach that allows the developer company to have the material time to fix a security vulnerability and the researcher to obtain adequate monetary recognition for the time spent identifying the new vulnerability. The platforms used by the Public Administration also suffer from vulnerabilities that can sometimes lead to the compromise of personal data or at least to the disclosure without the knowledge of the directly concerned.
The problems underlying this type of incident are essentially those highlighted by OWASP and are attributable to serious “lightness” committed in the various stages of development and testing of applications. It can, therefore, still happen today that by altering one or more data present in a URL or transmitted following a GET or POST request, one has access to confidential information that should not be obvious.
Those researchers who deal with security and participate in private bug bounty programs wonder how they should behave in the case of platforms developed or otherwise managed by the PA. The answer is that, unfortunately, the State does not encourage responsible reporting of security vulnerabilities discovered in applications and platforms of public bodies.
Given that, unlike what happens in the private sector, any economic remuneration from the State – as occurs in the case of bug bounty programs – could open the way to other problems, we believe that anyone who discovers security problems in the platforms used by the PA should be helped and encouraged to do so.
What is happening in Italy today? That whoever discovers vulnerabilities in PA sites or makes the problem public by cashing in a complaint for violation of information systems or turns away, fearing legal retaliation (article 615-ter of the criminal code). Result? Whoever discovers serious flaws tends to keep everything for himself or, worse still, resells the information on the black market, exposing other people’s data, which should instead be protected, to the risk of aggression.
The concept of ethical hacking, with the consequently responsible dissemination of details on security vulnerabilities, is not currently recognized in our country and recalls, among many others, the case of a researcher who had discovered a vulnerability in the software.
After reporting the problem to the developer software house and then contacting an association that protects consumers only following the manufacturer’s inaction in correcting the vulnerability, the researcher was called to court with the opening of a proceeding against him for violation of information systems and defamation.
As observed by Sarzana, the defendant’s lawyer, the Judge closed the proceeding, noting that it is ” a consolidated practice for company owners to notify them of the presence of bugs (system errors) within their equipment by who knows about it. ”
The archiving decree also states that ” the suspect sent a series of letters to the staff of the developer company and only following the inertia of the same to want to correct the vulnerability of the system, it was decided to disclose, to protect of consumers, the presence of a similar error one month after its notification.
The conduct, therefore, does not integrate, based on what has been clarified, the crime referred to in Article 615-ter of the Criminal Code, as it falls within the common methodology of the responsible disclosure since the suspect himself first contacted the company involved precisely to allow it to amend the error within a period, which can vary from thirty days to In other words, the Judge cited explicit references to ethical hacking and shared its fundamental aspects.
Still, as Sarzana underlined well, the “responsible disclosure” of vulnerabilities in Italy leads to the initiation of legal disputes in the vast majority of cases. With all the expense, stress, and risks the suspect faces.
At the dawn of the birth of the new National Cybersecurity Agency, directed by Roberto Baldoni ( Cybernetic Security Agency ), an important piece needs to be included. The Agency will deal with the prevention and mitigation of incidents related to IT security ( data breach; in concert with the CSIRT, which is in turn integrated into the new Italian reality), with international collaboration and cooperation for cybersecurity, with the enhancement of skills as a system Country, of technological independence of Italy and Europe.
What is the piece of the puzzle that we believe is missing? Just an intervention by the legislator that introduces the concept of ethical hacking and clearly and authoritatively establishes the methods and tools that researchers can use to responsibly report vulnerabilities and security problems discovered in platforms created by private individuals or by/for the Public Administration.
Also Read: Cybersecurity And Digitalization: Is It Mission Impossible?
