May 16, 2014

If you’re taking an exam to test your skills as an Internet security professional, do you get extra credit for schooling the organization that hosts the test? If that organization is the International Information Systems Security Certification Consortium (ISC)² — the non-profit that administers the Certified Information Systems Security Professional (CISSP) exam — the answer is “no,” but you might get a nice ‘thank you’ from the head of the organization.

isc2-2

Last month, I heard from Alex Holden, a security consultant who is quite gifted at quickly identifying security holes in Internet-facing things. Holden was visiting the site to pay his annual CISSP membership dues, and was getting ready to fork over the $85 annual fee when he noticed a glaring weakness in the organization’s checkout page: The URL listed all of his registration information in plaintext.

The site hadn’t yet requested his credit card, but Holden found that he could skip the payment process merely by changing the $85 amount in the URL produced by the checkout page to a negative number. Clicking submit after that change was made produced an email congratulating him on his successful renewal.

Holden said he was surprised to find that a security organization like ISC2 would fail to take the basic precaution of encrypting all form data submitted on its site. He noted that, while he didn’t attempt further tests, the same method likely would have worked to check out without paying for other items on (ISC)²’s site, including (ISC)² conference registrations and the CISSP exam, which (ISC)² exclusively administers.

“My personal habit, anytime I submit an electronic payment, is to look at the URL to see if it is HTTPS and on a site that I expect to be (vs fake sites),” Holden said, explaining how he discovered the embarrassing bug.

(ISC)² Executive Director W. Hord Tipton said the vulnerability Holden reported also was discovered internally in the organization’s annual penetration tests, but that the bug was erroneously flagged as ‘non-exploitable.’

In any case, although some 2,000 security professionals register with the site to take the CISSP exam each month, (ISC)² found no indications that anyone else had previously exploited this weakness to avoid paying for the organization’s events or certifications. (ISC)² thanked Holden for reporting the bug, and noted that the URL at checkout is now using encrypted values instead of plain text.

“We’re a highly security-conscious outfit, but sometimes we aren’t as secure as we ought to be,” Tipton said.


62 thoughts on “White-Hat Hacker Schools Security Pro School

  1. Caleb

    Great article, Brian. I think you have a typo in bottom of the second to last paragraph: “plain test” instead of “plain text”.

  2. Debi

    Yes, great article Brian! And, Caleb, you need a “the” between “in”and “bottom”. 🙂

    1. Rob

      The fact that no one else noticed the unsecured data plaintext URL is a bit of an indictment of, what was it, 2,000 visitors per month, ALL of them “high-level” security consultants? Or is it even worse in that they ARE all the high-level security consultants?? Ouch. China! Russia! Cuba! Iran! NSA! Are you paying close attention?

      The fact that no one else noticed that Mr. Krebs has now spelled “plaintext” two ways, the other being “plain text” is a bit of an indictment too, but a much less serious one. Not worried, but much idly curious.

      So Brian, which one is correct? If you and Bruce Schneier were to publicly agree on one over the other, I’m sure the rest of the world would quickly follow on rather than be made to look like a gigantic minority.

      1. Sjsk

        The fact that you think this certification means that someone can penetration test the website shows your ignorance in the security community. The certification literally covers the basics of many different areas within the security space. It does not dig deep into any. It is literally an associate level security certification.

        Your comments actually sound like someone who is bitter and probably lost an opportunity because those outside of the security space, Human Resources, have elevated it to something other than what it is.

        1. Andy

          Lots of people simply don’t look at the address bar. You would have to do it to notice a problem. Certification material is a good place to learn a substantial amount of material in the area. The ones who incessantly complain about them feel threatened by their worth.

      2. Hackme Oysters

        Unfortunately until someone “tested” the site and made it public they made a change this was brought to their attention at least by myself a ways back. This is the problem with this org. it is not for “security” professionals. It is just for theory only all the answers test your ability to “manage” security people not actually do the work but the industry is sipping the CISSP kool-aide so we must all drink.

        I myself think that the real security certs are from companies like SANS that actually test your ability to adapt and actually perform the security side tasks. Just my two cents…and YES I am a CISSP. and Yes I did tell them no I didn’t test the link though because it would be a violation of their ridiculous moral turpitude clause…

    2. John

      @Debi. I think you are missing a space after “in” and before “and.”

      Seriously, great article as usual Brian. And I am glad the typo police are out today. I was worried.

  3. KFritz

    Please compare the following statements:

    “We’re a highly security-conscious outfit, but sometimes we aren’t as secure as we ought to be,”

    “We’re firemen, but occasionally we forget to bring hoses or water to the job.”

