4: impact

There’s a notable amount of rabble-rousing around the impact of vulnerabilities of this kind, specifically the argument that XSS vulnerabilities ‘require user input’ and so matter less. Perhaps this is in contrast to vulnerabilities like Heartbleed, Shellshock or ETERNALBLUE, or a denial of service attack, which require only network access (but which also don’t necessarily land you inside financial systems).

I think part of this line of thought in the security scene comes from the reassuring hypothetical that, unlike the big-name vulnerabilities you hear about coming down the intertubes, there’s a small chance that when someone emails you, yourself (a Smart and well-versed security practitioner), a pixel-perfect replica of a plausible email from Her Majesty’s Revenue and Customs, asking you simply to click a link that objectively goes to the UK tax service’s website, you might somehow x-ray it deeply enough to turn tail and refuse to click a single link in it.

While I do appreciate this, the set of people on whom you might use a sharp, well-honed spearphishing attack, armed with a vulnerability that extracts and manipulates financial information directly, doesn’t usually include industry professionals and the excessively paranoid. Indeed, we live in a world where the highest-earning mode of internet fraud (to the tune of $2.3B in the US alone) is simply emailing financial officers and asking them to wire big $$$ to our bank account, registered conveniently with a bank in the middle of a volcano dimension that has no extradition treaty with NATO states.

time, and space

My words so far cover only the first three days of the 57 days it took to get a confirmed fix on these issues. It’s been really hard to write anything about the rest: in real life, as in prose, it is the boring and tedious bit.

Not writing about this step would misrepresent the trials I had to go through, and I think that would be much the same as denying these things happened. Those 57 days were the largest river I had to ford, a hurdle I had to personally push myself to jump in order to reach the simple state of knowing that the serious issues I identified were known and in good hands.

There’s a weight to finding issues and caring about them, a moral load that, as a security researcher you have to carry until the issues are fixed. Sometimes you have to fight people to care, sometimes you have to fight to find people to fight to care. It sucks.

I attached a raw timeline to the end of this article, but I’m also going to try my best to represent the details here.

So far the hero of our story (that’s me 😉) has found the first issue and reached out to multiple government agencies and contact addresses, any of which could reasonably have given me a good contact. I reached someone in the HMRC press office, who responded positively. I sent them a second email with details of a much more serious issue. It’s the 21st of April. It’s taken me two days to get hold of a contact.

22nd April: By the next day, the first issue I found appears fixed, but I don’t delve far enough to know for sure. Three days pass with no reply.

25th April: I call my contact on his work phone. They avoid discussion of the issues, and on the topic of my emails say it’s not their place to comment on security issues. I’m kind of at a loss as to what to do now. Four days pass.

29th April: I try to reach out to the consultant who runs the UK government responsible disclosure programme. They, oddly, follow me back on Twitter but do not reply to my DMs. Five days pass.

3rd May: Frustrated, I start writing this article, hoping at the very least to talk about my experiences. I contact Augur.io, the vendor whose code I leverage in my vulnerability. They reply and thank me for the disclosure the same day. They notify me the issue is fixed the next day. Six days pass.

9th May: I call the HMRC press office to notify them of my intent to publish a predecessor to this article. The person at the other end is courteous and appears to understand my intentions. I email them an article URL.

At dinner that evening, I get a phone call from my original contact at the HMRC press office. I take the call out on the street, leaving my date inside. The caller implores me not to publish this article, threatening me with a plethora of criminal calamities I might cause if I publish.

Surprised, I try to muster a few common arguments on responsible disclosure. I decide, and state the decision, that unless someone who can speak for HMRC’s security policy tells me I shouldn’t publish this article, I’ll have to publish it. I mention the NCSC. They say they’ll try to find something.

10th May: My original HMRC contact comes back to me with a mysterious NCSC email address, for which Google has only two hits, both in the same PDF of a presentation given at a business conference. I compose a summary of all that has happened so far and send it to this address. Ten days pass.

20th May: I give up on this approach. I reach out to a special friend who, it turns out, has spooks on speed-dial, and who emails the Communications-Electronics Security Group (CESG), as of now merged into the NCSC, with my email summary. He warns me these things take a little time, but move fast after that. Four days later, we have a reply.

24th May: My friend gets back an email from the CESG mailing list. They try to establish PGP encrypted contact with HMRC’s security team. Seven days pass.

31st May: Initial attempt at a PGP key exchange between me and the NCSC. PGP sucks, so this takes two days.

