Company Thanks Guy Who Alerted Them To Big Security Flaw By Sending The Cops… And The Bill

from the this-is-why-white-hats-go-black dept

We’ve seen before that organizations don’t seem to react well to outside security folks pointing out vulnerabilities in their systems. They very often take a “blame the messenger” approach — as if pointing out a flaw suddenly makes that flaw come into existence. But one company seems to be taking it to another level. That Anonymous Coward points us to a story in which a security professional found a big and ridiculously obvious bug in the website of an Australian investment fund, First State Superannuation. Apparently you could see other people’s accounts by merely changing the account numbers in the URL. Increase the number by one, and see the next user in line. This is the kind of extraordinarily basic mistake that I thought had been eradicated a decade ago. Apparently not.
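The flaw described above is an insecure direct object reference: the statement handler authenticates the member but never checks that the account number in the URL belongs to that member. The following is an added example, not code from the article, from Pillar or from First State Super; the data store, sessions, member names and the `can_read_neighbour` check are constructed for illustration. It puts the vulnerable handler beside the hardened one.

```python
"""Added example (not from the article or from Pillar): the
account-number-in-the-URL flaw described above, and its fix.

The vulnerable handler trusts the account number supplied in the request
and never checks that the logged-in member owns it, so incrementing the
number returns the next member's statement. All records and sessions
below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    account_id: int
    owner: str
    balance: float


# Constructed sample data standing in for the fund's statement store.
STATEMENTS = {
    1001: Statement(1001, "alice", 52_300.00),
    1002: Statement(1002, "bob", 18_750.50),
    1003: Statement(1003, "carol", 104_010.25),
}

# Constructed sessions: session token -> authenticated member.
SESSIONS = {
    "sess-alice": "alice",
    "sess-bob": "bob",
}


class NotFound(Exception):
    """Raised when the caller may not see the requested statement."""


def get_statement_vulnerable(session_token: str, account_id: int) -> Statement:
    """The pattern the article describes: the caller must be logged in, but
    any account number in the request is served (authentication, no
    authorization)."""
    if session_token not in SESSIONS:
        raise PermissionError("login required")
    return STATEMENTS[account_id]


def get_statement(session_token: str, account_id: int) -> Statement:
    """Hardened form: the lookup is scoped to the authenticated owner.
    A foreign account and a non-existent account get the same 'not found'
    answer, so the response does not confirm which numbers exist."""
    member = SESSIONS.get(session_token)
    if member is None:
        raise PermissionError("login required")
    stmt = STATEMENTS.get(account_id)
    if stmt is None or stmt.owner != member:
        raise NotFound(f"no statement {account_id} for this member")
    return stmt


def can_read_neighbour(session_token: str, own_account: int, handler) -> bool:
    """Regression check for the 'increase the number by one' case: True means
    the neighbouring member's statement was served to the wrong member."""
    try:
        stmt = handler(session_token, own_account + 1)
    except (NotFound, PermissionError, KeyError):
        return False
    return stmt.owner != SESSIONS[session_token]


if __name__ == "__main__":
    print("vulnerable handler leaks neighbour:",
          can_read_neighbour("sess-alice", 1001, get_statement_vulnerable))
    print("hardened handler leaks neighbour:  ",
          can_read_neighbour("sess-alice", 1001, get_statement))
```

The design point is that ownership is enforced inside the data lookup rather than bolted on afterwards, and that the hardened handler answers "not found" for both missing and foreign accounts; a check like `can_read_neighbour` belongs in the test suite so the regression the article describes cannot reappear silently.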

But the company that runs the fund, Pillar, went quite crazy about this. While the company did fix the security hole, it also sent the police to interrogate the security researcher, Patrick Webster. Pillar also sent a letter to customers (pdf) in which it suggests that Webster created this massive security flaw, rather than their own dreadful programming:

It has come to our attention that a member of First State Super, who has online access to their account, devised a way to view an image of your statement.

And then, to add insult to injury, Pillar sent Webster a letter saying he broke the law, they were closing his account, and may seek money from him to fix the vulnerability:

Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar’s systems, your actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.1 of the Criminal Code Act 1995 (Cth). You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police.

Further, as a member of the Fund, your online access is subject to the terms and conditions of use which are outlined on the Fund’s website. Your unauthorised access also constitutes a breach of those terms and has caused the Trustee to expend member funds in dealing with this matter. Please note the Trustee has the right to seek recovery from you for the costs incurred in accordance with those terms.

[….]

In addition, the Trustee reserves its rights to require you to allow it’s (sic) IT personnel to examine your computer during business hours to verify that all data and records on your computer have been destroyed or deleted.

In the meantime, the Trustee has suspended your online access to the Member Section of the Fund’s website.

Yup. Help Pillar out, uncover a basic programming/security mistake that puts the info of tons of people at risk, and get punished. Pillar apparently prefers to have people never report any problems they find with its system at all, keep its head in the sand, and instead allow malicious hackers to run wild through a totally insecure system. Brilliant work.

Companies: pillar


Comments on “Company Thanks Guy Who Alerted Them To Big Security Flaw By Sending The Cops… And The Bill”

124 Comments
freak (profile) says:

Well, if Patrick Webster needs to set up a legal defence fund, I know I’ll be pitching in a symbolic buck or two.

Not that I’ve ever been able to find a security problem, but I do probe; if whatever website I’m using has security so bad even I can crack it, why would I continue to use it? (And being aware of security problems, why wouldn’t I let them know so they can fix it?)

Some Guy says:

Re: Re:

Same here.

I’ve personally done exactly what he did on a number of websites, a very tiny amount had the same problem. I could see other people’s things which I shouldn’t have been able to. And I’m no “hacker”. Just a guy who is curious about random things and said “I wonder what would happen if I change a number and hit enter”.

Which means I need to stop doing that, if this is any indication of where things are going. I’d hate to have the cops sent my way, as well as a bill, and blame for the problem for a website/company’s OWN shortcomings.

Some Guy says:

Re: Re: Re: Re:

That’s true and something worth considering. The problem is no one is holding these companies accountable for their lax security. And when people like the guy in the story or yourself or myself or anyone for that matter, point out the problems they turn on us and try and hold us responsible.

I think what’s needed is major changes in regards to companies’ security policies online. If someone finds an exploit, they should be able to let the company know without fear of prosecution for pointing out something they should’ve been made aware of as a potential security risk (especially if they did no harm in the process of pointing it out). If it’s something MAJOR that the company should’ve been on top of in the first place, the company should be held accountable and fined (and not “slap on the wrist” fined). Or perhaps the CEO. Like that, they’ll learn to take our data security a bit more seriously.

Some Guy says:

Re: Re: Re:3 Re:

“Would existing privacy laws cover this sort of thing?”

I’m not sure. Would they? And if so, what happens to Sony (after the PSN fiasco where people’s data was stolen)? Even more so, what happens to Sony now (When they’re starting to include in their Terms of Service agreement that customers can’t/won’t hold Sony responsible for any f*ck ups, even if they are clearly Sony’s fault. And if you don’t agree to the ToS, then your “only does everything” PS3 becomes a much more useless item.)?

Things like this are what make me shake my head in wonder. I remember less than a decade ago (I’m only 26) that the customer was always right and customer satisfaction was at the forefront of most corporations’ business practices (I said MOST, not ALL). Now, hahahaha.

Anonymous Coward says:

Re: Re: Re:3 Re:

There are lots of privacy laws that could cover disclosure of confidential information. If it could be demonstrated that the information had been stolen, and that that information was protected under applicable laws, a case could be brought. I think the chief problem there though would be that you would have to get the attention of the attorney general under whose jurisdiction this would fall and get them to prosecute, and in my opinion there are few AGs willing to bite at large corporations unless the crime is really overt and publicized. The possibility of an individual or class-action lawsuit seems quite a bit lower.

FarSide (profile) says:

Re: Re: Re:3 Re:

It’s not companies regulating themselves that people want.

It’s the Markets (i.e. people, who comprise the markets) that should be regulating the companies.

If you notice, it’s indeed the government that’s being used against the customer in this case (e.g. laws in place that punish him for no reason)

In reality, the company should be completely liable for any and all bad things that happen from this horrible ‘security’. No limits. That is how a market regulates itself – not by passing laws, but punishing a company if they are shitty, instead of using laws to shield themselves.

John Fenderson (profile) says:

Re: Re: Re:4 Re:

That is how a market regulates itself – not by passing laws, but punishing a company if they are shitty, instead of using laws to shield themselves.

Yeah, it’s just too bad that that doesn’t actually happen outside of certain kinds of markets (specifically, ones where there is a lot of competition without collusion.) Those kinds of markets can only persist with the assistance of regulation. Even Adam Smith acknowledged that unregulated capitalism is unstable and will always devolve into a monopoly market, and monopoly markets do not self-correct.

Unfortunately, appropriate business regulations have been increasingly absent over the past few decades and so such markets are growing increasingly scarce.

stk33 (profile) says:

Re: Re: Re:

If you walk by the street and see that someone has forgotten to lock or even close the door of their home, will you probe what’s inside just because you are “guy who is curious about random things”?

Guess what, this will still be a crime. You do know that this is not your home, and you do know that the account with +1 in its number is not yours, and by hitting “enter” you do have very clear expectation of what will happen if it works.

ts says:

Re: Re: Re: Re:

You’re an idiot. This is nothing like walking into someone’s home because the door is unlocked. This is more like if you bought a lock for your home, tested it, and found that it was flawed.. and then informed the manufacturer of the lock about it’s flaw so they can fix it to prevent “the real bad guys” from walking into people’s homes.

Or we could just all bury our heads in the sand and trust that companies are doing a good job of securing our personal data. Just keep in mind, when the bad guys find a hole like this one, they won’t tell anybody.. at least not until they have stolen all of the data they want.

stk33 (profile) says:

Re: Re: Re:2 Re:

First, it’s not your lock and not your home. It’s someone else’s; the fact that you have noticed that it’s unlocked or defective does not make it yours. In the communications Pillar clearly mentions that they were concerned about the size of the files with private information of their customers Webster has downloaded as a “proof”. So do a little experiment: walk up to a police officer on the corner, and say that there’s that unlocked home across the street, and as a proof, here’s what I was able to grab from that home when I entered it through the open door, because you see, I’m a researcher of the quality of the locks on others’ homes. Then see if you receive a medal, or something else for your discovery.

And if he indeed was a researcher, a white hat, he would know how to make it all legally, and to get paid by the same Pillar.

Hey, and thanks for the “idiot”, that really invites the discussion.

ts says:

Re: Re: Re:3 Re:

I apologize for calling you an idiot, but I still strongly disagree with your argument. This is nothing like going to peoples’ houses and trying to walk in the front door… and you know that. If someone walked into my house and grabbed my stuff to prove they could get in, I’d be pissed. If someone changed a number in a URL and pulled up my personal information, I’d thank them for pointing out the security flaws, and then I’d close my account with the idiots that are in charge of my data.

If the guy had bad intentions, he would have kept his mouth shut. He tried to do good, [i]perhaps[/i] using questionable methods, but he didn’t actually STEAL anything as you try to imply with your analogy. When a vulnerability is found, the next step is to determine the scope. Maybe he should have left that part in the incapable hands of Pillar, but it just seems to me he was trying to gather as much information as possible to help them understand the issue.

Trails (profile) says:

Re: Re:

From http://www.smh.com.au/it-pro/security-it/super-bad-first-state-set-police-on-man-who-showed-them-how–770000-accounts-could-be-ripped-off-20111018-1lvx1.html

NSW Police said it was not taking any further action on this matter. “There was no criminal offence committed and the company in question has been informed of the outcome. It was more a case of a civic-minded person reporting a potential security breach.”

At least he doesn’t appear to have any criminal charges hanging over his head.

Anonymous Coward says:

First, you have to understand Australia is hilariously backward when it comes to understanding communications, computers, and the internet.

Next, you need to read the source, wherein Patrick Webster not only admits to illegally accessing other people’s accounts, he submitted WRITTEN EVIDENCE to the company of accessing a thousand other accounts as proof of their vulnerability.

Neither side is going to come out smelling like roses, but Webster really put his foot in his mouth on this one.

freak (profile) says:

Re: Re:

“Next, you need to read the source, wherein Patrick Webster not only admits to illegally accessing other people’s accounts, he submitted WRITTEN EVIDENCE to the company of accessing a thousand other accounts as proof of their vulnerability.”

The linked source says he only accessed a former colleague’s report. Lemme check this on the web with other sources before I call bullshit.

Anonymous Coward says:

Re: Re:

Illegally? It’s illegal to change the number in a URL and hit enter? That’s insane. If their website gives you confidential information just by changing the URL that’s not a case of someone ‘illegally accessing other people’s accounts’ that’s a case of the company illegally allowing access to other people’s accounts. At some point the responsibility must lie with the company hosting the information and I think that point comes with gross negligence as in this case.

Trails (profile) says:

Re: Re: Re: Re:

That’s not necessarily true. Many laws discuss circumvention of access controls. Cracking is one thing but URL fudging simply generates a new request, which their servers respond to. This is the fundamental paradigm of web traffic (request-response), it’s how all http and https traffic work.

The fact that their server responded to a request for any account means, technically, they had no access control measures to circumvent.

Pillar refers to this as “unauthorized access” but their server responded with the data, and had every opportunity to apply whatever authorization logic to the request they wanted.

This is analogous to phoning up a bank, asking for details of any account, getting it, and them blaming you. He asked for it, they gave it to him.

What this really shows is an epic lack of understanding of web app security on the part of Pillar. Anyone banking with them should close their account NOW; keeping your money with these guys is just begging to get it snatched.

Anonymous Coward says:

Re: Re: Re:2 Re:

“The fact that their server responded to a request for any account means, technically, they had no access control measures to circumvent.”

and even if they had access control measures to circumvent, if I’m a customer of that company and that company holds my personal data, it is (or should be) my every right to attempt to find security vulnerabilities in the company’s website that might expose my data. If I can hack the website, then others likely can just as well and I need to know about those vulnerabilities to make the company aware of them and have them corrected. No law should ever stand in my way because any law that does is a law that interferes with my ability to ensure that my data is well protected.

freak (profile) says:

Re: Re:

“To demonstrate the flaw to First State’s IT staff, Mr Webster wrote a script that cycled through each ID number and pulled down the relevant report to his computer. He confirmed the vulnerability affected the firm’s full customer database.”

What I’m gleaning from multiple sources is that he DID NOT access anyone’s reports besides his colleague’s; he wrote a script that could access everyone’s reports and sent the script to IT guys at the company.
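The script described in the quoted passage, cycling through every ID number, leaves a very recognisable trace in a web server’s access log: one session successfully fetching many distinct, consecutive account numbers. The following is an added example (not from the article, from Pillar or from any commenter) of detection logic a defender could run over such logs as a compensating control. The log format, the sample lines, the session identifiers and the thresholds are all constructed assumptions.

```python
"""Added example (not from the article): flagging sequential account-id
enumeration in access logs, the pattern left by a script that cycles
through every ID number. Log format, sample lines and thresholds are
constructed assumptions for illustration."""
import re
from collections import defaultdict

# Constructed log lines: session id, method, path, HTTP status.
SAMPLE_LOG = """\
sess-aaa GET /member/statement?account=1001 200
sess-aaa GET /member/statement?account=1001 200
sess-bbb GET /member/statement?account=1002 200
sess-ccc GET /member/statement?account=2000 200
sess-ccc GET /member/statement?account=2001 200
sess-ccc GET /member/statement?account=2002 200
sess-ccc GET /member/statement?account=2003 200
sess-ccc GET /member/statement?account=2004 200
sess-ccc GET /member/statement?account=2005 200
sess-ddd GET /member/statement?account=3000 404
sess-ddd GET /member/statement?account=3001 404
sess-ddd GET /member/statement?account=3002 404
sess-bbb GET /member/statement?account=1002 200
"""

LINE_RE = re.compile(r"^(?P<sess>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")
ACCOUNT_RE = re.compile(r"[?&]account=(\d+)")


def parse_log(text):
    """Yield (session, account_id, status) for each statement request."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        a = ACCOUNT_RE.search(m["path"])
        if a:
            yield m["sess"], int(a.group(1)), int(m["status"])


def find_enumerators(text, min_distinct=3, min_sequential_ratio=0.8):
    """Return {session: stats} for sessions that successfully (HTTP 200)
    fetched at least `min_distinct` distinct account ids where at least
    `min_sequential_ratio` of the gaps between sorted ids are exactly 1.

    Only successful responses count: a run of 404s shows probing but no
    disclosure, and that is a different (lower-severity) alert.
    """
    per_session = defaultdict(set)
    for sess, acct, status in parse_log(text):
        if status == 200:
            per_session[sess].add(acct)

    flagged = {}
    for sess, ids in per_session.items():
        distinct = sorted(ids)
        if len(distinct) < min_distinct:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        sequential = sum(1 for s in steps if s == 1)
        ratio = sequential / len(steps)
        if ratio >= min_sequential_ratio:
            flagged[sess] = {"distinct": len(distinct), "sequential_ratio": ratio}
    return flagged


if __name__ == "__main__":
    for sess, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"{sess}: {stats['distinct']} distinct accounts, "
              f"{stats['sequential_ratio']:.0%} consecutive")
```

This is a detective control, not a fix: a member who legitimately holds several accounts could trip a low threshold, and the real remedy remains the ownership check in the handler. Joining the flagged sessions against account ownership would turn the alert from "enumerated many ids" into "read ids it does not own", which is the disclosure that matters.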

Joel Coehoorn says:

Re: Re:

> “If no one knows the security flaw exists, then it doesn’t exist.”

That’s just not true. Just because the company and other white hats don’t know about it, it doesn’t mean a black hat isn’t aware and is using (or just not preparing to use) the information to exploit the users of the account.

Brent (profile) says:

I've done that

Any time I notice a URL has a query string with just numbers I always try incrementing them.

Did that with my ebill for my mobile phone provider and started seeing other people’s bills. I alerted them immediately, and the system went down for a couple hours and when it came back up it was fixed.

A few days later I got an email from the chief privacy officer of the company (I think that was his title) with a “personal” thank you for pointing it out.

Anonymous Coward says:

But Mike, of course ignoring the problem will fix the problem on its own! So will denying the problem even exists, even when confronted with evidence of it!

After all, that’s what millions of people believe about global warming. If we tell the earth it’s all a hoax then things will stop warming up! We just need to tell the website that the security flaw is all a hoax by a wannabe hacker, and the website will act as if the problem never even existed in the first place!

Bayan Rafeh (profile) says:

Re: Re:

Isn’t global warming a natural process? We’re simply speeding up the cycle not causing it. I think it’s preserving resources that we need to raise awareness about, it’s amazing how much people mix up the two.

Anyway, back on topic, who wrote that system, monkeys?!! This is not a mistake a self respecting programmer/designer makes.

Poor Rhymer says:

When corporations make a mistake they like not be corrected, they don’t want the problem directed, instead they want to keep their head in the sand. They pretend to be under a curse that makes them not understand that this only makes them look worse. They make mistakes as though they were practiced and rehearsed ahead of time, instead of sublime behavior they act as though their valuable customers committed a horrible crime by doing them a favor. But I suppose being a good neighbor is a criminal offense these days.

out_of_the_blue says:

Failed to understand corporations and bureaucracies.

Whatever executive is supposedly responsible for web-site design in particular does NOT wish to hear of any flaws, could derail his career. Same applies up and down the system: jobs often depend on presenting the illusion that all is well. Corporations are conformity and control, not disruption, especially from outside. Even if you get through the bureaucracy, you won’t be thanked for raising problems.

Webster, indoctrinated in the myth that corporations are good and motivated by “excellence” rather than sheerly money, now knows different.

BeachBumCowboy (profile) says:

Bank Security

This is the equivalent of letting a customer into a bank’s safety deposit vault so they could open their own deposit box. Then the customer notices that the box next to his seems a little loose and might be able to be opened without a key.

He checks this out and yep, it’s able to be opened with no effort, and the next one too, and the next one…
Then he tells the bank their safety deposit boxes are all broken, they might want to check into that.

The Bank throws him in jail for robbing the place.

Anonymous Coward says:

Re: Bank Security

That’s a good analogy. I sometimes have trouble educating people on how security vulnerabilities aren’t the fault of whoever discovered them, but rather whoever built the system. Once a subject drifts into this area, people’s mouths gape open and their eyes tend to glaze over with the memory of the thousands of “hacking” scenarios they’ve seen in TV and movies. They have no real-life foundation to even begin to understand a computer security situation, and fall back to reasoning that if someone got into a place they weren’t meant to, that they *must* have had to maliciously break something using evil hacker skills and are therefore vile criminal scum.

Mark (profile) says:

Re: Bank Security

The difference is, there is a clause in your hypothetical bank’s terms and conditions saying that under no circumstances should any customer touch or attempt to open another customer’s box. Any customer discovered interfering with or opening a box that does not belong to them is liable to their account being closed and prosecution. The hypothetical person who went into the vault knew that it was illegal to attempt to open another customer’s box but did so anyway; in fact, he opened around a thousand boxes even though he could have just tested one or just told the bank staff themselves to check that they looked a bit suss and should be checked.

Similarly, the real person could have tested just one access, or none at all and wrote an email or letter to the Bank CEO, manager and IT manager asking if this potential security flaw had been tested and was it safe. A reply might have told him, “yes we have checked it and it’s OK” (although they probably would have said the same if it wasn’t and they just fixed it). Either way the problem could have been resolved with no law broken. If they had not replied within a given time frame, perhaps then he could have checked one time to see if the flaw was there and wrote again. The first letter would probably cover him a bit better legally given that he tried to warn them and got no response.

Of course, it would be ridiculous to prosecute either hypothetical person or real person – having examined all the facts surrounding the situation and agreed that the actions were with good intention, but I would have no surprise really if the company wrote a letter warning him that what he did was illegal and against their terms; but it does surprise me that any punitive action was taken against him and I would be even more surprised if more action was taken. What should happen is the company hang its head in shame, wring a few necks internally, and count themselves lucky they didn’t get caught out with worse.

But I fear, reading some responses, that what some “white-hat hacker” types are more afraid of is that their fun is being taken away from them. Listen: if no one invites you to test their security you have no business doing it – whatever your motive – so don’t do it. If you don’t agree that this is right and fair, fair enough, but comply with the written law if only just to protect yourself.

DogBreath says:

If only...

there was an Australian law authorizing prosecution of those responsible for “allowing” such easy and irresponsible unauthorized access to customers’ accounts in the first place, this malicious attack on “kill the white hat messengers” would never get this far, as the company’s testimony would put themselves in the line of fire too.

Even if there is such a law, I’m sure that the corporations at most would pay a simple and small fine (while raising the money from customers, so it doesn’t come out of the “company profits”) and be on their merry way. Saying “We’re looking out for our customers best interest”, when they’re really only looking out to cover their own asses from their own mistakes.

Spin, it’s always about spin.

Anonymous Coward says:

Re: If only...

I think that’s naive. If a government passes a law saying that it would be illegal to have less-than-reasonable security, then now the government is in charge of deciding what is reasonable. The execution of such a law may come down to individual court cases where experts may or may not be called to inconsistently define what is “reasonable” or not. Another way it might come down is that clueless bureaucrats and legislators then have the power to define what is reasonable. They may have to create an entire department of similarly clueless investigators which would then need to review cases in the most inefficient and wasteful manner possible to decide what is reasonable. The power now being in their hands to decide what is reasonable, you have problems of them keeping up with advances in the art about what is reasonable, and being subject to corruption and regulatory capture about what is reasonable, and trying to pull even more circumstances of reasonableness under their purview in order to justify their continued existence.

Attempts to legislate reasonableness often spin out of control rapidly into bureaucratic nightmares. Legislation is not a panacea. Any proposition that just says “Oh they should just make a law and then this will never be a problem” is hopelessly naive. A new law may make a situation better or worse, but it *always* comes with a cost, and that cost may be far higher than the cost of the problem it tries to solve.

Trails (profile) says:

Re: Re: If only...

It’s been done. See, for e.g. HIPAA, HITECH, FDA 21 CFR Part 11, Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information or, for a little continental flavour, EU Directive 95/46/EC

While some legislation lays out specific techniques that must be followed, they typically include statements to the effect of “Use of all reasonable data security best-practices”.

DogBreath says:

Re: Re: If only...

@ Anonymous Coward:

Naive or not, what you just described in your post is the system we have right now.

The only thing I wanted to point out is how the company pays a simple minor fine for doing the wrong thing, and the individual trying to do the right thing ends up being threatened with and may end up doing prison time all due to the “letter of the law”.

No good deed by an individual goes unpunished, and no bad deed by a company goes unrewarded.

Anonymous Coward says:

This sort of thing is akin to an employee throwing away confidential information in the trash versus disposing of it securely. If a guy searches through your trash at the dump (trash being the programming, and dump being the website) and finds your client’s confidential information, no one would think it would be reasonable to try to say that a guy digging in the trash is committing a crime.

By the way, if this does constitute a crime, this could be easily turned into harassment along the lines of ‘swatting.’ Send someone a phishing-like disguised email with a link to confidential information that they shouldn’t have access to and all of a sudden they can get arrested for clicking a link….give me a break.

One other thing though…holding entities accountable for breaches is a dangerous game. What would be considered “reasonable” measure of security by some court case today could be extremely negligent 5 years from now. And we all know how well the courts keep up with technology in their rulings.

Trails (profile) says:

Re: Re:

It’s even less pernicious than that. He formulated a request, their server responded with data it shouldn’t have. They had every means to authorize the request but they didn’t. Pillar referred to it as “unauthorized access” but this is only correct if one takes that to mean “we fucked up and didn’t authorize the access even though we had all the means and information needed to, and this is basic web app development”.

I run a team of web app devs, we deal with sensitive data, and if a junior dev did this, he would be pulled from the project and put on remedial web training for a couple days. An intermediate or higher dev would be summarily dismissed.

This is basic, basic stuff. Their response displays an appalling lack of technical understanding.

Mark (profile) says:

Re: Re:

Agreed but with a slight correction: The request was authorized (incorrectly) by the server – the fault of the company.

The act of accessing another customer’s account was an action unauthorized explicitly by the terms and conditions of the bank and the law of the land, so that was the fault of Webster.

So while it was indeed “less pernicious” it was still not a permissible action. Technically, both were at fault but while the company were criminally negligent, Webster had only misguided good intentions. The company should be made an example of, not Webster.

AndyD273 (profile) says:

The real mistake...

that he made was being a nice guy about it. The arrogance, ignorance, and overall attitude that this company displayed is nothing short of criminal.
As soon as he found the flaw he should have called, closed his account, then taken them to court for allowing his personal information to be accessed by criminal elements through a ridiculous lack of security.
Doesn’t matter that he doesn’t know if some criminal had ever looked at his information. It was made available to anyone by a company that was tasked with protecting it.

Mark (profile) says:

Re:

I’ve read that sentiment on quite a few articles and I would like to know precisely why this would make any white-hat hacker become black-hat. I just don’t see where you’re all making the connection. Surely a white-hat hacker, motivated by some good intentions, would not be so easily swayed unless they had a severe personality disorder to start with (which they probably don’t). I mean, out of concern you tell a company about their security flaw and they get all hissy at you… then what? Why would you then decide you should now start hacking to cause damage or even steal money? You even make it sound like you think it’s a somewhat justified reaction at being spurned, like the jilted lover who torches all his girlfriend’s CDs because she left him and started dating another guy. It doesn’t make sense. In fact, it’s a little crazy.

Most likely the white-hat hacker gets on with his real programming job and doesn’t bother saying anything in future.

Think about it a bit before saying something like this again.

TheOldFart (profile) says:

It's not just corporations, it's just average morons in a hurry

Quite a few years back there was a “free telephone” scammer operating out of Florida. (no surprise, I think more than half the scammers in America live there) Anyway, they had their site set up so that you could just trim the URL to the root directory and view the files. Right there in plain sight is a .csv file. I downloaded it, expecting to see some spamming list with e-mail addresses in it and discover that it contained names, addresses, work addresses, telephone numbers (home and work), bank accounts, social security numbers and credit card numbers!

Several times I sent the link, an explanation and an excerpt from the file to the Florida attorney general’s consumer affairs office. They never even responded.

So I removed most of the personal info but left just a part of the mailing addresses and area codes so that it was obvious the data was valid and I bcc’ed it to each of the e-mail addresses explaining to them that they had been suckered in by the spammer and that their personal and credit card info was now an unprotected file on the internet. I also provided the URL for the home page of the site (not the one to the files). It seemed like they’d want to lock their credit reports and replace their credit cards.

The only responses I ever got were people accusing *me* of stealing their personal information, and of being the scammer and telling me that they were going to get police and/or lawyers after me to find out who I was and where I lived.

Long way of saying I think the corporate reaction is just a reflection of the typical moron who works there – ready to lash out at whoever dares to expose their own idiocy/incompetence.

I monitored the file for many months afterwards and it remained up there. I kept sending copies to the FL AG but they didn’t give a shit.

DogBreath says:

Re: It's not just corporations, it's just average morons in a hurry

Your story sounds like just how Clifford Stoll was treated by organizations he would call up to tell them their systems were being hacked.

The book he wrote about his personal experience should be required reading for anyone who is in the computer security business, as it shows just how hard it is sometimes to get anyone to listen to the facts.

Joel Coehoorn says:

Wrong bill

I don’t interpret this as them threatening to bill him for their cost to fix the flaw. That is separate. I see this as their threatening to bill him for their costs to notify their users that an unauthorized individual accessed their account information. This is something they are likely required to do, even if it’s only their own (published) policy that requires it. That, at least, I could almost understand. After all, he did illegally breach those accounts.

iamtheky (profile) says:

NSW Police said it was not taking any further action on this matter. “There was no criminal offence committed and the company in question has been informed of the outcome. It was more a case of a civic-minded person reporting a potential security breach.”

At least their cops can realize that no crime has been committed and cease pursuit in a fairly expedient fashion.

Reports are that the CEO is backing down and wants to ‘talk’ to him now.

http://www.smh.com.au/it-pro/security-it/super-bad-first-state-set-police-on-man-who-showed-them-how–770000-accounts-could-be-ripped-off-20111018-1lvx1.html#ixzz1bA54owoy

Sherwin F (profile) says:

I remember playing an online game where they set up different methods of password protection to see how many you could get through. It was all on the same server, and it really was a game, all you got by cracking through one level of security was the next level.

The very first level was protected by JavaScript, with the user and pass stored in an external JavaScript file. I thought it was a joke, that nobody would be dumb enough to use something as insecure as that to protect something even mildly important, so I went on a hunt.

With the number of websites on the internet I didn’t want to just start randomly searching, so I picked a bunch of local businesses or organizations. I opened a bunch of these sites and looked for a login area. After looking at the source code of the login page on most of them I assumed I was right, none of them used anything even close to as insecure as what I had been reading about. That was until one of the last ones, the local hospital.

They had a section called “Staff”, with a login page. When I checked the code I saw some obvious JavaScript that was meant to check the entered username and password against some other values, values that were stored as JavaScript variables. So I went looking through the code, and had to take a second look, when they embedded their external JavaScript file they didn’t give the file an extension, and they called it “JavaScript” I guess as a way to throw off anyone looking around.

So in the code there was src="JavaScript" instead of the usual src="somefile.js" which is easier to see.

I was a bit hesitant at first because I was expecting medical information or something. But I figured that if someone else found it they could do much worse than I would, because I wasn’t doing anything except looking.

So I checked the JavaScript file and was even more surprised to find that there was only one login name and password, meaning that everyone that used it used the same account.

So I logged in and found that it was just a repository for all of the official hospital stationery and logos and stuff like that. Images, Word Documents, everything. There was nothing at all stopping me from downloading official letterhead, brochures, logos, or anything else I wanted to be able to create fake hospital documents.

I sent them an e-mail right away to let them know about it. I never heard one word from them; they didn’t even acknowledge that they received my message. However, the very next day when I checked the login page again it was all changed and used some sort of PHP login system.

So it makes no sense to jump on the messenger in these cases, it just makes people less likely to report these kinds of issues to you, which could potentially cause way more trouble down the road. Just fix the problem and move on, no need to let the issue linger on.

Mark (profile) says:

Re:

Well in this case the JavaScript file was on your computer so you had every right to check it, but as for logging in using the username and password, you were skating on thin ice there and were lucky the company recognized your good intention (or perhaps didn’t know you had actually logged in). They could have prosecuted you under the current laws in most countries.

The thing is, you didn’t need to log in and access those private files to get the problem fixed, you could have just pointed out to the company their insecure use of JavaScript and explained why anyone could have easily logged in. No illegal, unauthorized access was necessary to prove this point or get the problem corrected.

Oksanna says:

Australia's Superannuation Funds

…the Aussie Funds have an attitude…their customers’ money is their money. That is why they often charge teenage super’ contributors life insurance charges which quickly whittle away the young folks’ part-time job super’ savings. It is a national scandal just waiting in the wings. Bosses often get the young workers’ names wrong while enrolling their employees in compulsory super’…too bad, when the person wants to change their fund, the fund says prove you are so-and-so person…and keeps the funds forever. This is the latest episode in the sorry saga of Australia’s unregulated compulsory superannuation story…their management of other people’s money is again in the spotlight, thanks to their own arrogance this time…IT Security expert Webster told them on the quiet, but they just had to shoot the messenger, didn’t they?

That Anonymous Coward (profile) says:

In a country where they are trying to pass a law to say things that would upset the minister in charge of video games this makes perfect sense.

http://boingboing.net/2011/10/18/proposed-australian-law-makes-it-an-offense-to-insult-gaming-minister-michael-obrien.html

One wonders how far removed from reality the “leaders” are.

Chris in Utah (profile) says:

For the full Manifesto click the link

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all… after all, we’re all alike http://www.mithral.com/~beberg/manifesto.html

Chris in Utah (profile) says:

If the other one gets out of review for posting the link to the full manifesto, pardon the double post.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all… after all, we’re all alike. (Link follows here, but hey, I thought it may not get out of review.) Just fodder for the anti-Mikes for “allowing” me to post it. LMFAO.

stk33 (profile) says:

I guess, the right way would be to inform Pillar that he has found a security hole in their system, without giving any details, and offer them a $10K contract for consulting services, which would include the clause of his being untouchable for whatever information he has obtained in the course of that consulting.

Corporations in general and banks in particular are natural opponents, if not enemies, of the people; assuming that they will behave according to human values is simply plain wrong. Helping them on a voluntary basis is as silly and dangerous as helping the police – in both cases, while the positive outcome is quite unlikely, your putting yourself in danger is guaranteed.

Twirrim says:

Think about it from a non-technical person’s standpoint. You don’t understand the exploit, but the technical people you employ are BSing, telling you it’s the actions of someone external hacking your system and that someone happens to have an account with you.

Everything seems to me to be a fairly natural outcome from that, all because some technical manager is trying to save their arse.
