FireEye rift exposes divide in security industry
German security researcher Felix Wilhelm dissected some of the best-known malware protection tools on the planet this month in front of a conference room full of colleagues.
Within a day, Twitter, or at least a specialized corner of it, was in a frenzy. A hashtag derided FireEye, the Milpitas vendor at the heart of Wilhelm’s work. People attending the British security event 44Con posted pictures of stickers brazenly telling FireEye exactly what they thought of the company.
Wilhelm’s remarks weren’t controversial because of what he revealed — bugs that could have felled software and hardware that FireEye customers count on to notify them of cyberattacks — but what he couldn’t.
The uproar was caused by a gag order, an injunction requested by FireEye in a German court. It kept Wilhelm from exposing what FireEye considered trade secrets; mostly, the firm said, its proprietary code.
Wilhelm made this clear by blacking out a slide in his presentation and labeling others “censored.” If he explained too thoroughly the way FireEye had failed to protect its customers, he and his employer, cybersecurity company ERNW, could be sued.
The spat between Wilhelm and FireEye illustrates the blurred line that security researchers toe.
They work to identify flaws in hardware and software, from cars to smartphone apps. It’s work that is often unsolicited, but in many cases compensated by companies grateful for the tips.
But when their findings could affect the profits of companies, researchers must be careful about how they disclose vulnerabilities.
Still, it’s rare to actually be served court papers.
“It was supposed to be, ‘Here is a vulnerability and here is how we patched it.’ Instead it was legal process and it was censorship stamps on slides,” said attorney Alex Urbelis, who was in the room during Wilhelm’s presentation.
If the gasp among those at the conference wasn’t audible, he said, it certainly was palpable. It wound up reverberating in the press, with critical coverage from Wired to Germany’s Süddeutsche Zeitung.
It reminded Urbelis of a time decades ago when researchers often faced such legal threats.
“This debate has been 20 years on,” said Jeremiah Grossman, founder of WhiteHat Security.
Neither side — researchers nor companies — is without fault, Grossman said.
“Even within the security community, we haven’t even gotten it right,” he said. “That’s the most problematic part of this. We still don’t have it down.”
Much skepticism
The mere mention of a lawsuit is taboo in this crowd, which believes prosecutors and law enforcement have been overaggressive in their pursuit of researchers.
Perhaps the most famous example was CiscoGate in 2005, when researcher Michael Lynn announced vulnerabilities in Cisco Systems’ routers, only to have the company and his own employer sue to prevent him from sharing findings. Cisco later issued a mea culpa and has changed its policies.
Today, some high-profile companies — Facebook and Google included — offer researchers thousands of dollars in exchange for disclosures about vulnerabilities and certain exploitation techniques.
That’s because those companies recognize that while criminals scheme to steal everything from credit card numbers to complete online identities, it’s researchers who hedge against such disasters by playing bad guy.
This is a role that even FireEye has said publicly that it supports.
Though it doesn’t offer a similar bug bounty program for researchers who discover flaws in its products, FireEye sometimes gives gifts and always offers name recognition for researchers who work with the company.
In this instance, ERNW had been working with FireEye for months to fix the bugs Wilhelm discovered, including one in which two carefully crafted e-mails with zipped attachments were enough to exploit one of FireEye’s tools.
That close working relationship might have been Wilhelm’s mistake, however, said Rob Graham, chief executive of Errata Security.
“When you have a vulnerability, it’s always better to disclose them publicly first and then talk to the vendor,” he said. “The more you talk to the vendor, the more opportunity they have to shut you down.”
FireEye is a public company with a market capitalization of roughly $5.3 billion. It boasts that it has more than 2,700 customers across more than 67 countries, including over 150 of the Fortune 500.
Its technology alerts customers to myriad threats — warnings that Target famously ignored during its breach in 2013.
Its Mandiant division is a mainstay in the security industry, conducting important research in the wake of major data breaches, including last year’s Sony hack.
Still, FireEye served ERNW with court papers roughly a week before Wilhelm was supposed to present his research.
The dispute, according to FireEye, boiled down to a disagreement over disclosing details about its technology.
“FireEye did not seek to deny ERNW from disclosing the vulnerabilities themselves. In fact, FireEye cooperated with ERNW on this matter and ultimately approved their published report on the vulnerabilities,” the company said in a blog post.
Urbelis said he doesn’t buy that.
“The things he wasn’t sharing were screenshots, user interfaces, very basic things were prevented from being shown,” he said. “As far as the audience could tell, this didn’t have a hell of a lot to do with primary source code.”
ERNW founder Enno Rey didn’t find FireEye so benevolent, either.
“I don’t think (legal action is) appropriate in this specific case,” he wrote in a separate post. “I don’t think it’s appropriate in the vast majority of other cases of responsible disclosure and I think it eventually sends the wrong signal to the research community.”
Wilhelm, ERNW and FireEye all declined to comment to The Chronicle.
Targeting FireEye
The dispute reportedly has a faction of the security community targeting FireEye’s wares, said hacker Cris Thomas, who goes by the name Space Rogue.
Some are also considering a pledge that they will no longer use FireEye at their companies.
That negative perception might have long-term effects.
“It’s not about this vulnerability, it’s about the next five. Do the next five vulnerabilities get told to FireEye in advance or do they just get dropped?” — meaning released without warning — said security researcher Dan Kaminsky.
“The problem is that they might just get dropped, because maybe they should.”
That could be important, he said, because it might spur more industry conversations.
“That’s the trade-off when you harass researchers,” Kaminsky said. “They stop giving you advance notice.”
Anytime bugs get hoarded by researchers or published without notice, it puts users at risk. When companies are caught flat-footed, bad actors have a leg up.
The incident flared up, in part, because of FireEye’s role in the security community.
“The primary reason this one feels different is that when a security company has a security compromise, it’s a different kind of failure,” said Josh Corman, co-founder of I Am The Cavalry, a cybersafety industry group.
That FireEye would use legal means to allegedly cover up part of that failure is doubly troubling, he said. Corman is careful to say that FireEye’s technology plays a pivotal role, despite the backlash.
“We expect (FireEye) to know better. It’s like when a doctor gets lung cancer from smoking,” said Corman. “It’s not hypocrisy per se, but it’s just an expectation.”
Issue will fade
Most likely, Kaminsky said, the whole incident will blow over.
“We could live in a world where there is fundamentally an adversarial relationship between researchers and vendors,” said Kaminsky. “But we don’t.”
Less than a week after Wilhelm’s talk, FireEye returned to business as usual, releasing research about malware affecting Cisco’s routers.