
On Christmas day, our web service came under an apparent attack and we responded by blocking the (single) source IP. Upon later investigation, it turns out the 'attack' was actually an intense vulnerability scan by a reputable company. It appears one of our hosting customers had requested it, but we don't know for sure.

The scan started with a request for what I assume to be a verification file (e.g. 38fsoif3n4.html) which did not exist. Unfortunately, our custom 404 page was temporarily misconfigured and returned an HTTP response code of 200 instead of 404. Presumably the bot checked for the verification file, was satisfied with a 200 response, and continued with the scan.

This version of events was pieced together from our log files and seems to make sense. The problem is, the company in question refuses to discuss the issue with us. In their first (and only) response to my questions, they acknowledged a scan took place and offered to pass our contact info along to the party that requested the scan.

Is this an acceptable response? I followed up and requested that since they had scanned our servers without our knowledge or consent - and presumably provided a report to a 3rd party - they should at least give us a copy of that report.

I also asked that they make their verification a bit more robust. They should, at the very least, inspect the contents of their verification file, rather than rely on a single HTTP 200 response. This was a fairly intrusive scan, with thousands of form submissions and SQL injection attempts over a short period of time. With that kind of impact, they should probably also verify via root domain email (e.g. postmaster@domain.com).

They have not responded at all to these (reasonable, I think) requests. For a security company, they've displayed a surprisingly lax approach to verification and may have revealed a vulnerability to a competitor or hacker.

How should I proceed? Legally? Executive Email Carpet-bomb? Public Shaming?

EDIT to clarify

We're not that concerned about our customer and would not pursue them legally. We provide a site-builder/CMS for non-technical users and host their sites in subdirectories. They can upload whitelisted files (no code) and enter text & html (client-side JS is OK, if they want). They would have no need to pen-test their own code, since they have none.

Our concern is the security company that scanned our server without permission, presumably gave the results of that scan to a 3rd party, and now will not even talk to us about it. I'd love to just let it go ("eh, big companies, whatta ya gonna do?"), but it seems irresponsible to just ignore it.

Just looking for any leverage, short of lawyering-up, to get the company to respond.

michaelg
  • I'm voting to close this question as off-topic because it should be resolved by the legal department. – Deer Hunter Jan 14 '16 at 07:47
  • This is a legal question, but within the field of information security first. I would resume it to: "How to counterstrike when I am under attack from an **unsolicited security scan**?" – dan Jan 14 '16 at 07:56
  • I don't actually see it as a legal question, as I was being slightly facetious. The question is more along the lines of, "How does the security community police itself?" – michaelg Jan 14 '16 at 08:00
  • Public shaming opens you up to libel suits. Please, please consult a lawyer. – Deer Hunter Jan 14 '16 at 09:27
  • What is the actual problem here? Their scanning didn't seem to cause any service outage for you nor for your customers, nor did it uncover any vulnerabilities, so personally I'd let it go and move on. – André Borie Jan 14 '16 at 13:03
  • @michaelg we go to court and slug it out like any other sane group :) Seriously, there's really nothing else you can do besides scolding them privately and/or getting them to promise they won't do that again. Sometimes clients aren't clear on their demands, and they give poor information to a security company, who does their best to act in good faith. Bad things happen. – Ohnana Jan 14 '16 at 13:20
  • If the scan violates your terms of service with the client, then you have built-in responses. – schroeder Jan 14 '16 at 18:47
  • Even with this latest edit, this isn't a security question - it is perfectly reasonable for a company to not disclose who they are working for. – schroeder Jan 14 '16 at 18:51
  • I think you should respond like a business, not like a hurt individual. The law is unlikely to help you. If you think it's worth your time and effort, contact a lawyer and sue them for any damages. If you don't have any real damages, why do you care? Don't make this incident into something like an attack against you, otherwise you're just bound to lose. – Steve Sether Jan 14 '16 at 19:04
  • Thanks everyone. I understand that this question is not clear-cut and could be considered more discussion or opinion-oriented. Was hoping it would trigger a "oh, well in that situation, you would do this..." response, but I guess it's kind of an edge case. – michaelg Jan 14 '16 at 19:05
  • Your relationship with your customer isn't clear. You provide a CMS service, but what assurances do they have that you're providing real security? If the service scanned your customer's website, with your customer's permission, then do you really have any legal recourse against that? I don't think that's at all clear. – Steve Sether Jan 14 '16 at 19:12
  • @SteveSether, our service is more like a shared CMS than a virtual server. The scan extended well beyond the customer's site and did have an impact on our service. A lot of responses have suggested that it is appropriate and reasonable for customers to scan their hosting service. Does that mean it's OK for me to ask, say Qualys, to pen-test Facebook because my business has a page there? Extreme example, but it illustrates my concern. – michaelg Jan 14 '16 at 19:32
  • @michaelg Your Facebook example is an analogy. Analogies are great to illustrate a new concept, but are an extremely poor way to reason. I still think it's relatively pointless to pursue this. As I said, if you think you have real damages here, pursue it with a lawyer. Otherwise it's pointless. Business is rarely about winning, being right, or justice. Business is about money. You sound like you're taking this a little personally. It's not, it's just business. If you want to protect yourself, keep the IP ban permanent on the company who scanned you. But really, sue or move on. – Steve Sether Jan 14 '16 at 19:40
  • Use it as advertising: "CompanyName ran a surprise pentest and couldn't find any problems." – Oleg V. Volkov Jan 14 '16 at 20:20
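The verification weakness the question describes (a nonexistent token file answered with 200 by a misconfigured 404 page, and accepted as proof of ownership), shown beside a check that inspects the body and probes for soft 404s. This is an added example, not code from the question, the answers or the scanning company; the `fetch` callable, the in-memory server stand-ins and the `verify:<token>` body format are assumptions constructed so it runs offline.

```python
"""Ownership verification that does not trust a bare HTTP 200 (added example)."""
import secrets
from typing import Callable, Dict, Tuple

# fetch(path) -> (status_code, body). Injected so the example runs offline;
# a real implementation would wrap an HTTP client here (assumption).
Fetcher = Callable[[str], Tuple[int, str]]


def naive_verify(fetch: Fetcher, token: str) -> bool:
    """The weak check described in the question: any 200 counts as proof."""
    status, _ = fetch(f"/{token}.html")
    return status == 200


def robust_verify(fetch: Fetcher, token: str) -> bool:
    """Require the token in the body AND a genuine 404 for a control path."""
    status, body = fetch(f"/{token}.html")
    if status != 200 or token not in body:
        return False
    # Control request for a random path nobody could have created. If it also
    # comes back 200, the host serves "soft 404s" and the first result proves
    # nothing, so the scan must not proceed.
    control_status, _ = fetch(f"/{secrets.token_hex(16)}.html")
    return control_status == 404


def make_server(files: Dict[str, str], soft_404: bool) -> Fetcher:
    """Constructed stand-in for a web host; not a real HTTP server."""
    def fetch(path: str) -> Tuple[int, str]:
        if path in files:
            return 200, files[path]
        # A misconfigured custom 404 page that answers 200, as in the question.
        return (200 if soft_404 else 404), "<html>Page not found</html>"
    return fetch


TOKEN = "38fsoif3n4"  # token filename from the question

# Host that never uploaded the token and has the broken 404 handler.
MISCONFIGURED = make_server({}, soft_404=True)
# Host whose owner really placed the token file and whose 404 handler works.
LEGITIMATE = make_server({f"/{TOKEN}.html": f"verify:{TOKEN}"}, soft_404=False)
# Owner placed the file, but the 404 handler is broken: inconclusive, so refuse.
AMBIGUOUS = make_server({f"/{TOKEN}.html": f"verify:{TOKEN}"}, soft_404=True)
```

Only `robust_verify` rejects the misconfigured host; the naive check accepts it, which is exactly how a scan could be authorised by a 404 page returning 200.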

2 Answers


Whether you could pursue legal action depends on the contract and terms of service you have established, however that's probably not the right way to go as it will cost you money and lose you at least one customer. You might also discourage your customers from having penetration testing done, which would be a bad thing.

I would recommend educating all your clients as to the right way to go about having pentests done. Inform them you wholeheartedly support security testing, but that it can impact all customers if it is not done right so they should contact you to discuss scope and timings.

GdD


What kind of service are you providing? It depends on your TOS what users can and cannot do; if you have a hosting service, it depends on your TOS whether a user can scan his hosting account for exploits with automated means without your prior consent. Most security-aware people DO test their production scripts/programs, not only on localhost, because configuration on shared hosting may reduce security or have other unexpected security implications.

They are right not to give out information, as you are not the customer; you should pinpoint the third party and start from there. As far as the check goes, they should have a better one, but my guess is there are other means of verifying ownership of a script/product so a test can be run. Also, you can always look for an intrusive script on your hosting service that was used to proxy or directly attack someone and that triggered the scan. Anyway, the company was just doing their job.

Setekh
  • I don't really blame the customer for requesting the scan, though we will be revisiting our TOS. I blame the security company for being so lax about obtaining appropriate permission to probe a server, and then (potentially) providing a list of vulnerabilities to someone other than that server's owner. – michaelg Jan 14 '16 at 08:04
  • It depends on the scan; you mentioned form submissions, which most likely is XSS, and SQL Inj., so most likely it was a test against a script and not the server config itself. They probably used a well-known automated tool, probably a commercial one; you can actually pinpoint with good percentage the product by the attacks made and their succession, but that's not what you're after. I do understand you disapproving of the situation, and I'm supporting that; still, if you provide shared hosting then this is not a big deal and users should be able to do so. – Setekh Jan 14 '16 at 08:14
  • Users should be able to test the security of the virtual servers used in shared hosting, but if I'm not mistaken this was a scan on the service itself, which should be on a different non-virtual server. – Jonathan Gray Jan 14 '16 at 08:33