    1. SeymourB

      We’re firemen, but we like to order pizza instead of cooking healthy meals at the firehouse.

      1. David Gerard

        “We’re firemen, but – oh, THAT fire in the back of the firehouse. Yeah, we should probably have noticed that.”

  4. coderaptor

    Well, what else do you expect of ISC2? Its time to give them a boot – they have fooled enough people already selling dubious security certifications.

  5. Spacerog

    Does Holden realize that by manipulating the URL in this fashion he has violated the CFAA? This is the same action that Andrew Auernheimer was sent to jail for. Something security researchers need to keep in mind when they are looking for security vulnerabilities.

  6. Jadgate

    C’mon, let’s not pile on to ISC2. Web application security has yet to achieve the sort of perfection some of the comments that have been made seem to imply. Sh@t happens. Having another set of eyes find stuff is a good thing, that’s how things get fixed. The question is: are you going to part of the solution by identifying this sort of stuff, or just point fingers at the problem and blame others.

    1. BrianKrebs Post author

      “The question is: are you going to part of the solution by identifying this sort of stuff, or just point fingers at the problem and blame others.”

      Err..reporting this to them and getting it fixed isn’t part of the solution?

      1. finewithme

        I think Jadgate’s comment refers to fellow commenters, not Alex Holden. I could be misreading it, however.

      2. Chris

        When I read the comments I was hoping for something more than a list of the typos in the article and people putting the boot into the guy who reported the issue and security company that had it.

        My take on it is:
        1. If more people were a little more observant and did what Alex Holden did, then the internet would be a better place.
        2. You don’t punish people for being part of the solution.
        3. It’s a reminder that we’re all human and make mistakes (thinking ISC here)
        4. It’s a gentle reminder that it doesn’t take much for the wheels to fall off the security wagon…

      3. jadgate

        Brian-

        My comments were not directed at you or Alex, but at the other commenters who seem to be taking great delight and playing “gotcha”.

        Later,

        Jim

  7. JCitizen

    Ingrates! Doesn’t give me much confidence in the schooling over there either! :/

  8. SeymourB

    URL-based form submission seems so HTML 3.2 to me.

    Hell, I don’t even like when session cookies are encoded into the URL, which was done to avoid customers running around like chickens with their heads cut off because sites don’t work with browser cookies disabled.

    1. Anura

      It doesn’t matter if it was GET or POST; the security hole exists regardless. It’s rule #1 of web development: never ever, ever, ever trust user input, and anything transmitted in the HTTP request is user input.

  9. Walt

    What does that say for all of us CISSP’s that used this vulnerable website for the past few years.

    Good opportunity to review OWASP Top 10 2013-A4-Insecure Direct Object References

    1. Stephen

      and after reading them update your CPE’s do reflect the same 😉

    2. Marty

      “What does that say for all of us CISSP’s that used this vulnerable website for the past few years. ”

      I don’t think it says anything at all. As a CISSP who used the website, I always check website URLs to ensure the credit card data I provide is protected and the amounts charged are correct. From my read on this, the vulnerability did not impact member/customer information, only the internal workings of the website.

      Exploiting this vulnerability would only impact ISC2 in the form of someone defrauding the ISC2 by not properly paying for goods/services. I would expect the ISC2 financial audits would have caught any exploitation (the article stated that ISC2 found that there was no exploit of this vulnerability).

      I find the more interesting part of the article being that the ISC2 knew of the vulnerability and decided not to fix it as they erroneously considered it “non-exploitable”. Was that “error” intentional or unintentional? Did someone at ISC2 make the risk decision to not fix this vulnerability based on the “small” likelihood of someone exploiting (i.e. the cost of fixing website vs. likelihood that a “trusted” ISC2 member/customer would exploit this vulnerability to defraud the ISC2)?

      1. Rick

        “I find the more interesting part of the article being that the ISC2 knew of the vulnerability and decided not to fix it as they erroneously considered it “non-exploitable”. ”

        If ISC2 is anything like a certain company I know, the people reviewing the pen test results don’t have the technical expertise to catch a mislabeled finding like this; Instead, they blindly trust the consultant doing the test and writing the report.

      2. Cody

        Or we can put up hacking detectors on web sites and computers

      3. Cody

        Credit cards are easily hacked but I have an idea mabie we can stop it by using a tumb scaner on it that is made out of a material that leaves no finger print on it so if every time you scan it would also warn for black hats it would help the stock stalk market also.

