Child-Monitoring Company Responds To Notification Of Security Breach By Publicly Disparaging Researcher Who Reported It

from the got-a-full-clip-of-'thank-yous'-with-your-name-on-it dept

Thu, Feb 25th 2016 7:15am — Tim Cushing

"Thanks for letting us know about this! We'll get it fixed immediately!" said almost no company ever.

There's a long, but definitely not proud, tradition of companies shooting the messenger when informed of security flaws or possible breaches. The tradition continues.

uKnowKids is monitoring software parents can install on their children's cell phones that allows them to track their child's location, as well as social media activity, text messages and created media. As such, it collects quite a bit of info.

The information on your child collected includes:

the online profile/screen names, mobile telephone numbers and email addresses associated with the Linked Accounts and the people communicating with the Linked Accounts and devices and in certain situations, the text of the online or mobile phone SMS or MMS conversations themselves;
the geographic location and time and date associated with a specific geographic location of your Linked Account mobile device;
your Linked Accounts’ social networking activity and contacts;
photographs sent, received or uploaded by your Linked Account;
the websites visited from your Linked Account mobile device; and
the applications installed on your Linked Account mobile device.

That's a lot of data, all related to children. This should be kept locked up tight. Unfortunately, it wasn't.

Chris Vickery, who now blogs about security over on MacKeeper, alerted this site that a misconfigured MongoDB installation exposed over 6.8 million private child text messages, 1.8 million images (many depicting children, according to Chris), and over 1700 in-depth child profiles.

The data reportedly included full names, email addresses, GPS coordinates, dates of birth, and much more, although Chris tells DataBreaches.net that he did not see payment info or parent details exposed.

Vickery did the right thing and notified uKnowKids. The security hole was closed. But the company wasn't interested in thanking Vickery for his efforts. Instead, as the Office of Inadequate Security notes, the company decided to notify its customers in a rather unusual fashion. A post at the company's site completely misconstrues the chain of events.

Here's the BS headline.

And here's the BS text:

It is with significant personal regret that I share with you the news that uKnow had a private database repeatedly breached by a hacker using two different IP addresses on February 16, 2016 and February 17, 2016.

The hacker claims to be a ~~"white-hat" hacker~~ a "security researcher" or "white hat hacker" or "ethical hacker" which means he tries to obtain unauthorized access into private systems for the benefit of the "public good". Although we do not approve of his methods because it unnecessarily puts customer data and intellectual property at risk, we appreciate his proactive, quick notification as it was helpful to our team.

The passive aggression continues later in the post.

The first IP address that obtained unauthorized access to uKnow's private database was 65.36.124.81. We believe this IP address is associated with Mr. Christopher Vickery in Austin, Texas, but we don't have confirmation of that fact yet.

Mr. Vickery claims to work at a prominent law firm by day and exploit vulnerable technology systems at night. We do not have any additional background information on Mr. Vickery, but we are doing our best to fully identify Mr. Vickery in order to validate his stated "benign" intentions.

The second IP address (209.144.254.123) that accesed uKnow's private database in an unauthorized manner is reportedly associated with Mr. Vickery's full-time employer in Austin, Texas. Again, we don't yet have confirmation on who owns this IP address or the IP address owner's official connection with Mr. Vickery, but this is the early information we have been able to determine so far.

The post goes on to insinuate that Vickery has some sort of malignant interest in holding onto uKnow's code.

The database also included uKnow's proprietary natural language processing engine technology and data including our proprietary algorithms that power uKnow's technology.

We have repeatedly requested that Mr. Vickery permanently delete any and all copies of uKnow's intellectual property including iits proprietary customer data, business data, database schemas and field names, trade secrets, curated data dictionaries and algorithms.

After initial resistance, Mr. Vickery claims to have deleted the downloaded database in its entirety. However, he has reportedly retained an uknown number of screenshot copies of uKnow's intellectual property, and is so far unwilling to permanently delete this information. In an effort to protect our customers and stakeholders, we contine to request the destruction of any and all copies of uKnow's database including screenshots which are, in fact, copies of uKnow's database.

It also suggests Vickery's possession of screenshots might somehow violate COPPA (a law ensuring the privacy of data generated by children) and has apparently reported him to the FTC.

