US won’t prosecute ‘good faith’ security researchers under CFAA

Well, that clears things up? Maybe not


The US Justice Department has directed prosecutors not to charge "good-faith security researchers" with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical — things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing.

Good-faith, according to the policy [PDF], means using a computer "solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability."

Additionally, this activity must be "carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."

The update clarifies that conducting security research for the purposes of finding flaws in devices or software, and then extorting the owners, "is not in good faith."

Hopefully, the policy changes will make security researchers' lives less stressful

"Computer security research is a key driver of improved cybersecurity," stated Deputy Attorney General Lisa Monaco. "The Department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."

The new policy clarifies the CFAA's prohibition on accessing a computer "without authorization," language that has long been criticized by security researchers and some lawmakers because the law never defines what the term means. Anyone charged with violating the law can face a long time behind bars.

Critics of the CFAA often point to the death of Aaron Swartz, who died by suicide in 2013 after federal prosecutors charged him under the computer-fraud law for downloading millions of research papers. Two earlier attempts at legislative reform, known as Aaron's Law, never made it out of Congress. And it's worth noting that the updated policy is not a legislative fix to the problem.

Lying on your dating profile: still OK

Under the new policy, the Justice Department says it won't prosecute researchers for accessing computer systems "without authorization" unless:

  • The defendant was not authorized to access the protected computer under any circumstances by any person or entity with the authority to grant such authorization;
  • The defendant knew of the facts that made the defendant's access without authorization; and
  • Prosecution would serve the Department's goals for CFAA enforcement.

These enforcement goals "are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems," the Department states.

Additionally, the updates clarify some hypothetical CFAA violations. For example, prosecutors won't charge you for embellishing an online dating profile, using a pseudonym on a social networking site that prohibits fake names, or checking sports scores or paying bills at work.

While security researchers agree the updated policy is a step in the right direction, most contacted by The Register say the changes don't go far enough to protect them while they simply do their jobs.

New policy doesn't go 'nearly far enough'

The Electronic Frontier Foundation (EFF), which has long called for CFAA reform, noted it was "pleased" that the Department was recognizing the role that researchers play in making the entire internet more secure.

"However, the DOJ's new policy does not go nearly far enough: by exempting research conducted 'solely' in 'good faith,' the policy calls into question work that serves both security goals and other motives, such as a researcher's desire to be compensated or recognized for their contribution," EFF Senior Staff Attorney Andrew Crocker told The Register.

The agency policy isn't binding, and can also be changed at any time by a future administration, he added.

"And it does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, and innovators," Crocker said. "The policy is a good start, but it is no substitute for comprehensive CFAA reform."

Self-described hacker Nate Warfield, who previously worked as a senior security researcher for Microsoft, also called the changes a positive move.

"There are risks in doing security research in that depending on the research target, the response to one's findings may not be taken as being well intended," he told The Register, noting Aaron Swartz and, more recently, the Missouri reporter who was threatened with prosecution after reporting social security numbers exposed on a state government website.

"It's a fine line to demonstrate what a malicious actor could do in an attempt to warn an organization," Warfield continued.

"Think of it as if I walked up to your home, saw it was unlocked, let myself in and used your home phone to call you and let you know you'd left your house unlocked," he said. "While it was done with good intentions, in the eyes of the law it's breaking and entering."

No protection at the state level

Additionally, the policy doesn't protect researchers from prosecution at the state level, nor does it shield them from corporations that decide to take legal action of their own.

"I don't think this will address people being arrested, search warrants issued or their names being smeared in the public eye," Warfield said. "While they may eventually be cleared of any wrongdoing, the damage to their lives will have already been done."

While the policy changes are an "improvement," Forrester security analyst Allie Mellen noted the "hacker community has a long and challenging history with the CFAA."

Because of this, the phrase "good-faith research" and other vaguely worded sections in the policy leave a good amount of prosecutorial wiggle room, and "should give security researchers pause," Mellen told The Register. "It's important for researchers to keep records of any agreements made with the companies they are researching and any other relevant paperwork."

Ministry of good faith?

Hopefully, the policy changes will make independent security researchers' lives "a little less stressful by giving them more freedom to work on bug hunting and responsible disclosure, without the overhanging threat of the legal system," added Kev Breen, Immersive Labs' director of cyber threat research.

Still, this doesn't give independent bug hunters a free pass. "If they do find vulnerabilities and report them — especially if they tipped over the lines — they may still find themselves in hot water," Breen told The Register. "I urge them to still apply the same level of caution and ethics we would have expected from them before this announcement."

And he, like several others, takes issue with "good faith," which Breen called "a bit of a fuzzy statement."

Full disclosure: Breen is British, and while he isn't bound by US policy, he noted that the UK has similar laws.

"My nationality aside, it wouldn't make much of a difference for any security researcher that is working on behalf of an organization," he said.

Here's what Breen means: the first thing that he does when beginning a research project or responsible disclosure is to call up the company's general counsel, "especially when the organization sits outside of the UK," he said.

"This is to ensure I'm not straying too far from those virtual lines on the digital ground, but more importantly, I have some top cover if things go a little 'pear-shaped' or a company doesn't understand responsible disclosure," Breen explained. ®
