Unfortunately this happens more than you might think and other Australian companies seem to have a similar approach to dealing with security findings. Many years ago I found a huge hole in a large company's Australian website that allowed me to download their entire database of customer records including addresses and plain text passwords, by a similar method of just changing url parameters. This was millions of consumer records from a -big- international brand.
Instead of warning the public that their records may have been compromised, they focused on me. I was immediately slapped with legal threats via phone, email and mail. They took my original email apart, saying that by modifying the url and downloading the database I had illegally obtained this data, I could be prosecuted under xyz law etc... They ended it by saying that if I ever spoke about it publicly I would be taken to court.
Needless to say I attempted to take my issue directly to several Australian newspapers. I talked to a couple, but none wrote a story. I don't understand why - this was 7 years ago, perhaps they didn't understand the issue. I spoke to a lawyer who told me that there was nothing I could do. They'd given me a way out so I should just take it and try to forget what happened. In the end I convinced myself that perhaps I was in the wrong. No one would listen to me. At the time I was a lot younger and had fewer resources. I would of course not deal with it the same way now. However, I'm not interested in digging up the past - the proof is long gone, but the lesson stays the same.
There should be a government body to whom security breaches like these can be reported. Companies cannot be trusted to police themselves when it comes to private data.
At least this time around SMH have apparently understood the situation and called out First State Super.
Also; NSW Police said it was not taking any further action on this matter. "There was no criminal offence committed and the company in question has been informed of the outcome. It was more a case of a civic-minded person reporting a potential security breach."
I 100% agree that the government should handle these situations, unfortunately the closest thing we have is The Privacy Commission - which is completely toothless.
> I 100% agree that the government should handle these situations
Isn't that like asking the government to intervene when I notice that my next-door neighbor leaves his car unlocked with the keys in the ignition when he comes home from work?
> There should be a government body to whom security breaches like these can be reported. Companies cannot be trusted to police themselves when it comes to private data.
If the government is incompetent enough to prosecute you for making HTTP requests with non-obvious URLs, do you really have much hope for a smart government agency dealing with this?
I'm in Singapore and have been brought up in India, so out of curiosity, how is the scene in the US? (Because I don't know about how things are in practice but from the outside it still looks to me as the land of the free.)
Actually, the BSI (Bundesamt für Sicherheit in der Informationstechnik) may not be high-profile but seems in general reasonably knowledgeable and neutral. But I guess in Germany you'd report such a failure via the CCC or a similar organization.
> There should be a government body to whom security breaches like these can be reported. Companies cannot be trusted to police themselves when it comes to private data.
You could try the DSD CSOC. They're mainly interested in threats to Government agencies but may pass it on.
For the longest time I didn't understand why 'anonymous' and 'lulzsec' and others went around hacking into sites. Now I know why... When you're punished for being good, it feels so good to be bad.
Or, they (lulzsec) think they are doing good and ignore when the police et al. say they are being bad, because those same police and agencies also say this guy in the submitted article is being bad.
A reasonably happy note of sanity is sounded at the end of the article:
'NSW Police said it was not taking any further action on this matter. "There was no criminal offence committed and the company in question has been informed of the outcome. It was more a case of a civic-minded person reporting a potential security breach."'
The comments from the First State officials seem fairly sane as well, but this is completely over the top:
"The next day Webster received a letter from First State's law firm, Minter Ellison, telling him his actions constituted a breach of the Crimes Act and Criminal Code Act...
...The firm said they may go after him for costs related to the matter."
Hopefully someone reins in these vicious lawyers before they screw over one of the good guys.
As to my very basic understanding of Aus law, they can't; they would need to take him to court and prove he broke the law before they can pursue costs, which is very hard since the police have decided not to investigate the matter because they believe he didn't break the law.
It's true. About five years ago my bank upgraded their systems and, no kidding, set everyone's password to their login name as part of the transition. When I called them on it, they stonewalled me and repeatedly claimed that I was being unreasonable, and as far as I know never fixed it, and fearing something like the OP I never pushed it. (I closed my account and switched banks.)
Agreed. There is no such thing as "responsible disclosure". If you discover a security vulnerability, either say nothing and move your business elsewhere or make an anonymous public report. Identifying yourself only makes you a target.
Does anybody ever address the fact that you have to violate the TOS of most sites (even if unintentionally) to do any white hat discovery in the first place?
Edit: though I do believe that reporting systems with bounties like those you linked are exactly the way to compete with the black market for vulnerabilities.
The problem is how can you be sure they will treat you nicely?
I will grant you tarsnap is pretty safe since it is a one man operation and Mozilla and Chromium are both depending on the goodwill of the community, but Facebook is a company which has been pretty aggressive in the way it shits over its users (I can remember about 3 or 4 privacy debacles).
I guess you have to trust that the company wouldn't go to the trouble of setting up a program (and making payouts) if it were going to treat vulnerability reporters poorly. I think treating them poorly is generally a pretty bad long-term plan though, because of the negative light it casts the company in, the lack of future responses it will garner, and the hostility it may bring out (hello, Sony).
Do you feel like Facebook has ever "shit over" legitimate security researchers? I can see if I can help if you have examples.
So release people's private information, just to point out security flaws.
He could have pointed out the security flaw without downloading people's details.
Admittedly the reaction was over the top. But sending hundreds of people's personal data around to 'prove' there is a security problem is a bit irresponsible.
It's not nearly as irresponsible as countless companies straight out ignoring or even denying security breaches while trying to shoot the messenger.
The sad truth is, you can only make these companies move by hurting them. Another sad truth is that the best (and more often than not the only) way to hurt these companies is to hurt their customers.
I learned early on in my career not to mess around with account information, especially at a bank.
My first job out of university was in corporate IT for a big bank around the time that l0phtcrack came out. I used it to crack hundreds of user passwords, and then showed my boss the vulnerability.
He promptly told the director, the director sent out an email saying that people's NT passwords had been breached, and I got in a little bit of trouble for cracking people's passwords without authorization, even though people were using passwords like "password", "apple", etc.
I realize it's dumb to blame me (or the guy in the original story), but I've come to learn that when you're dealing with big corporations like banks, they are eager to cover their own asses and to throw the blame wherever they can. So it's best to never mess with them.
The fact that the guy actually downloaded customer information is what opened him up to potential problems; that's the one step I probably would have avoided.
Of course, this ridiculous behavior by the banks will only make it more likely that any security breaches won't be reported, which means if you're a customer, you should change banks immediately to a bank that actually cares about the security of your information.
You're lucky you're not Randal Schwartz[1], who performed an unauthorised security audit on some Intel boxes, and ended up being convicted and spent something like 10 years (and a hell of a lot of money) getting the ruling overturned.[2]
About 10 years ago my SO at the time was logging into an 'industry specific credit union' banking website for the first time. She called out to me to ask me about the error she was seeing on screen so I wandered over and couldn't believe my eyes...
Part of the login credentials was the requirement for her surname which just happened to be of the Irish persuasion and the apostrophe caused the SQL query to break.
I was dumbfounded but even then, at the back of my head all I thought was "I know I should report this, but no doubt they'll swing it against me". Needless to say, I said nothing, other than telling my girlfriend to a) try it without the apostrophe; and b) not to ever put any money in the account.
Actually I think the responses are right and I misspoke, it was pretty dumb of me. However, I did know at the time I was lucky not to get fired. I did think they were overreacting though, but in my defense, I was a dumb kid, and it was 1996 so security concerns weren't nearly as huge as they are now. The Internet was growing and popular, but 10% of what it was today, so things like security weren't really thought of except for Bugtraq which I was subscribed to, which gave me the inspiration to run l0phtcrack.
He said Webster's actions were more serious because he did not just access his own or a mate's account, but hundreds of other customer accounts, to prove the security flaw was real.
"While we were appreciative of him showing us a weakness in our security systems the size of the downloads concerned us greatly and the fact that it was a major breach of the privacy provisions of our members," Dwyer said in a phone interview.
The guy didn't just find and report on a vulnerability. He also scraped a whole heap of private customer details ('to prove the problem was real'). If his intentions were pure, he shouldn't have downloaded & saved the private information of hundreds of customers. First State Super overreacted, but I can understand why they're nervous that he might keep the data.
Seriously? I'd say checking that the vulnerability works on "hundreds of customers" out of 770,000 is a reasonable thing to do to see if it's really there and to get a bit of proof. I could easily imagine quickly banging out some shell one-liner with seq+wget to see if it wasn't a fluke.
First State Super shouldn't have worried about this guy. If he were evil, he wouldn't have told them. If some problem later developed with those few hundred people, they'd know who to nab. This is just scapegoating, presumably driven by IT people trying to distract execs from their total incompetence.
A good deed never goes unpunished. I don't know if I would ever report a security problem like this for fear of needing to deal with this kind of headache (at least with a non-Google-type company).
Anybody have any idea whether my feelings are being unduly influenced by familiarity with these kinds of stories? I doubt there is any real data to make a decision with, but I like to try to stay at least a little rational.
Not really strange. I generally don't report security vulnerabilities either when I find them. Sure, if it's a simple process to file an issue, or I know a knowledgeable person in charge of the system, I'll do it.
But otherwise I simply don't feel like explaining it. I don't feel I have the moral obligation to jump through hoops to get through all the customer bla-bla to someone who understands, and face legal issues, just because I bump on some 'bug'. Someone else will find it eventually. Choose your battles carefully and such...
Quite frankly, I'm disappointed that companies in Australia can wave the police wand whenever there's an IT security issue. I want Aussie police to step up their game and charge the companies with making false police reports. Especially with demands to seize equipment of individuals as a form of extortion with malicious intent to silence them.
"But then three and a half weeks later the police just knocked on the door and said we're here to speak to you about downloading files about First State Super," said Webster, adding police discussed the matter with him and told him to stay away from First State's website.
The implication there is that a website is property so strongly as to use the police to compel whether someone might choose to point their web browser at it.
That could be advice from the police. As in "We're looking into it, you say you are innocent, but if we find out you are hacking around that website again, then we might not be so sure"
So First State try and get revenge on and blame the poor guy who reports the problem. I can't understand how this is a cheaper or a better solution for them than fixing the hole. It would be interesting to know if there was a thought process behind this, because it reads like there wasn't.
"To demonstrate the flaw to First State's IT staff, he wrote a script that cycled through each ID number and pulled down the relevant report to his computer. He confirmed that the vulnerability affected the firm's full customer database."
Seriously? That sounds a little more than just "Checking the vulnerability exists", that sounds like exploiting it. Tweaking the url is all he needed to do to work out that there was a problem... then he writes a script and downloads all the data?
I'm actually not that shocked by the reaction. Equivalent:
"I noticed your door was unlocked, so I stole all your stuff, and put it in that truck parked just there. Just thought you might like to know". <--- Would you take legal action in that case?
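From the server's side, the script described above (cycling through every ID and pulling down the matching report) is one client requesting many distinct account IDs in a short window. The following detector is an added example, not code from the article or from anyone in this thread; the log format, IP addresses, paths and thresholds are constructed assumptions rather than anything First State Super used.

```python
# Added example: flag clients that request reports for many distinct account_id
# values inside a sliding time window, which is what ID enumeration looks like in
# a web server access log. Log lines, IPs, paths and thresholds are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format style line with a GET whose query string carries account_id.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET [^"?]+\?account_id=(?P<id>\d+)[^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line):
    """Return (ip, timestamp, account_id) for a report request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the timezone offset; all constructed lines share one zone.
    ts = datetime.strptime(m.group("ts").split()[0], TS_FMT)
    return m.group("ip"), ts, int(m.group("id"))


def find_enumerators(lines, max_distinct=5, window=timedelta(minutes=10)):
    """Return {ip: peak_distinct_ids} for clients that exceed max_distinct
    distinct account IDs within any span of length `window`.
    A member viewing their own statement repeatedly never trips this,
    because repeated requests for one ID count as a single distinct value."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, acct = parsed
            per_ip[ip].append((ts, acct))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {acct for _, acct in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


# Constructed sample log: 203.0.113.5 walks IDs 100001..100008 within seconds,
# while 198.51.100.7 views its own account twice and then an unrelated page.
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Mar/2011:09:15:{i:02d} +1100] '
    f'"GET /member/report?account_id={100000 + i} HTTP/1.1" 200 5120'
    for i in range(1, 9)
] + [
    '198.51.100.7 - - [01/Mar/2011:09:20:01 +1100] '
    '"GET /member/report?account_id=100042 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Mar/2011:10:45:33 +1100] '
    '"GET /member/report?account_id=100042 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Mar/2011:10:45:40 +1100] '
    '"GET /member/home HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```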
Even the CEO says he only downloaded info from "hundreds of other customers' accounts", which would be 0.1% of "all the data".
Checking the extent of the vulnerability is a reasonable thing to do before reporting it. This is more "you have left all your doors unlocked" than "I stole all your stuff".
People don't take you seriously when you merely tell them about a problem. They start taking you seriously when you demonstrate the problem. It takes some knowledge and imagination to extrapolate from a reported security problem to the possible consequences. Many people, unfortunately including those in IT helpdesk positions, lack either the knowledge or the imagination.
This guy has done the company a huge favor by actually demonstrating the problem.
"I found your private diary in the hedge near your house, so I had a bit of a rummage around and also found your cheque book, credit card and driver's license. There's probably more stuff as well. Just thought I'd let you know before anyone else finds them"
Or, "I found that you, the bank, left all of your customers' money and social security cards and personal records (including mine) in an unlocked windowed room facing the street where anyone might walk by and steal all of it. You might want to lock it up."
"Prove it."
"Ok, I'll just show you how ridiculously easy it is to open this door . . ."
"Thief!!"
I don't know if personal information, including finances and info on your retirement fund, are like your diary. Perhaps more accurate would be "I found your checkbook with an exhaustive list of all your stocks, private information, bank balances, account numbers, etc. I recorded it all. You probably want it back?"
They aren't some online shopping store. They are a trustee.
Stealing physical goods was a crappy comparison in the GP and you didn't improve it a tiny wee bit.
The company hasn't lost anything, while both examples talk about 'taking away' and 'you want it back?'. This is the standard copy != theft analogy failure.
Note that I do understand that the company (and people affected as customers) wouldn't want him to keep a backup of whatever data he copied. Still, please don't compare it to theft, robbery or whatever.
Oh my gosh man. That's so bad. You simply replace the account ID parameter in the request URL? That's so bad. So so stupid on the bank's part. They should be showering this guy with gifts for pointing out such a stupid mistake to them and they should be going after whoever set up their system like that.
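The missing piece in an "edit the account ID in the URL" bug is an ownership check between the authenticated session and the requested record. The handler below is an added example, not the bank's code or anything from the article: it shows the vulnerable shape beside a hardened one. The data, session structure and status codes are constructed for illustration.

```python
# Added example: a minimal statement-report endpoint written two ways.
# get_report_vulnerable trusts the account_id parameter, so any logged-in member
# can read any other member's report by editing it. get_report_hardened only
# serves accounts bound to the authenticated session. All data is constructed.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed sample store: account_id -> (owner username, report text)
REPORTS = {
    100001: ("alice", "Statement for alice: balance 12,000"),
    100002: ("bob", "Statement for bob: balance 8,500"),
    100003: ("carol", "Statement for carol: balance 31,250"),
}


@dataclass(frozen=True)
class Session:
    username: str                # the authenticated member
    account_ids: FrozenSet[int]  # accounts this member is entitled to view


def parse_account_id(query: dict) -> Optional[int]:
    """Parse the account_id URL parameter; None if missing or malformed."""
    raw = query.get("account_id")
    if raw is None or not raw.isdigit():
        return None
    return int(raw)


def get_report_vulnerable(session: Session, query: dict) -> Tuple[int, Optional[str]]:
    """Vulnerable: only requires that a session exists, then returns whatever
    report the URL names. The session is never consulted for authorization."""
    account_id = parse_account_id(query)
    if account_id is None or account_id not in REPORTS:
        return 404, None
    return 200, REPORTS[account_id][1]


def get_report_hardened(session: Session, query: dict) -> Tuple[int, Optional[str]]:
    """Hardened: the requested account must be one the session is entitled to.
    'Not yours' and 'does not exist' both return 404 so the response does not
    confirm which IDs are valid, which makes guessing IDs less informative."""
    account_id = parse_account_id(query)
    if account_id is None:
        return 400, None
    if account_id not in session.account_ids:
        return 404, None  # authorization failure, reported like a missing record
    entry = REPORTS.get(account_id)
    if entry is None or entry[0] != session.username:
        return 404, None  # entitlement table and record store disagree; fail closed
    return 200, entry[1]


if __name__ == "__main__":
    alice = Session("alice", frozenset({100001}))
    # Same request, different outcome: only the hardened handler refuses.
    print(get_report_vulnerable(alice, {"account_id": "100002"}))
    print(get_report_hardened(alice, {"account_id": "100002"}))
```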
Notwithstanding the right and wrong of this case, if Patrick Webster had done all his investigation anonymously, e.g. through Tor, and expressed his findings to First State Super in a way that does not imply that he actually downloaded anything, I wonder whether it would have put him in a better position.
Even without investigating anonymously, if he had just described the security vulnerability without saying what he actually did, would he be legally vulnerable?
I find it ironic that in helping this company with their IT vulnerability, he possibly took on himself a legal vulnerability.
The exact same thing (except in the USA) is happening to my friend: https://freeweev.info
He's looking at ten years in federal prison for what basically amounts to whistleblowing. They've charged him with identity theft and conspiracy to commit unauthorized access for scraping email addresses (and nothing else) that AT&T had published unauthenticated on the web.
I'll preface this by saying that I like weev, and get a kick out of some of his antics, but...
He's a really unsympathetic defendant. Put him in front of a jury and they'd likely convict him regardless of the evidence. If you're going to be engaging in activities of questionable legality, even if you think you're doing the right thing, it pays to at least put up a respectable front. Just about everything he engages in is something his attorney will have to account for in trial.
"Yes, he founded a grey-hat security firm named after an infamous image of a man exposing his digestive tract, but..."
"Yes, he claimed responsibility for illegally taking Amazon offline, but..."
"Yes, he exploited a vulnerability in AT&T's site to collect 100k+ user emails, but..."
"Yes, he is a member of the Gay Nigger Association of America, but..."
He's a defender's nightmare. If you're going to put yourself at odds with the law, at least give your attorney a fighting chance.
He says the whole thing will be worth it even if he just gets to play Gayniggers From Outer Space in federal court (to illustrate that he is not the leader of a hate group).
The man epitomizes "doin' it for the lulz". I agree 100% with all your points, but I personally feel that it's the unpopular or misunderstood speech that needs the most defending. What he does is not criminal, and should not land men in prison for a decade, trolling or no.
I'm not sure it's "the exact same thing". From published reports, Weev harvested data from 114,000 accounts and shared it with reporters. Another member of his hacking group says that the bug was shared with others before AT&T closed the hole, resulting in other accounts likely being compromised. [1]
He also previously claimed to be part of a hacking organization that brings in $10m annually, able to 'wreak havoc from anywhere". And he last encountered the feds while supposedly "in the midst of an LSD-and-methamphetamine bender". [2]
Another member of the group told the reporter the bug was shared, so either way it sounds like the group is unreliable.
The other items are indeed unrelated to the charge, but they a) prove false your claim that the cases are identical, and b) are related to the decision to charge. A lot of people evade taxes, but they actually bothered to charge Al Capone.
After reporting how easily the Manhattan Project military safes could be opened, the higher ups sent round an urgent memo addressing the issue. It said "Don't leave Feynman alone in your offices".
Unbelievable. Am not aware of US law, but I hope he can sue First State back for the mental harassment they caused him. This isn't plain ungratefulness - it is dangerous. It can dissuade well meaning, civic minded members of the public from helping a company, which by the way is great for the bad guys.
The other lesson is that incompetence of this magnitude on one issue is always a symptom of incompetence generally.
I have seen this over and over again with multiple companies. It's not like everything else is first-rate and somehow just one glaring thing slipped by them. That's what we'd like to believe.
Instead, there is a systemic problem with horrible decision-making that will infect every level of operations, until the organization finally collapses into a black hole of infinite stupidity.
Well, that may be a little extreme. Some of them putter along as White Dwarfs.