We have contacted the Federal Trade Commission for guidance and to report the breach. uKnow goes to great effort and expense to fully comply with the FTC's COPPA regulations, and we beleive we are in full compliance at this time.

uKnow's demand for Mr. Vickery to delete ALL copies of uKnow's database was obviously driven by our desire to protect our uKnowKids customers, but also to fully comply with COPPA requirements that we do not knowingly allow any third parties access to child data without first having affirmative, verifiable permission from parents. Mr. Vickery obviously did not and does not have authorization to explore, copy, or control this private child data (or uKnow's intellectual property), and we expect him to comply with our requests immediately.

Nowhere in this long statement questioning Vickery's intent is there an apology for the breach. There are no unqualified statements of gratitude. Vickery's history of finding misconfigured databases is well-documented, as is his standard operating procedure of notifying affected companies immediately and destroying any data he obtained while investigating these leaky databases.

Instead of simply fixing the hole and informing affected customers, uKnow decided to publicly disparage the person who alerted it of the issue. It's responses like these -- along with continual abuse of computer security laws -- that make security researchers leery of informing affected parties. Informing someone of a security hole shouldn't be greeted with antagonism and legal threats. But that's the default operating mode, one that only ensures security holes discovered in the future are less likely to be reported.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: chris vickery, disclosure, ethical hacking, security research, shoot the messenger, vulnerability, white hat hacking
Companies: uknowkids

37 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

That One Guy (profile), 25 Feb 2016 @ 6:00am

When will they learn...
Vickery's history of finding misconfigured databases is well-documented, as is his standard operating procedure of notifying affected companies immediately and destroying any data he obtained while investigating these leaky databases.

Given reactions like this are not overly rare(though I must admit this company went above and beyond in shooting the messenger in the CYoA attempt), notifying a company of a security flaw is just asking for trouble. Make the flaw public, do so anonymously, and let the company deal with the fallout.
[ link to this | view in chronology ]
- Ninja (profile), 25 Feb 2016 @ 9:12am
  
  Re: When will they learn...
  It is unfortunate that we are in a world where this is the best course of action. But maybe if those white hat people started actually releasing stuff in the wild and real damages start happening because of the companies incompetence and obnoxiousness then in the future things may be different.
  [ link to this | view in chronology ]
  - tqk (profile), 25 Feb 2016 @ 10:51am
    
    Re: Re: When will they learn...
    But maybe if those white hat people started actually releasing stuff in the wild and real damages start happening ...
    
    Those damages would hit first those on the front line; researchers who find this stuff.
    
    It used to be when you found a small child wiping its eyes calling for its mother, you'd take it under your wing and help it find her. This encourages you to run away instead, lest you be accused of molesting a child.
    
    Stupid century.
    [ link to this | view in chronology ]
- Josh in CharlotteNC (profile), 25 Feb 2016 @ 9:24am
  
  Re: When will they learn...
  Even disclosing a vulnerability anonymously poses issues. If you stumble across a vulnerability in a service you use in the normal coarse of using it, there could be a trail leading back to you. When a company gets that anonymous tip and starts going back through their logs, you could be implicating yourself.
  [ link to this | view in chronology ]
  - That One Guy (profile), 25 Feb 2016 @ 9:41am
    
    Re: Re: When will they learn...
    The way I see it someone who stumbled upon a vulnerability has three options(assuming white-hat anyway, black hats have several more).
    
    1. Ignore it. If the vulnerability is serious enough, and you use the service, distance yourself from it as quickly as possible.
    
    2. Inform the company privately. While the 'polite' option, this also carries the chance that the company will react in a fashion similar to that displayed in this example, and prioritize shooting the messenger and CYoA over fixing the problem.
    
    3. Inform the public anonymously. The safer option for the one disclosing the vulnerability, this however is much more painful to the company and it's customers, as they're finding out about the vulnerability at the same time as those who might take the opportunity to exploit it, which means they have to scramble like mad to find a fix.
    
