Put your imagination caps on folks, it’s scenario-imagining time. What if someone were to break into your home, steal your belongings and leave them somewhere with a sign in front stating “Stolen Goods”? Someone else walks by, sees the stuff and takes it all despite the Stolen Goods warning. No blurred lines here — clearly the second Mr. or Mrs. Sticky Fingers broke the law. At least in the U.S., the receipt of stolen property may be a federal offense.
Ashley Madison: A Real-World Data Problem
You can take your caps off now and we’ll take a look at a real-world scenario. Hmm, what about the massive data breach affecting the controversial dating site Ashley Madison? Let’s break this complex scenario down:
- Malicious individuals leaked more than 10 GB of stolen Ashley Madison data onto the Internet. Ashley Madison is a Canadian-based company. Hacking is an illegal act in Canada.
- Many “researchers” around the globe rushed in droves to download, review and analyze the stolen data dump. Is this a legal or illegal act in their respective countries?
All of a sudden I need glasses because the legal implications got real blurry once we jumped from physical robbery to cyber theft. Does it have to be blurry, though? From my hypothetical scenario above, substitute “download” with “receipt of” and “stolen goods” with “stolen data.” Now things are much more interesting.
Are there any legal ramifications for those that research stolen data and the companies they may work for? If not, should there be?
Treading on Thin Ice
As we shift our discussion from physical to digital theft, ambiguities in the law arise. The uncertainty surrounding the legality of researching data dumps places security professionals and the companies they work for in a precarious spot. One could argue that responsible research and information sharing should be conducted on exposed data; the bad guys have access, so should the good guys. In a utopia, the federal authorities would perform the research and share findings with the private sector, but that’s unfortunately not always the way these cases unfold.
What constitutes responsible research anyway? In the Stolen Goods scenario, if an independent investigator stopped by that same stolen property, dusted it for fingerprints and then sent the information to law enforcement, would that be illegal? Similarly, if researchers are solely using stolen data for analysis and responsible information sharing purposes, should it be considered within their legal rights to do so? If yes, how is this regulated? Should it really be a free-for-all? After all, this is personally identifiable information (PII) and should be handled with significant care.
Other Gray Research Activities
It’s important for the InfoSec community to have conversations around what researchers can and can’t do. For instance, a lot of research is conducted in the Dark Web to understand what types of attacks are emanating from this world of anonymous networks. Visiting the Dark Web may be permitted, but conducting transactions for research could result in investigation from law enforcement.
In another example, hanging out in the AnonOps (Anonymous Operations) chat room may be permissible, but conspiring to conduct a cyberattack to obtain details for a research project could lead to unwanted consequences.
Data Dump Best Practices
A word of caution to amateur researchers: Not all data dumps posted online are genuine or legitimate. Some data dumps may only contain partially correct information (i.e., the name or email is made up), resulting in inaccurate conclusions drawn. Reporting on information that is purportedly associated with a particular organization without fact-checking is irresponsible and contributes to information rumoring instead of sharing.
This probably aids attackers, because while we’re too busy poring over nonsense, they’re using their time wisely to plan their next attack. There have also been cases where faux data dumps actually contained malware — another reason that analysis of these data dumps is best left to professionals assigned to the case.
If you or your organization are not part of the investigation team hired by the compromised company and aren’t with a government agency, then best practice would be not to partake in researching stolen data. Legalities surrounding this action are blurry at best, and security researchers and companies should be cautious when engaging in research activities that could be considered illegal.
Data + More Data = More Attacks
In terms of future exploitation, the victims of data breach dumps potentially have a long battle ahead of them. Identity theft is a concern, as are spear phishing attacks. The fallout from these data dumps affects not only the individual but also provides fodder for more sophisticated attacks against enterprises. Data from one dump could be used in conjunction with information scoured from others or data purchased on the Dark Web.
Now would be a good time to remind employees about spear phishing campaigns. Although always a potential issue for corporations, this type of threat is exacerbated following a data dump incident. Why? The attacker has all the information needed to construct the perfect spear phishing message and know where to send it. No need to mine social media sites such as LinkedIn or Facebook. It’s all right there!
Spear phishing campaigns are also tried-and-true attack tools for delivering ransomware and were the initial attack step in the Dyre Wolf campaign. These messages can contain a weaponized document that exploits application vulnerabilities or a link to a phishing website.
Similarly, drive-by downloads result in malware infection and allow attackers to activate keylogging functionality to capture the users’ login credentials. Compromised credentials allow the attacker to gain fraudulent access to the corporate network and resources. Ensure your security program provides capabilities on three fronts: prevention of zero-day exploitation, prevention of data exfiltration and protection of credentials.
There is no question that information sharing among researchers and public and private entities is needed to effectively respond to cyberthreats. However, organizations should be cautious of the methods used to derive this information to avoid falling within what may be considered a gray area.