US's 'Cyberwar' Strategy: Making The Public Less Secure In The Name Of 'Security'

from the adding-up-wrongs-to-make-a-right dept

The US government seems to be responding to "cyber Pearl Harbor" by heading out on bombing runs of its own. All the concern for the safety of the American public displayed in Congress during the CISPA push seems to have been nothing more than the empty words we expect from our representatives. Americans and American companies are now being caught in the crossfire -- some of it "friendly."

The US government is waging electronic warfare on a vast scale — so large that it's causing a seismic shift in the unregulated grey markets where hackers and criminals buy and sell security exploits, Reuters reports.

Former White House cybersecurity advisors Howard Schmidt and Richard Clarke say this move to "offensive" cybersecurity has left US companies and average citizens vulnerable, because it relies on the government collecting and exploiting critical vulnerabilities that have not been revealed to software vendors or the public.

"If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users," Clarke told Reuters. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't."

I'm not sure how increasing user vulnerability helps win a cyberwar, but no doubt any home team casualties will be written off as sacrifices for the greater good. Even more troubling than the government's willingness to sacrifice security for security (??) is the fact that it's unwilling to share this information. What good are those provisions in CISPA and President Obama's recent cybersecurity executive order about the government sharing cybersecurity info with companies, if the government hoards the information for their own hacking purposes? More details from the Reuters report.

Top U.S. officials told Congress this year that poor Internet security has surpassed terrorism to become the single greatest threat to the country and that better information-sharing on risks is crucial. Yet neither of the two major U.S. initiatives under way - sweeping cybersecurity legislation being weighed by Congress and President Barack Obama's February executive order on the subject - asks defense and intelligence agencies to spread what they know about vulnerabilities to help the private sector defend itself.

When a U.S. agency knows about a vulnerability and does not warn the public, there can be unintended consequences. If malign forces purchase information about or independently discover the same hole, they can use it to cause damage or to launch spying or fraud campaigns before a company like Microsoft has time to develop a patch. Moreover, when the U.S. launches a program containing an exploit, it can be detected and quickly duplicated for use against U.S. interests before any public warning or patch.

Is it any surprise the public distrusts the government? It claims to be fighting a cyberwar in order to make us more secure and yet, when it goes on the attack, it values its own secretive efforts over the security of the public.

As the government purchases more of these exploits to help fight its cyberwar, the lines on the battlefield are continuously redrawn and obscured. Buying exploits from independent hackers leaves them free to sell to other high bidding countries when not using the exploits themselves. This arms race also creates a perverse set of incentives. As the demand for new exploits increases, security companies and contractors that used to release information to those affected are now keeping their discoveries to themselves to preserve "market value."

The Reuters report also notes that this new breed of security contractor is offering up, among other things, keys to criminal botnets. Endgame, a heavily funded tech startup with close ties to the intelligence community, is more than willing to hand over control of thousands of zombie computers for the right price.

Some of Endgame's activities came to light in purloined emails published by hackers acting under the banner Anonymous. In what appear to be marketing slides, the company touted zero-day subscriptions as well as lists of exactly which computers overseas belonged to specific criminal "botnets" - networks of compromised machines that can be mobilized for various purposes, including stealing financial passwords and knocking websites offline with traffic attacks.

The point was not to disinfect the botnet's computers or warn the owners. Instead, Endgame's customers in the intelligence agencies wanted to harvest data from those machines directly or maintain the ability to issue new commands to large segments of the networks, three people close to the company told Reuters.

So, we're engaged in a cyberwar that's going to help us by hurting us, is that it? I understand that no one wants to be outgunned when facing the enemy, but what's being detailed here looks like a whole lot of collateral damage in the pursuit of unattainable goals. The same exploits will be used on both sides of the battle, and with end users and the companies they rely on being cut out of the loop, it will be the civilians who fare the poorest. We'll just be asked to pretend the government's saving us from something even worse.

Filed Under: cybersecurity, cyberwar, hacks, security, us government, zero day

If Everything Is A Threat, Then Nothing Is

from the government-created-'ad-blindness' dept

The government's neverending quest to make America "safer" has turned on itself, making Americans less safe. This isn't solely an issue with the government's obsession with "security," although that is a large part of it. It's the constant onslaught of warning messages, applied to nearly every product sold by retailers and any area frequented by the public. Most of the warnings are of the CYA variety. These are used to deflect future legal complications and satisfy the endless requests of regulators.

David Henderson, writing for Econlog, suggests that years of government-mandated warnings are resulting in a sort of "warning blindness" in Americans. He begins by discussing California's infamous Proposition 65, a law that requires warning labels to be affixed to any product that might possibly contain chemicals the state has determined "cause cancer, birth defects or other reproductive harm." Like any bit of overweening governmental concern, it has its heart in the right place. In practice, it's a nightmare.

Nearly every product sold in California contains this warning label. And it's not just products. A majority of businesses in California feature signage containing this warning. (One example: a parking garage may have to post the warning sign because of the exhaust cars produce.) This has led to Californians ignoring the label completely, even if the product in question actually contains harmful substances. Why? Because the warning label is omnipresent. If something's everywhere, on everything, it's obviously meaningless. (The old adage: if everyone's special then no one's special applies here.)