    If so many companies didn't have a penchant for shooting the messenger, then #2 would be the clear 'best' option for everyone involved, but as it stands #3 and #1 are much safer for those that stumble upon problems, with #3 being painful for the company in the short term, while #1 has the potential to be even worse long-term when the vulnerability is found by someone more interested in making use of it for their own gain.
    
    While it's possible that someone that goes with #3 could still be found out the odds are drastically less than #2, and at least it ensures that something will be done with regards to the vulnerability.
    [ link to this | view in chronology ]
    - Uriel-238 (profile), 25 Feb 2016 @ 12:11pm
      
      #4 trade it to the hacker sites.
      Facilitate the data-falling-into-the-wrong-hands scenario so that it becomes common and routine. Once the end users get skeptical of online services that don't advertise up front their security measures, they'll start having security measures to advertise.
      [ link to this | view in chronology ]
      - beltorak (profile), 25 Feb 2016 @ 3:18pm
        
        Re: #4 trade it to the hacker sites.
        #5 Call a lawyer.
        
        Let them be the intermediary between you and an the unknown vulnerable provider.
        [ link to this | view in chronology ]
kallethen, 25 Feb 2016 @ 7:34am

When I eventually will allow my son to have a cell phone, I won't be relying on software like this. I certainly don't feel safe with sharing all that information with a third party.

I'll take the same approach I do with his laptop: Set some ground rules about social media, check in on him every now and then, explain why those are the rules, and check in on what he's doing regularly.

It's amazing what some trust and communication can do. Of course, I'll readily say I'm very lucky he's pretty responsible.
[ link to this | view in chronology ]
- Anonymous Coward, 25 Feb 2016 @ 7:36am
  
  Re:
  I'll take the same approach I do with his laptop: Set some ground rules about social media, explain why those are the rules, and check in on what he's doing regularly.
  That's how that sentence should have read... love it when I rethink a thought and fail to correct the whole sentence.
  [ link to this | view in chronology ]
  - Anonymous Coward, 25 Feb 2016 @ 8:03am
    
    Re: Re:
    My dad had the rule of giving me total privacy on my computer, but with the allowance that he was randomly going to pop in and say "Hands up and off the keyboard and mouse" and check what I currently had active.
    
    Granted this wouldn't work well with a troubled kid, as I was particularly vanilla about my rebelliousness, but it does get the best of both worlds in my opinion.
    [ link to this | view in chronology ]
    - PRMan, 25 Feb 2016 @ 9:44am
      
      Re: Re: Re:
      I have the same deal with my kids.
      
      I've only used it once or twice, just to keep them honest.
      
      But they are good kids and I really haven't needed to spy on them.
      [ link to this | view in chronology ]
- John85851 (profile), 29 Feb 2016 @ 1:18pm
  
  Re:
  Wait, are you saying you'll try to be a good parent by setting rules and checking up on your child to make sure he's following the rules?
  That's preposterous- this is 2016! Everyone knows parenting should be outsourced to government agencies and private monitoring companies.
  [ link to this | view in chronology ]
Pixelation, 25 Feb 2016 @ 7:39am

Uknow, they will act like children when caught.
[ link to this | view in chronology ]
Anonymous Coward, 25 Feb 2016 @ 7:48am

Well...
You would be pissed if someone else pulled your pants down too!

But I think the public deserved to know, because when someone pulled these guys pants down... we found children!

I think a "for the children" response should be warranted here and start pulling the pants down on several other organizations saying we keep shit secure!
[ link to this | view in chronology ]
- Anonymous Coward, 25 Feb 2016 @ 8:17am
  
  Re: Well...
  You would be pissed if someone else pulled your pants down too!
  
  More like someone pointed out that the Kings clothes were illusionary, and they are too embarrassed to admit they were conned, and so claim the messenger stole them.
  [ link to this | view in chronology ]
  - tqk (profile), 25 Feb 2016 @ 10:58am
    
    Re: Re: Well...
    You forgot to mention we all now know how small their weewees are.
    [ link to this | view in chronology ]
Anonymous Coward, 25 Feb 2016 @ 8:13am

One oddity noticed
No mention of any efforts to review access logs to identify any other outside access prior to notification?
Red flag there.
[ link to this | view in chronology ]
- Anonymous Coward, 25 Feb 2016 @ 8:23am
  
  Re: One oddity noticed
  It's called managing the message/damage control, while folks here at techdirt are usually able to see that, most other folks are not.
  