  10. Sterling Augustine

    I would have expected ISC2 to have awarded Mr. Holden a lifetime membership for free testing for being honest and reporting the vulnerability. It isn’t like it would cost ISC2 anything and the PR would be great for ISC2.

    1. Gary Deutschendorf

      Lifetime is a bit much… maybe a free year or something. Finding a web flaw isn’t really cutting edge discovery or anything.

  11. Ashes

    I was going to say the same thing as Spacerog. Shouldn’t the ISC2 strip Alex Holden of his CISSP because he “hacked” the website without their permission? Isn’t this part of the agreement you have to sign with ISC2 to stay certified? So much for consistency.

    1. Gary Deutschendorf

      One of the worst things they could do is to penalize someone for performing “white hat” hacking. That would be counterproductive and may incite additional negative light to the organization. I’d assume that is something they would not necessarily want that to happen.

  12. William Morris

    Why would a security pro host his website (http://www.holdsecurity.com/) on a service that needs Javascript enabled to view anything at all and, when enabled, loads hundreds of KB of scripts (1.3MB total load, 40 seconds)?

  13. David

    Does anyone else find it a bit sad that Brian’s typo is such a big deal to so many people? I have not performed any official scientific studies on the comments of “Krebs on Security” postings, but it sure seems that their are a bunch of people with their priorities out of whack and with too much time on there hands.

    (And yes, I intentionally used “their” and “there” inappropriately so you, of whom I am speaking, will be interested in my comment.)

    1. Larry McP

      Well it certainly worked! Your a smart guy and I didn’t loose interest; the comment was better then some of the others which are to long.

      1. Skippy

        I gotta think that this reply is a test…

        “Your” –> “You’re”
        “loose” –> “lose” ? (not sure about this one)
        “then” –> “than”
        “to” –> “too”

          1. Chris

            100%? Pathetic. “which are too long” is clearly parenthetical, not restrictive, so it requires a comma. 🙂

    2. nope

      Brian has a site that is visited by many people
      People see Brain as a professional
      Spelling mistakes don’t look professional
      Proof reading is not hard

      1. PW

        Hmmm… You spelt Brian wrong… Proof reading isn’t hard huh? Please guys, get a life, I’m sure there are sites dedicated to spelling mistakes on the web.. Visit those.

      2. NotMe

        Many if us read for a living, and poor Brian does not have an editor to torment him properly. We should be considered crowd source editors. The story is about lax practice at a certification site, how interested are we in that when we can pick away at the article itself?

        I meet many CISSP folks who are clueless about security practice, but they sure can pass a test and pay a membership fee.

        We all specialize in something, perhaps some of us specialize in passing tests.

  14. FARO

    Visited the “Security Consultant” link above with Internet Explorer 8 and get alert “message from web page stack overflow at line:0”. No issue with Firefox. Still able to view page. Source is all JavaScript calls and a bit buggy.

  15. mbi

    Its an object lesson of hubris in any organization.

  16. Richard Steven Hack

    I always like the way Chris Nickerson starts his talks: he displays a blank PowerPoint and says “these are my certifications”… Then he shows someone else’s CISSP which he copied off the Internet and modified to put his name on it.

    CISSP is the equivalent of an A+ certification. It’s the butt of endless jokes at infosec conferences.

  17. John Tracy

    He is fortunate he is not being prosecuted CFAA the way things are going these days.

  18. JE

    Since it sounds like we have to give up the certification unless we point out every observed vulnerability on the organization’s web site, how about we talk about a real issue that affects the security of the site?

    Password reset requires only the member’s email address, and then a temporary password is sent in plain text. The member is not required to change that temporary password after they first log in.

    Now there’s a real vulnerability. Some hacker might steal a member’s password, log in as them, pay their Annual Maintenance Fees and record (or delete, since that’s an option) CPE for them.

    This comment was checked for grammar and spelling by the finest products Microsoft has to offer.

  19. Steve Kalman

    Well, certainly embarrassing for any organization. Having said that, not every employee of ISC2 is a CISSP, so tying the cert to the vulnerability is comparing apples to rocks.

    Also, there are 10 subject matter areas (domains). The requirements are 5 year’s experience (or 4, plus a bachelor’s degree) in any two of them. A lawyer working as a risk manger would qualify, but is not someone I’d expect to be able to diagnose or fix that vulnerability.

    Finally, “White Hat Hacking” requires (!) permission. Good intent is not part of the definition. He should consider himself lucky that he’s not facing charges. Many organizations would have handled it far less graciously.

