Paid Advertising
web application security lab

Legality of security auditing

After a weekend away I got an interesting email from one of my subscribers.  It was regarding some auditing that he was performing against a website, and that website had asked him to remove the offending information from his website.  Here’s a snippet from the email (I’m not going to post who it is unless he wants to talk about it more himself):

Does he have the legal right to ask such a thing, and If I didn’t remove
it, would anything happen because of it?

I’m no lawyer, honestly, but I really don’t think he has a legal right to get you top stop publishing your information unless it falls under one of three categories.  One of which is libel.  Libel is where you write something that is not the truth.  In this case, if it is true, it’s not libelous.  Slander is where you say something that is not true, and defamatory.  Clearly neither are true.
The second is more along the lines of a governmental issue, where you cannot insight riots, terrorism, etc…  I don’t think this falls under that one either.

The last one that comes to mind is DMCA.  The DMCA might hold true if you are reverse engineering the software to perform a security audit of it.  I’m not sure if there is actually and valid legal precedence for that claim, although Snosoft was nearly sued under it by HP for finding a vulnerability in their product a few years back.   After a huge uproar by the security community HP issued a press release and retracted the suit against Snosoft.

Now all that said, the legality in performing unsolicited penetration tests against live websites is pretty much getting to be risky business.  Regardless of your intentions any sort of unsolicited security penetration testing is tantamount to hacking.  Dmitry was pretty much screwed after finding an issue with Adobe’s products.  Then there was the kid who did a F5 “attack” by trying to get his classmates to DoS their school server by hitting refresh.  The amusing part of that attack is that it caused the attack to happen inadvertantly because it was Slashdotted later (my favorite comment on that one was, “I went to the website, but it was down, so I hit refresh, and it’s still down.”) It was later taken down by slashdot because of legal ramifications, I’m assuming.

It’s basically war on penetration testing and vulnerability assesments right now.  So good intentioned or not, watch your back.

3 Responses to “Legality of security auditing”

  1. Sven Vetsch / Disenchant Says:

    I also had this situation, that a company ask me to remove information from my website and don’t give some information about the vulnerabilities of their website to others. I’m not a lawyer too but I think you can get in trouble because it’s possible, that the customers of this company don’t want to work with them anymore because they want to buy products which are secure. I can’t say how this is in other countries but here in Switzerland, it’s AFAIK illegal.

  2. Luny Says:

    Yea, I was the one who emailed RSnake and asked this. I was unsure of the laws and legal sense of things regarding this type of situation. In the end tho, the owner of the site I audited was greatful and thanked me.

    Sven, I too can see how companys wouldn’t want to work with people who find these vulnerabilities, because if customers knew they paid $$ for a product only to find out its vulnerable and then have to go threw the whole process of updating & patching, plus the possibly users info was already obtained from said vulnerabilities. It’s a mess.

    Guess it’s just easier to silence the problem then fix it.

  3. Sven Vetsch / Disenchant Says:

    It’s always the same:

    security through obscurity