  A lot of organizations pay good money to people able to misdirect anger so that the real dirt bags do not get the focus. This company is going to do its best to spin this like they are an honest company that did their best until some scumbag came along, broke in, and then stole shit like a common criminal. Please feel sorry for us and will will now expend effort in trying to keep these meanies away from your precious kids...
  [ link to this | view in chronology ]
  - Anonymous Anonymous Coward, 25 Feb 2016 @ 8:51am
    
    Re: Re: One oddity noticed
    I get that the idea of perfection is just that, an idea, but wouldn't the company be doing their best if the hacker (white hat, black hat, ethical, or criminal) couldn't get in?
    
    Just short of that, how about noticing that someone was playing in their playpen? It doesn't appear that they did notice, until told.
    [ link to this | view in chronology ]
Peter (profile), 25 Feb 2016 @ 8:47am

>>We have repeatedly requested that Mr. Vickery permanently delete any and all copies of [...].

Or, in other words, we have made sure that IF the appropriate authorities finally pull the finger out of their ass and start investigating who else may have downloaded private data, they will find no evidence at all.

Obstruction of justice or compliance with COPPA?
[ link to this | view in chronology ]
Anonymous Coward, 25 Feb 2016 @ 8:57am

'There's a long, but definitely not proud, tradition of companies shooting the messenger when informed of security flaws or possible breaches'

i believe we have to hold our hands up, here in the USA, dont we? let's face it, it's on par with the attitude that no one should ever have the audacity to think there is anything wrong with anything in the USA and to actually prove it when there is, is committing the cardinal sin! the fact that those who are affected by the failing of something are supposed to say nothing and do nothing other than be proud that they were among those when as much as could be gleaned from the companies concerned, was gleaned! that doesn't normally affect anyone at the company because they manage to keep their information separate from customers, but when it becomes known that was something that could have been done to have prevented the problem, that's when the company starts throwing hand grenades at those who found the breakdown in the first place and told the company!!
[ link to this | view in chronology ]
Cjones, 25 Feb 2016 @ 9:07am

Proposal, YWS
I propose, as a new standard with its own acronym, "you were stupid" or YWS. YWS applies, and may be given as an answer that concludes the discussion, in the following circumstances: *

1. A person voluntarily gives information over which he has control to a corporation or government organization.
2. That information is not public, that is, he wouldn't publish it in a newspaper or on a blog.
3. That information is leaked, sold, or otherwise transferred.
4. The person who originally gave the information complains.

The proper and reasonable answer, after these twenty years of global network access, is simply YWS. Note that stupid, in this context, indicates both an intellectual and moral failing.
As for shooting the messenger, does anyone honestly expect anything else?

*Note that YWS applies also to other circumstances. One that hops to mind is purchasing DRM protected content which needs to be authorized over the network and then having either network access or the authorizer fail/refuse to authorize.
[ link to this | view in chronology ]
Anonymous Blowhard, 25 Feb 2016 @ 9:11am

A different approach
In the past if I discovered a vulnerability I would have reported it directly to the company like this guy did. It's obvious that companies hate this approach so instead I will post the info anonymously on 4 chan or reddit and other public forums. I hope it meets their approval.
[ link to this | view in chronology ]
Nick, 25 Feb 2016 @ 9:11am

Nice people
I like the way they include the IP address of his "full-time employer", presumably in the hope of getting him fitted.
Classy company; I'd trust them. With nothing at all.
[ link to this | view in chronology ]
- tqk (profile), 25 Feb 2016 @ 11:10am
  
  Re: Nice people
  like the way they include the IP address of his "full-time employer", presumably in the hope of getting him fitted.
  
  I thought you were just using British instead of English.
  
  Head of law firm: "What do you do in your spare time?"
  
  You: "I break into child monitoring software databases."
  
