Hacker group defies U.S. law, defends exposing McAfee website vulnerabilities

YGN sought to explain its rationale for performing what it acknowledges is unlawful testing of McAfee's website for vulnerabilities

The hacker group that exposed holes in McAfee's website knows it's breaking U.S. law, but vows to continue exposing vulnerabilities, especially on security vendor websites.

"We do understand performing security testings without authorization is illegal under U.S. law," stated YGN Ethical Hacker Group, when contacted by Network World via e-mail. The outfit's own website describes YGN as a "small group of young but mature people" based in the country of Myanmar (Burma) who started working together about three years ago. Based on its website advertising, the group, which seeks to emphasize its goals are "ethical," appears to offer vulnerability-testing services while also working on security testing tools.

In response to a question about why it's so secretive, YGN says, "Secrecy is very important to us that our Burmese government might not call us up to misuse our skills to attack their most hated countries including U.S., Norway...etc."

YGN sought to explain its rationale for performing what it acknowledges is unlawful testing of McAfee's website for vulnerabilities: "As for the McAfee website case, we've been seeing security holes popping up every year since 2008, which proves they don't have a secure coding standard and proper security audit of themselves, while they do have world-renowned experts. We actually didn't perform intensive security scans on its websites. We knew its flaws just by looking at their publicly available HTML/JavaScript source code. This implies that deep testing might find more issues."

McAfee, which offers its "McAfee Secure" branded scan service for daily website evaluation and has Foundstone vulnerability-testing tools, earlier this week responded to Network World, which reported YGN's findings in a public security-discussion forum. A McAfee spokesperson said, "McAfee is aware of these vulnerabilities and we are working to fix them. It is important to note that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the vulnerabilities." McAfee has so far not made further comment.

YGN indicates it may continue its campaign of performing vulnerability test scans on websites, particularly those of security vendors, because it feels this is the right thing to do: "As responsible netizens, we believe that YGN Ethical Hacker Group is liable to disclose security issues in high-profile web sites where thousands of users exist to rely on their security-related services/products. It is unethical by human conduct to sell security products/services while vendors don't care [about] fixing their issues."

YGN, which doesn't want to disclose the names of its members, said they want to "represent our country" and "to do security research to contribute to the security of users in [the] digital world."

YGN also participates in security research groups, including EvilFingers, which security analyst Shyaam Sundhar Rajamadam Srinivasan indicated he started with his wife in 2006. When asked about YGN, and whether doing vulnerability tests on websites without the owner's permission is wrong or illegal, Srinivasan is direct.

"YGN is just a group that I got to know recently," according to Srinivasan, who says he is CEO of DigitOnto and works as a contractor for SANS Institute. "My wife and myself, we don't do unethical stuff. I believe that scanning one's website without prior authorization is definitely inappropriate and violates our partnership rules and regulations." He writes that he intends to inform YGN about the same. "EvilFingers never cooperates for any kind of unethical activities."

Mandeep Khera, chief marketing officer at Web application security vendor Cenzic, notes that performing vulnerability tests on a website without the owner's permission is illegal in the U.S. "You're forcing yourself onto someone's property," he points out. "It's like a break-in."

When informed of this criticism, YGN responded by saying it will expose vulnerabilities in Cenzic's website: "We will disclose an OWASP Top 10 Security issue in [the] Cenzic web site." The Open Web Application Security Project is an organization composed mainly of vendors that researches web application vulnerabilities, such as cross-site scripting, and publishes its ranking of the most significant ones in an annual report.

YGN says its motivation to expose holes in security vendor websites is because "nowadays security vendors don't even care about the security of their websites (while some of them offer Web App Security Products/Services), which allows attackers to exploit these flaws to attack their users. Apparently, the U.S. law will not sue security vendors for their lack of security."

To sum up, YGN states, "from the look of the law, what we did seems illegal from a U.S. law perspective. We, security researchers, sometimes need to go to the dark side for the benefit of users."

Ellen Messmer

Network World
