US won’t prosecute ‘good faith’ security researchers under CFAA

Well, that clears things up? Maybe not


The US Justice Department has directed prosecutors not to charge "good-faith security researchers" with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical — things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing.

Good-faith, according to the policy [PDF], means using a computer "solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability."

Additionally, this activity must be "carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."

The update clarifies that conducting security research for the purposes of finding flaws in devices or software, and then extorting the owners, "is not in good faith."

Hopefully, the policy changes will make security researchers' lives less stressful

"Computer security research is a key driver of improved cybersecurity," stated Deputy Attorney General Lisa Monaco. "The Department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."

The new policy clarifies CFAA language that prohibits accessing a computer "without authorization," a term the statute never defines, which security researchers and some lawmakers have long criticized. Anyone charged with violating the law can face a lengthy prison sentence.

Critics of the CFAA often point to the death of Aaron Swartz, who died by suicide in 2013 after federal prosecutors charged him under the computer-fraud law for downloading millions of research papers. Two earlier attempts at legislative reform, known as Aaron's Law, never made it out of Congress. And it's worth noting that the updated policy is not a legislative fix to the problem.

Lying on your dating profile: still OK

Under the new policy, the Justice Department says it won't prosecute researchers for accessing computer systems "without authorization" unless:

  • The defendant was not authorized to access the protected computer under any circumstances by any person or entity with the authority to grant such authorization;
  • The defendant knew of the facts that made the defendant's access without authorization; and 
  • Prosecution would serve the Department's goals for CFAA enforcement.

These enforcement goals "are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems," the Department states.

Additionally, the updates clarify some hypothetical CFAA violations. For example, prosecutors won't charge you for embellishing an online dating profile, using a pseudonym on a social networking site that prohibits fake names, or checking sports scores or paying bills at work.

While security researchers agree the updated policy is a step in the right direction, most contacted by The Register say the changes don't go far enough to protect them while they simply do their jobs.

New policy doesn't go 'nearly far enough'

The Electronic Frontier Foundation (EFF), which has long called for CFAA reform, noted it was "pleased" that the Department was recognizing the role that researchers play in making the entire internet more secure. 

"However, the DOJ's new policy does not go nearly far enough: by exempting research conducted 'solely' in 'good faith,' the policy calls into question work that serves both security goals and other motives, such as a researcher's desire to be compensated or recognized for their contribution," EFF Senior Staff Attorney Andrew Crocker told The Register.

The agency policy isn't binding, and can also be changed at any time by a future administration, he added.

"And it does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, and innovators," Crocker said. "The policy is a good start, but it is no substitute for comprehensive CFAA reform."

Self-described hacker Nate Warfield, who previously worked as a senior security researcher for Microsoft, also called the changes a positive move.

"There are risks in doing security research in that depending on the research target, the response to one's findings may not be taken as being well intended," he told The Register, noting Aaron Swartz, and, more recently, the Missouri reporter who was threatened with prosecution after reporting social security numbers exposed on a state government website.

"It's a fine line to demonstrate what a malicious actor could do in an attempt to warn an organization," Warfield continued. 

"Think of it as if I walked up to your home, saw it was unlocked, let myself in and used your home phone to call you and let you know you'd left your house unlocked," he said. "While it was done with good intentions, in the eyes of the law it's breaking and entering." 

No protection at the state level

Additionally, the policy doesn't protect researchers from prosecution at the State level, nor does it shield them from corporations that decide to take action.

"I don't think this will address people being arrested, search warrants issued or their names being smeared in the public eye," Warfield said. "While they may eventually be cleared of any wrongdoing, the damage to their lives will have already been done." 

While the policy changes are an "improvement," Forrester security analyst Allie Mellen noted the "hacker community has a long and challenging history with the CFAA." 

Because of this, the phrase "good-faith research" and other vaguely worded sections in the policy leave a good amount of prosecutorial wiggle room, and "should give security researchers pause," Mellen told The Register. "It's important for researchers to keep records of any agreements made with the companies they are researching and any other relevant paperwork."

Ministry of good faith?

Hopefully, the policy changes will make independent security researchers' lives "a little less stressful by giving them more freedom to work on bug hunting and responsible disclosure, without the overhanging threat of the legal system," added Kev Breen, Immersive Labs' director of cyber threat research.

Still, this doesn't give independent bug hunters a free pass. "If they do find vulnerabilities and report them — especially if they tipped over the lines — they may still find themselves in hot water," Breen told The Register. "I urge them to still apply the same level of caution and ethics we would have expected from them before this announcement." 

And he, like several others, takes issue with "good faith," which Breen called "a bit of a fuzzy statement."

Full disclosure: Breen is British and so is not bound by US policy, but he noted that the UK has similar laws.

"My nationality aside, it wouldn't make much of a difference for any security researcher that is working on behalf of an organization," he said.

Here's what Breen means: the first thing that he does when beginning a research project or responsible disclosure is to call up the company's general counsel, "especially when the organization sits outside of the UK," he said.

"This is to ensure I'm not straying too far from those virtual lines on the digital ground, but more importantly, I have some top cover if things go a little 'pear-shaped' or a company doesn't understand responsible disclosure," Breen explained. ®