11th Jun: Senior NCSC contact confirms fixes, thanks me and offers to buy a drink.

epilogue

We live in an age where the great engines of our time are spun simply out of ideas, tethered to the universe only by the flickering of charges in a silicon die.

Sadly, I don’t think I’m ever going to fly through the sprawling dark cities and networks pictured in film. It hurts especially that I’ll never be able to pull off sick grinds with my friends in cyberspace on the internet superhighway or probably learn how to rollerblade.

I do think, however, that the things we put into our computers live in their own little universe, so drastically different to our own. There’s no concept of space there, but there are universal laws: rules upon rules upon which a software application, an app, a program, a video game all live and die. We came up with these, of course; we call them protocols, or sometimes APIs.

As someone who finds vulnerabilities in software, many parts of this foreign universe are more intricately familiar to me than the places I’ve lived. Someone with the right knowledge can send a little idea of their own into a computer, one that interacts, competes with and manipulates others to the author’s own ends.

All of us with these abilities have a moral compass we must construct for ourselves. I don’t think anything has given me more respect for an individual’s right to their own boundaries and privacy than living and working every day with the knowledge of how to strip those boundaries away. Not everyone ends up seeing it the same way.

I try my best to do the right thing, but sometimes you can’t help trying to avoid putting yourself in the position where you should be doing the right thing. You ask yourself: if I invest a little time trying to do the right thing, am I going to be sucked into a 57-day trek trying to see it through? There comes a point at which even doing the right thing seems to have been the wrong choice.

If you choose to walk the moral high road with security issues, sometimes you will find people who care as much as you do. Other times you’ll find people whose job you’re just making more difficult, people who think you’re trying to harm them or their company, and people who just don’t understand. Those are fights you have to fight yourself.

I’m happy to be working in security at a time when we have bug bounties, where sometimes, if the planets align, I can feel like I didn’t just do the right thing because I had to.

But the places where security help is needed most are the places that don’t have these security investments; the places that don’t know, can’t afford, or can’t understand the value of security. The places with no security email address or responsible disclosure procedure.

The security issues I found were complex. The issues that made fixing them take 57 days are simple, and common.

Good security is an invisible luxury most places can’t afford. Security teams are expensive and hard to measure success for.

Security is young. I hope if I have children, they get to live in a world that better understands the risks and rewards of putting their data in that little silicon universe.

timeline

2017
19 Apr: first issue found, tweeted @govuk @ncsc, email security@

19 Apr: contact from NCSC via twitter, link to cyber fraud page

19 Apr: inform NCSC link is wrong

20 Apr: HMRC customer help asks me to DM them (I'm unable to)

21 Apr: HMRC Press Office asks me to call them

21 Apr: Call HMRC Press Office

21 Apr: Email first issue to contact, contact thanks & will get back

22 Apr: Email second issue to contact (no reply)

(sometime before) vuln tentatively fixed

25 Apr: Called contact, they say it's not their place to comment on security issues

29 Apr: Try to contact consultant who runs UK gov responsible disclosure, get followed but doesn't dm back

03 May: begin writeup, contact augur.io via email

03 May: augur.io replies, thanks for disclosure

04 May: fix deployed to augur.io (not replicated to UK tax systems)

09 May: call HMRC press office with intent to publish this article

09 May: original contact calls me & implores me not to publish, says I'll be encouraging criminals. I ask them to get in contact with NCSC

10 May: get some kind of NCSC email, attempt to contact w/ details of additional issue (the email has literally 2 hits in PDFs on Google)

20 May: reach out to special friend for contacts, friend emails the Communications-Electronics Security Group (CESG), now merged into the NCSC

24 May: NCSC contact responds to friend

31 May: NCSC contact is attempting to establish PGP encrypted communication with HMRC

31 May: attempt PGP key exchange with NCSC contact

1 Jun: actually complete PGP key exchange (lol, pgp)

2 Jun: send PGP encrypted details to ncsc contact

11 Jun: reply from senior NCSC contact, thanks & apologies, offers to buy me a drink

15 Jun: vulns confirmed fixed; OK to publish with corrections from NCSC

22 Aug: finish much better rewrite of the article

2018

18 Apr: HMRC publishes new responsible disclosure procedures

~Z

Take care of yourselves. Stay healthy, stay cosy. Get regular exercise. Take breaks. Go outside. Look at a plant. Be as real with people as your feelings are to you.