  Aaron Swartz was only freeing scientific papers.
  [ link to this | view in chronology ]
Nick, 25 Feb 2016 @ 9:14am

Fired not fitted. I'm not to be trusted either.
[ link to this | view in chronology ]
Pronounce (profile), 25 Feb 2016 @ 9:29am

Moral Fortitutude
Some of these people are made of sterner stuff than others, 'cause it isn't hard to justify making big bucks selling flaws to a market willing to pay for this information.
[ link to this | view in chronology ]
Anonymous Coward, 25 Feb 2016 @ 9:34am

With a giant hole like that, My question is how many people accessed it before Vickery? If a company attacked me after informing them of an major problem in their security, I would counter with the fact that others may have had access to it without informing the company. You could pretty much paint a horror story and people would have to assume it was true without any access logs to prove otherwise. It was only after the company was notified of their error that it was fixed but all that data was exposed. "The Bad Guys" still could have the data up until the flaw was repaired and could easily track the habits of the children.
[ link to this | view in chronology ]
Anonymous Coward, 25 Feb 2016 @ 9:51am

When will these MORONS ever learn? Never EVER tell a company that they have a breach in their software or their security. Every time someone has informed a company of a serious security hole or glitch, almost always, that company has turned the tables and accused the person of hacking their systems.

If these morons "white hat" security researchers were smart, they would just post the information online and let these companies run around like chickens with their heads cut off and play damage control.

If I discovered a security hole, I would never inform the company of it. I would post it online, everywhere I could, and sit back and watch the company fall over themselves with the reality that they couldn't blame me after I informed them of it.

How many times are these idiot security researchers going to learn that companies do not want you informing them of glitches in their software or their devices. They fix the holes and then blame you for "hacking" into their systems.
[ link to this | view in chronology ]
connermac725 (profile), 25 Feb 2016 @ 9:55am

None of My kids will ever use their crap now
why well their name says it best UKNOW
[ link to this | view in chronology ]
Groaker (profile), 25 Feb 2016 @ 10:23am

Trust?
Why would anyone trust a third party (someone other than an MD or defense attorney) with proof of the faux pas that their children make in the early phase of their life. This data can be used to blackmail them for their entire lives.
[ link to this | view in chronology ]
- Anonymous Coward, 25 Feb 2016 @ 12:58pm
  
  Re: Trust?
  Evidently some parents trust a third party company more than their children. Sad.
  [ link to this | view in chronology ]
Rich Kulawiec, 25 Feb 2016 @ 11:14am

This is why "responsible disclosure" is a fairy tale
There's really no such thing, because companies continue to (a) lie (b) deny (c) disparage (d) ignore (e) threaten (f) litigate (g) censor (h) prosecute.

Given this environment, the best course of action is to anonymously disclose security bug/breach information with no advance warning. That at least avoids (c), (e), (f), (g), and (h).

Oh, and avoid this company like the plague, because if they've made one mistake this enormous, they've probably made more. And the next person who finds one of them is extremely unlikely to be so kind and generous.
[ link to this | view in chronology ]
tommygilley (profile), 25 Feb 2016 @ 2:21pm

Unauthorized Access?
If a person finds a poorly configured system and uses their neglect to access a database felt secure, how can they claim unauthorized access? They were responsible for te choice of software and configuration. The responsibility lies solely with the owner of the database. He used the configuration the organization set up to access the data. Had he used an independent program to access the database through external software tools, that's hacking as hell.
[ link to this | view in chronology ]
Anonymous Coward, 25 Feb 2016 @ 3:02pm

Shoot the messenger!
[ link to this | view in chronology ]
That Anonymous Coward (profile), 25 Feb 2016 @ 4:26pm

"private database"
a "private database" that we configured that ANYONE who looked online could access all of the details from.

Look over there at the very bad man who told us that we fucked up & violated all of our customers trust. Do not question how we might be using this data to make more money, burn the bad man who exposed we are incapable of protecting our most important data...

They can't protect a database, and you pay them to protect your kids... perhaps you should focus on that.
[ link to this | view in chronology ]
Christenson, 25 Feb 2016 @ 8:33pm

Defamation suit time
This may not be the researcher's cup of tea, but a defamation suit seems in order against UKnow.

No vagueness needed here at all...just all those specific, FALSE insinuations not based on what is known publicly about the researcher.
[ link to this | view in chronology ]