Disclosure: Unlimited Chase Ultimate Rewards Points

1181 points | ic4l | 5 years ago | chadscira.com

252 comments

Communitivity | 5 years ago
You had the best of intentions, and tried to do everything right. Unfortunately, in modern times that just paints a bigger target on your back.

This is why I got out of cybersecurity. Even when you are a good guy, the other folks look at you like it's only a matter of time before you steal the crown jewels while their back is turned. And if you are disclosing vulns you found when not actually hired to do so, forget about it - the best you can hope for is a thank you and a bounty that doesn't make it worth the time it took. The sky's the limit on the worst you can get.

The prospects of folks probing systems for the fun of it and disclosing how to secure them better to the owners in order to make the world a better place have become too grim. If you really want to do this, then I recommend you join a security company and do it as an employee to get that protection.

Every decade since 1989 I have marveled at how much closer our world has gotten to the world of Shadowrun. I just wish we had gotten the magic to go with the pall of shadows that hang over us now.

czbond | 5 years ago
I agree with you. My view now when approaching all (and similar) situations in life is: "Can someone with mild to average intelligence interpret this negatively against me and act upon that perception?"

Because let's be honest, that is Occam's razor's most probable outcome.

Mandatum | 5 years ago
> This is why I got out of cybersecurity.

So accurate. It's doom and gloom in that space; you either do it because you literally couldn't see yourself doing anything else, or for ego/cash. I'd argue there are much better ways to make cash in other engineering jobs; often skills in security overlap with SRE, admin and compliance roles.

It's the golden years for blackhats right now. And it has been for about 15 years, and I really don't see it changing at all any time soon.

whatsmyusername | 5 years ago
I second this. It's pointless to do it for free.

I'm getting out of ops for the simple reason that it's way more lucrative to be called in after the fact rather than try to stop incidents ahead of time (whether by probing and disclosing or trying to build out a blue team without being paid a contract to do so).

ic4l | 5 years ago
Due to fear of retaliation I decided initially not to share this story, but enough time has passed, and I feel the security community should know how one of the largest banks treats security researchers.

ptero | 5 years ago
Since they effectively banned you from Chase service, what other retaliations were you worried about? Honest question.

You might want to consider fighting it, though. It seems that it was a decision done at a pretty low level, or even automatically. Chase, like most US big banks, are under constant scrutiny and hate bad PR. Write to their top HR, say you are submitting a formal request to <pick a four-letter financial oversight agency> and send a copy to your congressman. What do you have to lose?

irjustin | 5 years ago
Thanks for sharing and sorry such a shitty action was the result.

More seriously, is it possible to get in writing that disclosure would not result in negative repercussions if there is no bounty program? Perhaps dealing with large banks in a security context requires a less forgiving mentality.

Did you have to return the $5k? At least maybe you gained that?

nijave | 5 years ago
I would think some regulators may be interested in this.

rbarnes01 | 5 years ago
Please, submit a complaint to the CFPB. I promise you that the bank will flip over backwards to resolve your issue.

crusso | 5 years ago
Always involve an attorney and possibly law enforcement rather than trusting that these companies will do the right thing.

a_imho | 5 years ago
Why did you report it in the first place? What did you expect to happen? Let's say they did not terminate your accounts but sent a thank you letter, would that be satisfactory?

I'm interested in why security researchers or bug hunters do this kind of work for free. It really devalues the proposition long term imo, but I don't have a horse in the race. My POV is that megacorps with bottomless pockets and armies of highly paid engineers miss these critical security issues all the time, and the best reporters can hope for is chump change (if not abuse).

edit: Even more specifically I'm wondering why can't the security community work together, denounce the current practice of exchanging bugs potentially worth $$$ for ~nerd cred? Make some high profile disclosure if that is what it takes to take the work seriously. Wouldn't it work out better in the long run?

duxup | 5 years ago
Not long ago I worked at a big name tech company and with someone who interacted with folks who reported security concerns.

Half the time the security team was scrambling to prevent various people from sending legal on a crusade to attack the latest researcher who responsibly told them about a security issue. It only got better after legal was educated enough to not just shoot from the hip with threats... but really they were just acting like a firewall for much of the management team who saw any such disclosure as some sort of attack.

And this was a tech company, everything they did was technology, located in the valley... they still didn't get it.

Even just getting these researchers token recognition (many asked for almost nothing) was an uphill battle.

One of the challenges was that the folks on the security team were really passionate about doing the right thing and they didn't want to break relationships they had with researchers / the community. They were prone to leave companies who were bad at handling those relationships ... leaving bad companies with fewer such people and accordingly things would fester.

The security industry is full of straight up charlatans and legit people. The legit people are super sensitive about being associated with charlatans and thus the charlatans are often left to their own devices after the legit folks run for cover (elsewhere).

For the record this is my perception from working with security minded folks, and not actually working in that industry myself.

nerdponx | 5 years ago
What incentive does legal even have for acting this way? Internal commendations? Bonuses?

tyingq | 5 years ago
Wow. You did the best you could to let them know about the problem, returned the $5k, etc. And they chose to be arseholes and just close your accounts and pretend you don't exist.

This will have some amount of Streisand effect. I doubt they've really fixed the race conditions. And, the story itself is interesting enough to take off.

okl | 5 years ago
Yes, IMO OP should have disclosed it to the SEC right after Thomas confirmed that closing the account was intentional.

Schiendelman | 5 years ago
We need to pass laws that forbid retaliation against disclosure, and require bounty programs. It might even make sense to have disclosure go through a public agency to arbitrate, and bond companies to that agency, much like we do with contractors.

ic4l | 5 years ago
I agree, especially with risky parties like banks, or government institutions.

It's always a scary experience.

The funny thing is according to them I was the only contributor from 2016 to the end of 2017. So they must not get many reports.

Since then they did develop a disclosure program, but it would be great to hear from anyone else that reported things to them after the end of 2017.

swiley | 5 years ago
I'm tempted to agree with you but I would be surprised if a law like that didn't make the situation worse.

franga2000 | 5 years ago
Since the people in charge are basically the same rich morons as (or in the pocket of) the ones doing this to researchers, I wouldn't hold my breath.

Best we can hope for is that the EU or some other trigger-happy regulators do the same for security as they tried to do for privacy: mandate a dedicated security contact that legally has to respond to your disclosure. Then at least we'll have some form of direct contact and not have to resort to twitter for "secure" disclosure.

chenpengcheng | 5 years ago
That is not going to happen in the US.

DevX101 | 5 years ago
Congratulations Chase. You've just increased the probability that the next security researcher who discovers a vulnerability says nothing to you, or worse sells the exploit on the black market.

xvector | 5 years ago
The next researcher should absolutely sell on the black market. Chase deserves no less.

zxcvbn4038 | 5 years ago
I once applied for an IT Security job at Citibank. As I’m walking to the conference room for the interview I notice that every single desk had a beat-up dog-eared copy of “Computer Security For Dummies” on it. It didn’t do them much good: a year later I read they had lost $60 million because you could go into their web banking system, and once authenticated you could access any retail bank account by changing the account number in the URL.

Years earlier I was at Chase Manhattan when they decided to hire an IT security role. The guy they selected was a tradesman who specialized in brickwork. Computer Security For Dummies was also his go-to and it never left his hands. Most of our interaction with him was his trying to find “the NFS”. We told him several times that we didn’t use NFS but he was convinced we did and were hiding the NFS from him. He called all of us individually into meetings with him and our manager to try and get us to crack and admit where we had hidden the NFS, but was unsuccessful; it was a conspiracy. He hired in a couple of consultants to find where the NFS was but they couldn’t find it either. When I left he was having the network engineers trace all of the cables to see if we had hidden the NFS in a closet or under the floor.
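The Citi flaw described above (authenticated, but any retail account readable by changing the account number in the URL) is a missing ownership check on a direct object reference. What follows is an added example, not Citibank's, Chase's or the commenter's code: a minimal account lookup in Python written first with that gap and then with the check, plus a small detector over the refused requests, since a session being refused several different foreign account ids is the signal a defender wants surfaced. The account table, the user names `alice`/`bob` and the `Forbidden` exception are all constructed for this example.

```python
"""Authorization check for an account-lookup endpoint.

Added example, not code from any bank or from the commenter above. The
account table, the session user and the request shape are constructed here;
a real service would read them from its session store and database.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    account_id: str
    owner_id: str
    balance_cents: int


# Constructed sample data: two customers, one account each.
ACCOUNTS: Dict[str, Account] = {
    "1001": Account("1001", owner_id="alice", balance_cents=52_000),
    "1002": Account("1002", owner_id="bob", balance_cents=7_500),
}

# Refused lookups, recorded as (session_user, requested_account_id).
DENIALS: List[Tuple[str, str]] = []


class Forbidden(Exception):
    """An authenticated user asked for an account that is not theirs."""


def get_account_vulnerable(session_user: str, account_id: str) -> Optional[Account]:
    """The flaw described in the comment: the caller is authenticated, but the
    account number taken from the URL is trusted as-is, so any logged-in user
    can read any account by changing that number."""
    if not session_user:
        return None  # login is enforced ...
    return ACCOUNTS.get(account_id)  # ... but ownership never is


def get_account_hardened(session_user: str, account_id: str) -> Optional[Account]:
    """Same lookup with the missing step: the record must belong to the
    session's user. Mismatches are recorded so they can be alerted on."""
    if not session_user:
        return None
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return None
    if acct.owner_id != session_user:
        DENIALS.append((session_user, account_id))
        raise Forbidden(f"{session_user} may not read account {account_id}")
    return acct


def is_allowed(session_user: str, account_id: str) -> bool:
    """True only if the hardened lookup actually returns a record."""
    try:
        return get_account_hardened(session_user, account_id) is not None
    except Forbidden:
        return False


def suspicious_sessions(denials: List[Tuple[str, str]], threshold: int = 3) -> Set[str]:
    """Detection side: a session refused several *distinct* foreign account
    ids is walking the id space. Return the users over the threshold."""
    seen: Dict[str, Set[str]] = {}
    for user, acct_id in denials:
        seen.setdefault(user, set()).add(acct_id)
    return {user for user, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(get_account_vulnerable("bob", "1001"))  # bob reads alice's account
    print(is_allowed("bob", "1001"))              # False once ownership is checked
```

In an HTTP layer the "unknown id" and "not your id" cases should map to the same status so the response does not confirm which account numbers exist; they are kept distinct here only so the refusal can be logged and counted.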

rootcage | 5 years ago
That sounds like the tech version of The Office.

mkoryak | 5 years ago
About 5 years ago I took my infant son for a morning stroll and found an SSD drive lying in the grass next to a busy street (Jamaicaway in JP). I picked it up and later looked to see what was on it because I wanted to know why someone would throw out a perfectly good SSD (they were still expensive back then).

Long story short, I found a bunch of mdb files with personal information about people's ambulance rides. I reached out to EMS and they were very nice and took the drive back with them. A few weeks later I got a scary lawyer email asking me to submit all my computers for a search because I hacked their security to get the data.

It eventually turned out OK, but the moral of the story is that I will never again do the right thing if I happen to discover a problem that makes a large entity look bad.

ciabattabread | 5 years ago
That’s why you launder the information via a news organization.

In 2008, in London, a commuter found top secret counterterrorism documents on the train. That person was smart enough to go to a BBC reporter.

wil421 | 5 years ago
Doing the right thing in these situations is like playing with fire. Lots of times nothing happens but you can easily get burned hard. Legal expenses to defend yourself are no joke.

I heard a similar story years ago about a high school student finding an SD card. It was full of illegal underage pictures so he turned it into the school admins, told the story, and ended up getting charged for it.

outworlder | 5 years ago
> I got a scary lawyer email asking me to submit all my computers for a search because I hacked their security to get the data.

Did you actually have to do that?

chairmanwow1 | 5 years ago
Can someone please explain to me why companies make decisions like this? I have been on HN long enough to see many stories like this, but never once heard the suggestion of a rational line of human behavior.

Is it lawyers misunderstanding the value of security research?

zemnmez | 5 years ago
In my experience, it's that people without experience with security researchers tend to think of security issues as having fundamentally been created by the researchers themselves, rather than already existing in the system.

If you have no idea how someone finds such things, your first read is that the researcher has created the problem by finding it, when it could have just never been found by anyone instead. It's cliché, but the portrayal of hackers in films always implies that they could get into anything, with reasoning in a similar vein to: if I knew all about windows and used that knowledge to smash the window of someone's house, then claimed it was a flaw that I could get in, that'd be on me.

Then, there is the problem of communication. An external person discovering such a flaw is already going out of their way to do something for the maker of the software, and I find that those being communicated with often find this interaction grating.

I think the psychology is complicated but it's somewhere between alarm that such a flaw was found, fear that the finding of such a flaw is a reflection on you or your engineering team that will harm you, and that the researcher, unpaid and not expecting anything, isn't there to hold their hand and reassure / explain such things. As a researcher, I want to spend the minimum time on this.

The only thing I'll insist on is that it gets fixed in time, and if this draws out for months I eventually get in a position where I have to make threats of disclosure or nothing will get done.

A_Venom_Roll | 5 years ago
I can imagine that something like this happened:

1. Based on the disclosure, usage of multiple sessions was marked as possible fraudulent activity.
2. When a new signal for fraudulent activity is added, accounts and transactions in the past are checked as well.
3. OP's account comes up as fraudulent activity (of course it does, he's the one who found it).
4. Nobody at Chase takes the effort to see what exactly happened here and that this account (or at least the specific transaction) should be excluded from positive results.

Remember that Facebook reported the BBC to the police for telling them there was CP on their network [0]? I think something similar happened.

[0] https://gizmodo.com/bbc-tells-facebook-about-child-porn-on-t...

_wldu | 5 years ago
Company managers become upset because this makes them look bad. Most corporate security depts spend a lot of money on salaries, devices, etc. And then some hacker kid comes along and embarrasses them. They retaliate and try to 'kill the messenger' to save their reputation (internally) and continue to 'play security' with big budgets and vendor conferences. Really, all they do is CYA. That's all that matters to them.

Edit: This happened to me when I compromised a Windows Active Directory (got domain admin on all the domain controllers) and it has happened to my colleagues as well. The default corporate response is to threaten, marginalize or try to fire the security researcher.

pmichaud | 5 years ago
I also want to know this.

Here's what I made up in my head:

Corporate managers and lawyers in particular have to constantly monitor for and defend against legal attacks, both legitimate and illegitimate. They have to stay on their toes about tricks and traps built into contracts and business deals and that sort of thing.

When a nerd comes to them to report a true fact about reality that will help them to know, we (the nerds) expect them to be grateful and cooperative.

But in fact they are trying to figure out what the angle is, or if not, what the angle could possibly be. One nerd's helpful security disclosure is a corporate lawyer's extortion attempt: "Nice corporation you got there. Too bad about this critical security vulnerability that may or may not constitute fiduciary negligence, but would definitely harm customer trust in your financial institution. Maybe we can help each other out, friendly like..."

So when someone comes at you like that, what do you do? If you're a hardass corporate lawyer you posse up, lock down, stonewall, shut off any practical ability for the person to have any further interaction with you, use all legal means at your disposal to get them to shut up about the issue now and forever. After all, this person just proved they have the ability and probably the willingness to discover vulnerabilities and extort you with them. Maybe. Why risk it?

That's the story I made up about it. I think it's a combination of incentives in the legal landscape and a huge culture clash.

lukeramsden | 5 years ago
> Is it lawyers misunderstanding the value of security research?

I would've thought it would be more likely some middle manager who doesn't understand tech and just knows this person was ""abusing"" their system.

wefarrell | 5 years ago
IT is a cost center to them and they want to build/maintain their software as cheaply as possible. Short term it's cheaper to sweep this under the rug than to actually build a culture where security and best practices are important. Long term it doesn't matter because the senior management will have moved on.

exabrial | 5 years ago
Remember Chase is the bank where your passwords couldn't contain special characters and were limited to 12 characters up until 2017-2018 (I lost track, don't quote me). I wouldn't hold my money there if they paid me.

dhanvantharim1 | 5 years ago
I don't think this behaviour is reserved only to banks. I once worked for a tech company which treated a security researcher who found a vulnerability with the same hostility. They had an "easter egg" in the code saying "F* you <name of the researcher>". Needless to say I left that place soon after this incident. It baffles me why companies won't reward these people for doing the testing for them instead of taking these disclosures as an act of war against them.

wdb | 5 years ago
Funny that they are always quick to close your accounts and credit cards but if it's about mortgages/loans they leave those open.

If they write you off as a client for accounts/credit cards, why not also for the mortgage/loans?

1vuio0pswjnm7 | 5 years ago
Any guesses why the HTML page is URL-encoded and inserted into a script tag?

To read without JavaScript:

   # Fetch the page, turn the listed percent-escapes back into characters,
   # then keep only the <p>...</p> markup and save it as a local HTML file.
   # The '"'"' on the %27 line is the usual shell trick for getting a literal
   # single quote into a single-quoted sed script.
   curl https://chadscira.com/post/5fa269d46142ac544e013d6e/DISCLOSURE-Unlimited-Chase-Ultimate-Rewards-Points | sed '
     s/%3A/:/g;
     s/%2C/,/g;
     s/%2F/\//g;
     s/%3D/=/g;
     s/%3B/;/g;
     s/%3F/?/g;
     s/%26/\&/g;
     s/%22/\"/g;
     s/%20/ /g;
     s/%28/(/g;
     s/%29/)/g;
     s/%3C/</g;
     s/%3E/>/g;
     s/%27/'"'"'/g;
     s/%0D//g;
     s/%0A//g;' | grep -o "<p>.*</p>" > 1.htm

   # Open the extracted paragraphs in a browser.
   firefox ./1.htm
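The sed chain above works for the escapes it lists, but a table of substitutions applied one after another is not a percent-decoder: it misses any escape it doesn't list, and if `%25` is added to the table a doubly encoded `%253C` comes out as a live `<`, because each pass rescans the output of the previous one. As an added example (not the commenter's script; `SAMPLE` and the `ORDERED_TABLE` are constructed for it), here is a single-pass decoder in Python next to the sequential variant, plus a non-greedy paragraph extraction to replace the greedy `<p>.*</p>` grep, which returns one match spanning the first `<p>` to the last `</p>` on a line:

```python
"""Percent-decoding of a page body that was URL-encoded into a <script> tag.

Added example, not the commenter's script. SAMPLE is a constructed payload
in the same shape (percent-escaped HTML); the decoder handles every escape,
not just a hand-picked list.
"""
import re
from typing import List, Sequence, Tuple
from urllib.parse import unquote

HEX_DIGITS = set("0123456789abcdefABCDEF")

# Constructed sample: two paragraphs, a literal percent sign, an apostrophe.
SAMPLE = ("%3Cp%3EFirst%20paragraph%2C%20100%25%20sure.%3C%2Fp%3E%0A"
          "%3Cp%3EIt%27s%20%3Cb%3Ebold%3C%2Fb%3E%3C%2Fp%3E")


def percent_decode(text: str) -> str:
    """Single left-to-right pass: each %XX becomes one byte, anything else is
    copied through, and the byte string is decoded as UTF-8 at the end.
    The output is never rescanned, so a decoded '%' can't start a new escape;
    that is what makes this safe against double encoding."""
    out = bytearray()
    i, n = 0, len(text)
    while i < n:
        if (text[i] == "%" and i + 2 < n
                and text[i + 1] in HEX_DIGITS and text[i + 2] in HEX_DIGITS):
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out += text[i].encode("utf-8")  # a stray '%' stays a literal '%'
            i += 1
    return out.decode("utf-8", errors="replace")


def matches_stdlib(text: str) -> bool:
    """Cross-check against urllib.parse.unquote, which does the same thing."""
    return percent_decode(text) == unquote(text)


# The ordered-substitution approach of the sed script, with %25 added to it.
ORDERED_TABLE: Sequence[Tuple[str, str]] = (
    ("%25", "%"), ("%3C", "<"), ("%3E", ">"), ("%2F", "/"),
)


def sequential_decode(text: str, table: Sequence[Tuple[str, str]] = ORDERED_TABLE) -> str:
    """Applies the substitutions one after another. Each pass rescans the
    output of the previous one, so %253C -> %3C -> <: content that was
    double-encoded on purpose to stay inert comes out as live markup."""
    for escaped, literal in table:
        text = text.replace(escaped, literal)
    return text


PARAGRAPH = re.compile(r"<p>.*?</p>", re.DOTALL)


def extract_paragraphs(html: str) -> List[str]:
    """Non-greedy version of grep -o "<p>.*</p>": one match per paragraph
    instead of one match spanning the first <p> to the last </p>."""
    return PARAGRAPH.findall(html)


def decode_page(payload: str) -> List[str]:
    """Decode the embedded payload and return its paragraphs."""
    return extract_paragraphs(percent_decode(payload))


if __name__ == "__main__":
    for para in decode_page(SAMPLE):
        print(para)
```

Feeding the decoder the raw `curl` output instead of `SAMPLE` is the only change needed to reproduce the sed pipeline; the double-encoding case matters whenever decoded text is going to be handed to a browser, which is exactly what `firefox ./1.htm` does.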

phantom_oracle | 5 years ago
One would think that banks, who are the prime target for every person that "wants to hack", would be leading the way in terms of bug bounty programs and benefiting from smart people finding gaping holes in their systems.

This bank could have gotten into serious trouble with regulators if a bad actor exploited this bug and stole millions.

Don't expect them to adjust their behavior any time soon, but the "HN effect" might make them undo this action to avoid bad PR and make a few vague promises about "fixing the issue to avoid it happening in the future".

webel0 | 5 years ago
It is interesting that the only way to draw attention to this issue was via Twitter DM. For many big companies this seems to be the one place where you can hope to get a response.

For example, a year ago I was in a pinch and ended up booking a flight on Delta via Twitter DM.

The problem with this is that the escalation chain and documentation to go along with it is unclear. The author could only hope that he was being connected with the right people. Likewise, I was just crossing my fingers that there was, indeed, a ticket waiting for me.

jakobdabo | 5 years ago
This is why so-called responsible disclosure isn't a silver bullet. I believe, in cases when there is no bounty program and no substantial risk for the users' data or resources, one should go with full, anonymous disclosure.

ic4l | 5 years ago
This is very hard because the actual research required you to use real accounts, and you would need to contact them to correct your account after you proved it was indeed an issue.

rhexs | 5 years ago
Interesting that the bounty program is only mentioned in the text screenshot and not the article. While it’s unfortunate that this happened, randomly pen-testing a bank then presumably asking for money is not something I would advise.

superfunny | 5 years ago
This story will hurt the bank's ability to hire talented programmers and developers in the future.

athenot | 5 years ago
Thanks for sharing this. I just closed my account citing Chase's poor behavior towards security researchers.

offtop5 | 5 years ago
Very very strange that instead of getting written approval from their counsel you just did it.

This is the type of thing to test in a QA environment, not in real life with your real money.