  20. IA Eng

    I think they should wave his yearly fee for the rest of the CISSP period he is active in. Its a small gesture that could have saved the company thousands of dollars.

    I am sure ISC2 did a sanity check to see if any current or past transactions were done in the same manner. A sanity check, if anything else.

    Small things like this can put an organization on their backside. All a miscreant would have to do is fill up every seat at every conference and test for the next few months, and it would take many a people-hour to try and determine which ones were valid and which were bogus. It could have been a terrible mess.

  21. Oliver

    Those certificates are not worth the paper they are printed on!!
    Same as MCSE: Must Choose Something Else.

    Cheers, Oliver

  22. Skullcracker

    Pretty disappointed with the comments on this article.

    Brian writes an article to shed light on a vulnerability discovered by Dave which leads to…

    ISC2 is worthless, careless, reckless
    Dave should be stripped of his CISSP for discovering the vulnerability
    Dave has spellcheck issues
    Dave’s site is poorly secured

    All you armchair quarterbacks who do nothing more than pontificate about how bad everyone else is at what they do…what exactly are you contributing to the community?

    Next time just say “Thank you” to the people who are being helpful and informative – then move along.

    1. Skullcracker

      Before I get bodyslammed – Dave=Alex

      Know a Dave H. and not sure why I mixed up the two names. If I could edit it I would…

  23. zareff

    This is priceless. Security professionals really have no sense of humor…

  24. Ben Wheeler

    This is also a failure to maintain the cart on the website and error check the user submitted data. Encrypting the submission won’t save you from a user who changes the data to say, ” I already paid for that!”

  25. Steve

    Just a minor point, in the UK what Alex did is considered as hacking. Under the Computer Misuse Act 1990, as he made the IT system do something that the owners had not intended – he edited the price of his renewal.

    Having spotted the issue he should have reported it without exploitation. What he sought to do was perform an unauthorized penetration test (hack) and seek lots of PR from it.

    While there may not have been a long term intent to circumvent the payment process, there was a guilty act.

    So as an (ISC)2 member he broke their code of ethics (required part of being a CISSP), broke the Law and did all this for gain (PR).

    He doesn’t sound like a kind of person that I would want testing my systems, sounds like a loose cannon that would test outside his remit, test systems out of scope (the (ISC)2 system was out of scope) and potentially break other critical systema – plus he might break his NDA and leak any vulnerabilities to the press – like he has with this one.

    – not impressed really

  26. Jackie

    It is a bit ironic that a computer security training website would have these types of errors on their website. It is also a little shocking that it took this long for someone to notice when the types of people who are registering on their websites usually are somewhat trained in computer security. Holden did the (ISC)2 a huge favor by pointing out this flaw. It is likely that in the future several other people would notice this flaw and get away with hacking their system.

  27. Paco Hope

    I write exam questions for the CISSP. I know some stuff about how this works. There are a bunch of mistakes made both by Krebs and commenters.
    1. The exam does not test your “skills” or your “ability” to do something. It tests knowledge and your ability to demonstrate what you know. It is not a certification that says you know how to DO anything. It is a certification that you KNOW things, and we hope that the things it tests are important, interesting, and difficult to acquire without actually being knowledgeable. But there are limits to what a standardised test can do.
    2. (ISC)2 is not “a training web site.” The certification recognises what you know. How you acquire that knowledge is orthogonal to the test. Unlike, say, a university degree which largely recognises what THAT university taught you, the certification simply shows that you acquired the knowledge somehow and demonstrated that knowledge by taking a standard test under standard conditions. Now, (ISC)2 has a training arm, but the two sides of that organisation are actually strongly separated.
    3. The (ISC)2 code of ethics, which everyone agrees to when they accept an (ISC)2 certification, is quite small. The most important point for this discussion is “Act honorably, honestly, justly, responsibly, and legally.”. If (ISC)2 pressed charges and the individual was found to have broken the law, then perhaps he would have violated the code of ethics. Otherwise, it seems like he did act honestly and responsibly. I don’t think the vulnerability reporter acted in violation of the code of ethics.
    I speak for myself as someone who volunteers with (ISC)2 sometimes. I am not speaking for the organisation itself.

    1. Walt

      Excellent points Paco. I believe the recommended avenue for responsible disclosure would be to inform US-CERT, or ISC2, or both. Changing the amount due would not be appropriate, as I doubt Holden had a rules of engagement agreement. ISC2 demonstrated forbearance; Intel did not with Randal Schwartz, even though he was a contract system admin for Intel. http://en.wikipedia.org/wiki/Randal_L._Schwartz#Intel_case

Comments are closed.