Wednesday, February 24, 2016

Security Researcher Gets Accused of Being a Hacker

I read some articles yesterday that detailed a dispute between a company and a security researcher.  The company claims that the security researcher hacked into their database.  The security researcher claims to be a white hat hacker, i.e. a person who hacks for good.  I'm attaching links below that describe the dispute.  I do not claim that any sites are secure/insecure, so instead of clicking on links, I suggest that you use your favorite search engine and look for them.

http://www.zdnet.com/article/uknowkids-child-tracker-firm-in-row-with-security-researcher/
http://www.theregister.co.uk/2016/02/24/child_tracker_firm_uknowkids_admits_breach/
https://threatpost.com/uknowkids-goes-on-attack-after-database-of-1700-kids-found-insecure/116427/

I've seen blog postings in support of the security researcher.  I don't personally know the security researcher.  I don't know if he was specifically hired to do a pen test; I don't think so, considering the organization's response to him tampering with their database.  I don't know if the organization's allegations of him refusing to delete documents are true.  My opinions are based on the information that I have at hand, which isn't a lot.

I think that both parties are at fault.

The organization is at fault because they disclosed the name of the individual before having any real proof that he tampered with their database.  They used IP addresses to "prove" who he is.  IP addresses can be spoofed.  I understand needing to warn your customers of the breach, but there is a proper way to handle it.  I don't know law, but I think that this may potentially open them up to a libel case depending on the laws of their government, state, and local government.  The security researcher could potentially lose his job and prove the damage that they caused him if he is innocent.

The security researcher was at fault because he could've only gone so far as to prove a vulnerability.  He did not need to copy parts of their database.  I don't know much about law, but I do remember reading SANS articles stating that laws could apply in the case of retrieving information from companies that you pen-test, laws like HIPAA.  HIPAA law probably doesn't apply in this case, but it makes me wonder what laws could apply in this case as far as protecting information.  The security researcher, in the act of retrieving this information, may have made himself responsible for protecting the information depending on the laws of his government, state, or local government.

Depending on his reasoning for hacking into the database, he may have also put his job at risk.  The second IP is presumably the IP address of his employer.  He's potentially causing them legal issues because company resources were used in his discovery of the organization's vulnerability.

In my opinion, the security researcher isn't a white hat hacker as he claims.  He's a grey hat.  The one thing that is important in this case is permission, and from what I understand, he didn't have permission.  He will be lucky if a civil or criminal case doesn't come out of this.  He did break laws.

I understand that security researchers have it difficult.  Many of them want to help people, and they risk getting in trouble for it.  I appreciate their desire to make people more safe by disclosing vulnerabilities to companies, but there is a correct way to do it.
