1

Today I had an idea: I've been thinking that one can use brute force to get some data from a university in our country.

It turned out my thoughts were true: an attacker can use brute force to reveal sensitive information.

How strong should the protection against brute force be for an application, for instance this university website?

In my case, I'm thinking of notifying the right people about this so they can address it the right way (even though I think they won't care at all).

According to the laws of my country, getting and manipulating the information that one can get from this university is illegal.

I'm thinking of the following scenario: I will probably notify the people who take care of that website, and maybe they will say: attacking us is illegal anyway: should they still care about my report?

Ionică Bizău

2 Answers

1

this is illegal anyway: should they still care about my report?

Very much so.

To give one of a by now long series of such examples, consider (one of) the Yahoo hacks, for example the 1 billion account hack reported in late 2016 (see also Krebs's coverage).

To quickly cover why "this is illegal anyway" is not a legitimate response:

  • Yahoo had some sensitive data (in this case, user emails, passwords, and possibly more) stolen, yet Yahoo still has a duty to announce (and investigate) the hack
  • that duty extends to its financial reporting, as explained in the footer of one of their press releases about the impact to users:

More information about potential risks and uncertainties of security breaches that could affect the Company’s business and financial results is included under the caption “Risk Factors” in the Company’s Quarterly Report on Form 10-Q for the quarter ended September 30, 2016, which is on file with the SEC and available on the SEC’s website at www.sec.gov.

  • depending on your country, the duty of reporting may also be tied to fines and other legal or financial consequences (Europe, for example).

All this tends to focus on Personally Identifiable Information (PII), but in the case of a university, the loss or theft of research (particularly when not protected by patents) could impact the financial status of the university. Not to mention the fact that universities do also hold PII, and so a breach would need to be investigated to determine what kind of data may have leaked.

I am not a lawyer, but there are so many cases where, at the very least, investigation would be warranted (if not required to determine the legal consequences), that I think the report would (assuming it was felt to be reliable and accurate) be given attention.

If you provide bad (or even overly noisy) reporting, then it may be they will ignore your report. But I would be surprised if conclusive evidence of a breach would be ignored.

iwaseatenbyagrue
0

It is not illegal to have bad security. But usually, organizations that handle private information also participate in activities that require some sort of regulatory compliance.

For example, in the United States, a university often handles credit card information, which means they must be PCI-DSS compliant. If they handle medical information, they must be HIPAA compliant. If they handle student loans, they must be FFIEC-compliant. If they handle government information, they may need to be ISO 27000 compliant. Etc. Each of these includes standards for cybersecurity. Some of them are very specific, e.g. they specify that passwords must be hashed and that lockout mechanisms (to prevent brute force) are in place.

If a university is out of compliance, it may not necessarily be illegal (it isn't in the U.S.) but it may have consequences for them, e.g. Visa may not allow them to process payments.

If you have concerns that an organization is out of compliance, you can send an email and ask that it be routed to their compliance officer.

John Wu
  • Sorry for misunderstanding, what I meant is that they may say that attacking their website is illegal. – Ionică Bizău Mar 20 '17 at 11:38
  • "In what cases should applications be prepared for brute force?" See above. "should they still care about my report?" Depends if your report is credible and if a brute force weakness would bring them out of compliance. – John Wu Mar 20 '17 at 11:40
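As an added illustration of the two controls the second answer mentions (hashed passwords and a lockout mechanism), here is a minimal login guard; it is not code from either answer or from any university site, and the failure threshold, lockout window and PBKDF2 iteration count are assumed policy values.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # consecutive failures before the account is locked (assumed policy)
LOCKOUT_SECONDS = 900   # how long the lock lasts (assumed policy)


def hash_password(password: str, iterations: int = 200_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record; the plaintext password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    # constant-time comparison so the mismatch position is not leaked via timing
    return hmac.compare_digest(candidate, record["digest"])


class LoginGuard:
    """Counts consecutive failures per account and enforces a lockout window."""

    def __init__(self, users: dict, clock=time.monotonic, iterations: int = 200_000):
        self.users = users                    # username -> hash_password() record
        self.clock = clock                    # injectable so tests can advance time
        self.failures = {}                    # username -> (count, locked_until)
        # dummy record keeps an unknown-user attempt as slow as a real one
        self.dummy = hash_password(os.urandom(8).hex(), iterations)

    def attempt(self, username: str, password: str) -> str:
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"                   # refuse without checking the password
        record = self.users.get(username, self.dummy)
        if verify_password(password, record) and username in self.users:
            self.failures.pop(username, None) # success resets the counter
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self.failures[username] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self.failures[username] = (count, 0.0)
        return "failed"
```

A real deployment would also log each lockout with the source address so repeated attempts across many accounts show up in monitoring.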