The hacker group that exposed holes in McAfee's website knows it's breaking U.S. law, but vows to continue exposing vulnerabilities, especially on security vendor websites.
"We do understand performing security testings without authorization is illegal under U.S. law," stated YGN Ethical Hacker Group, when contacted by Network World via e-mail. The outfit's own website describes YGN as a "small group of young but mature people" based in the country of Myanmar (Burma) who started working together about three years ago. Based on its website advertising, the group, which seeks to emphasize its goals are "ethical," appears to offer vulnerability-testing services while also working on security testing tools.
In response to a question about why it's so secretive, YGN says, "Secrecy is very important to us that our Burmese government might not call us up to misuse our skills to attack their most hated countries including U.S., Norway...etc."
McAfee, which offers its "McAfee Secure" branded scan service for daily website evaluation and has Foundstone vulnerability-testing tools, earlier this week responded to Network World, which reported YGN's findings in a public security-discussion forum. A McAfee spokesperson said, "McAfee is aware of these vulnerabilities and we are working to fix them. It is important to note that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the vulnerabilities." McAfee has so far not made further comment.
YGN indicates it may continue its campaign of performing vulnerability test scans on websites, particularly those of security vendors, because it feels this is the right thing to do: "As responsible netizens, we believe that YGN Ethical Hacker Group is liable to disclose security issues in high-profile web sites where thousands of users exist to rely on their security-related services/products. It is unethical by human conduct to sell security products/services while vendors don't care [about] fixing their issues."
YGN, which doesn't want to disclose the names of its members, said they want to "represent our country" and "to do security research to contribute to the security of users in [the] digital world."
YGN also participates in security research groups, including EvilFingers, which security analyst Shyaam Sundhar Rajamadam Srinivasan indicated he started with his wife in 2006. When asked about YGN, and whether doing vulnerability tests on websites without the owner's permission is wrong or illegal, Srinivasan is direct.
"YGN is just a group that I got to know recently," according to Srinivasan, who says he is CEO of DigitOnto and works as a contractor for SANS Institute. "My wife and myself, we don't do unethical stuff. I believe that scanning one's website without prior authorization is definitely inappropriate and violates our partnership rules and regulations." He writes that he intends to inform YGN about the same. "EvilFingers never cooperates for any kind of unethical activities."
Mandeep Khera, chief marketing officer at Web application security vendor Cenzic, notes that performing vulnerability tests on a website without the owner's permission is illegal in the U.S. "You're forcing yourself onto someone's property," he points out. "It's like a break-in."
When informed of this criticism, YGN responded by saying it will expose vulnerabilities in Cenzic's website: "We will disclose an OWASP Top 10 Security issue in [the] Cenzic web site." The Open Web Application Security Project is an organization composed mainly of vendors that researches web application vulnerabilities, such as cross-site scripting, and publishes annual reports ranking the most significant ones.
YGN says its motivation to expose holes in security vendor websites is because "nowadays security vendors don't even care about the security of their websites (while some of them offer Web App Security Products/Services), which allows attackers to exploit these flaws to attack their users. Apparently, the U.S. law will not sue security vendors for their lack of security."
To sum up, YGN states, "from the look of the law, what we did seems illegal from U.S. Law perspective. We, security researchers, sometimes need to go to the dark side for the benefit of users."