Your Fly Is Open

Netmenaces and Other Internet Stupidity

The Ethics of Publicly Naming Compromised Systems

2024-10-29 4 min read professionalism

I spend some time each week researching what Internet miscreants are doing. Because of this, I often encounter compromised systems before their owners know of the breach. As I write this, I currently have outstanding contact attempts for ten organizations with compromised websites - some with which you’re likely familiar.

While my primary goal is to alert these organizations so they can secure their systems, reaching the right people can be challenging. Some folks have suggested I publicly name these compromised organizations because it might spur them into action. However, this approach has significant pros and cons that need careful consideration.

In many ways, this debate mirrors the ongoing discussion over the public disclosure of security vulnerabilities. Like that debate, different individuals will likely agree with different sides of this question; I’m not attempting to settle this debate but rather to clarify the pros and cons of the issue.

Pros of Public Disclosure

Let’s get this one out of the way first: It’s much easier. Finding a way to notify an organization that they’ve been hacked is hard. I’ve tried everything from website Contact Us forms to messages on Twitter and LinkedIn to phone calls. Few organizations have a working security@ email address, and most folks likely consider my messages spam. No one likes hearing that they made a mistake; that’s essentially what I’m doing. Rightfully, they are suspicious of someone outside their organization telling them something they should’ve caught themselves. All of that works against me when I attempt to quietly inform an organization that they’ve been hacked.

Another advantage of publicly naming compromised organizations is the potential to create urgency. When a breach is made public, it often garners immediate attention from the organization, prompting them to address the issue more swiftly than they might have otherwise. Publicly naming compromised organizations can lead to quicker mitigation of vulnerabilities, reducing the risk of further exploitation. Additionally, public disclosure can raise awareness about common security issues, encouraging other organizations to check and secure their systems proactively.

Public disclosure could also foster a culture of accountability. By highlighting security lapses, organizations may feel more compelled to invest in robust security measures and prioritize cybersecurity as a critical aspect of their operations. If the potential for being named and shamed exists, this can lead to industry-wide improvements in security standards and practices, benefiting the broader digital ecosystem.

Cons of Public Disclosure

Despite these potential benefits, publicly naming compromised organizations carries significant risks. Chief among these is the potential for reputational damage. For instance, a small e-commerce business might lose customer trust and revenue if it’s revealed that its website was compromised. This could be particularly damaging if the breach still needs to be fully understood or contained, as it might lead to panic and misinformation. Attackers have already violated these organizations; publicly shaming them would only add to that violation.

Public disclosure of compromised systems can unintentionally benefit malicious actors. Remember, I don’t have some magic crystal ball. I’m using publicly available information to discover hacked organizations. Even if I don’t reveal a compromised system’s specific weaknesses, attackers may use this same public information to identify weaknesses and escalate their attacks before the organization can address them. This could worsen the situation, potentially resulting in more significant breaches and greater data loss.

My Approach

As I said at the beginning of this post, this isn’t a debate with some easy, clear-cut answer. It all comes down to what you’re personally comfortable doing.

For better or worse, I find myself uncomfortable with publicly naming victims. Organizations should absolutely be more vigilant in patching, monitoring, and securing their systems. As an outsider, I should never be the one telling a business that someone has hacked its systems. As my college roommate used to say, “They done brang it on themselves.

But they’re still victims.

Leaving the doors to your house standing open is dumb, but it doesn’t give someone the right to steal your stuff. If they do, you’re still a victim, and we should be cautious of falling into the trap of victim-blaming.

Given the complexity of these considerations, I’ll continue down the path I’m currently following. I’ll continue to do my best to notify organizations that attackers have compromised their systems without resorting to public shaming.

Even though this philosophical excursion hasn’t changed my mind, I’m happy to have taken it. This isn’t a black-and-white issue; it’s a decision informed by subjective values. Sometimes, it is important to think things through, if only to clarify your reasoning and strengthen your resolve.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
October 29, 2024