A cybersecurity expert who discovers a security vulnerability that might, say, give hackers access to customers’ banking or medical information should not hesitate to report it, right?
Unfortunately, the expert runs the risk of facing legal ramifications, accused of being a malicious hacker.
IEEE Member Sam Bowne, a professor of computer networking and information technology at City College of San Francisco, learned that the hard way. He teaches classes on cybersecurity and incorporates his research on common security vulnerabilities into his lessons. While doing research in 2014, he discovered that more than 100 servers used by a variety of companies had been hacked. One of them publicly exposed medical information from thousands of patient records at a major health care provider.
Bowne reported his findings to the health care provider the very next day; two months later, it sent a legal notice that told the affected patients that their records had been exposed. And it accused “a professor of computer science at City College of San Francisco” of hacking the server during an in-class demonstration. What’s more, SC Magazine, an online publication for IT professionals, ran an article echoing the claims. One reader who figured out that Bowne was the professor in question filed ethical complaints against him with the college.
In an attempt to clear his name, Bowne hired Alex Muentz, a lawyer in Philadelphia who specializes in information security. Bowne offered to pay him, but Muentz took the case on a pro bono basis. The two gave a talk about their experience, “When Vulnerability Disclosure Turns Ugly,” in July at the 11th HOPE conference, the latest biannual Hackers on Planet Earth event, in New York City.
WHAT WENT WRONG
Bowne says he discovered the compromised server at the LSU (Louisiana State University) Healthcare Network, in New Orleans, not by hacking but through a simple Internet search.
“I found a strange file, named ‘w0000000t,’ on a public FTP server, and then used Google and discovered that 110 other servers had the same file,” he said during the talk. In other words, someone had hacked, accessed, and uploaded text files on several institutions’ FTP servers. “They were apparently just tags, like graffiti, showing that the hacker had gained file upload privileges,” Bowne explained. That’s when he noticed the server at LSU contained confidential medical records that were exposed to the public.
In the United States, medical records are protected by the Health Insurance Portability and Accountability Act. The vulnerability that Bowne found was a HIPAA violation. He emailed LSU’s HIPAA compliance office on 17 June 2014 to alert them of the problem. The office took down the FTP server and fixed the problem within a few hours.
Two months later, however, Conway Health System, which LSU owned at the time, sent a legal notice to its patients, notifying them their information might have been compromised. After getting wind of the situation, journalist Adam Greenberg wrote the SC article, which ran with the headline “Professor Hacks University Health Conway in Demonstration for Class.” Following its publication in August, one reader complained to City College about what Bowne had done and demanded he be fired.
That’s where Muentz came in. “The magazine wrote a story that was defamatory,” he said at the HOPE conference. “They were trying to find some real cowboy stuff to make the story seem more interesting.”
Instead of suing SC Magazine, Bowne filed a formal HIPAA complaint with the U.S. Health and Human Services (HHS) Office for Civil Rights, which handles HIPAA violations. Bowne stated in the complaint that LSU illegally retaliated against him for reporting the vulnerability by alluding to his identity in an official notice and falsely stating that students were involved. Muentz then advised Bowne to send an email message addressed to LSU as well as to politicians and news outlets in California and Louisiana to explain his side of the story. “I did not ‘hack’ anything or ‘demonstrate’ anything in a class—I was not even teaching any classes at this time,” he wrote.
SC Magazine ran a correction, and it published a second article explaining what Bowne had done, clarifying that rather than hacking the Conway system he had found its vulnerability through a Google search.
The HHS office rejected his whistleblower complaint on procedural grounds: His original notice was sent to LSU’s local HIPAA compliance office instead of to the federal HHS office—a mistake that cost him whistleblower protection.
“I was lucky because no one tried to prosecute me for ‘hacking’ the LSU server,” he says, “so it didn't do me any lasting harm.”
For those who make the effort to report vulnerabilities, legal protection is not guaranteed in the United States. Whistleblowers can be accused of hacking under the Computer Fraud and Abuse Act (CFAA), which makes it illegal to knowingly access a computer or server without authorization.
Bowne isn’t new to finding and reporting flaws. “I’ve found vulnerabilities in hundreds of websites including those of major banks, insurance companies, stock traders, and colleges,” he says. But his reports often go unheeded.
“In general I find that about 20 percent of companies I notify actually fix the problems,” he says. “I suspect that’s because they have no cybersecurity team, and no one has any idea what to do about a vulnerability report.
“I used to notify affected companies about SQL injections I found, but I stopped doing that on the advice of my attorney,” he says. A SQL injection lets an attacker slip database commands into an application’s input and read or modify a database that is supposed to be password-protected. “That’s an extremely serious vulnerability,” Bowne says, “but the CFAA makes it unwise for me to warn companies about it. To avoid legal risk, the correct action is to say nothing and let the companies be hacked.”
Bowne has abandoned security research on public Web servers and moved on to testing Android apps, which the CFAA does not cover.
“I’ve recently found vulnerabilities that would allow an attacker to counterfeit an Android app or allow encrypted data to be stolen from a wireless network,” he says. The techniques he uses to spot vulnerabilities are “nothing revolutionary,” he says, adding, “I find them by using research techniques I learned from textbooks.
“The legal risks of security research are far greater than I realized. Unless a company has a bug bounty program [in which websites and software developers compensate people for reporting flaws], or they have contracted with you for this service, almost all security research is technically illegal.
“The only thing that protects researchers is a good reputation, which may cause prosecutors not to press charges—and a good legal team to mitigate the risks of being charged with hacking.”