Californians have learned to ignore Proposition 65 labels because they are white noise: they don't communicate anything about degrees of danger or probabilities.

The problem here is created by the government itself. By declaring a majority of places and products "dangerous," it has lessened the effectiveness of the labels. This sort of self-defeating behavior goes much further than product labeling. It also carries over into other areas controlled by the government, undermining various agencies' non-stop efforts to portray this country as being in imminent danger at all times.

When I went through the San Jose airport Saturday morning in a long line at TSA, we passengers were subjected to John Pistole's warning, on an infinite loop, of the dangers of terrorism. We've all seen enough to know that it's not that dangerous. So we tend to ignore government warnings.

The government wants to be taken seriously and yet, it can't help but get in its own way. It gets in its own way because it wants to micromanage the lives of Americans. It loves control. It "knows better." On the rare occasion the government has something important to communicate, it can't find many people willing to grant it much credulity.

So when there really is a high-probability threat and the government warns us, we tend to dismiss that too. Government cries wolf way too often.

If the Homeland Security Advisory System moves from "elevated" to "high," is that up or down in terms of severity? Does anyone outside of the DHS know or even care? If we suddenly went to "severe," would it affect the daily lives of Americans outside of more hassles at airport checkpoints? The public doesn't really seem to know what these phrases mean in terms of an actual threat. And most Americans have long since stopped caring about "yellow alerts" or "orange alerts." It's meaningless and it conveys no useful information.

How meaningless? The alert system has never dropped below Yellow ("Heightened" [as compared to what?]) in its existence. (We have always been at war with terror.) In fact, a 2009 Task Force report suggested removing the two lowest tiers and making "Heightened" the baseline. If that's the baseline, then the government has won and the terrorists have won. Americans will remain awash in a sea of government-generated ambiance just loud enough to be noticeable but not annoying enough to grant it their full attention. It's a steady supply of junk "info" that generates resigned complacency, rather than heightened vigilance, and it does little more than make the government feel better about its monotonous efforts.

Filed Under: california, security

DMCA As Censorship: Chilling Effects On Research

from the make-it-stop dept

Professor Ed Felten, back from his brief foray as the FTC's chief technology officer, has written a fantastic piece for Slate detailing how the DMCA is creating massive chilling effects for researchers. This should come as little surprise, seeing as Felten himself was famously threatened by the recording industry for his research (at their request in the form of a "contest") to hack their DRM. In the article, Felten relates -- as he did a few weeks ago at a conference about the DMCA at Santa Clara University -- that students in his own lab had discovered the infamous Sony Rootkit before it was revealed to the public back in 2005. But, rather than do something about it, the chilling effects set in:

We were worried about the part of the DMCA called 17 U.S.C. § 1201(a)(1), which says that “No person shall circumvent a technological measure that effectively controls access to a work protected under [copyright law].” We had to disable the rootkit to detect what it was hiding, and we had to partially disable the software to figure out what it was doing. An angry record company might call either of those steps an act of circumvention, landing us in court. Instead of talking to the public, we talked to our lawyer.

And, because of that, the dangerous rootkit lived on for a bit longer, the public blissfully unaware of the massive security holes they were introducing onto their computers, courtesy of a paranoid RIAA. While it was eventually revealed by another researcher Felten and his students sat on the info for a while (including info on another vulnerability) before eventually releasing the details. That's a clear example of the very real and very dangerous chilling effects of the DMCA. Every time we bring up this concern, maximalists insist that there is no such thing. I'm curious how they explain these examples away.

Felten notes that a bunch of researchers had actually told Congress about this problem back when the bill was first being discussed... and they were mostly ignored:

The research community saw this problem coming and repeatedly asked Congress to amend the bill that would become the DMCA, to create an effective safe harbor for research. There was a letter to Congress from 50 security researchers (including me), another from the heads of major scientific societies, and a third from the leading professional society for computer scientists. But with so much at stake in the act for so many major interests, our voice wasn’t heard. As they say in Washington, we didn’t have a seat at the table.

Congress did give us a research exemption, but it was so narrowly defined as to be all but useless. (So perhaps we did have a seat—at the kids’ table.) I’ll spare you the details, but basically, there is a 116-word section of the Act titled “Permissible Acts of Encryption Research,” and it appears to have been written without consulting any researchers. There may be someone, somewhere, who has benefited from this exemption, but it fails to protect almost all of the relevant research. It didn’t protect Alex and me, because we were investigating spyware that didn’t rely on the mathematical operations involved in encryption.

Congress should fix this, but it seems like there's not much interest in doing so these days, which is unfortunate. While Felten has revealed his situation, we'll never know how many others were similarly stifled, or (worse) how much useful research was never even started because of this kind of risk.

Filed Under: anti-circumvention, chilling effects, dmca, ed felten, research, security

UK Parking Enforcement Contractor Leaves Sensitive Driver Data Exposed; Compounds Embarrassment By Issuing Bogus Legal Threats

from the as-secure-as-an-unlocked,-vellum-paper-door dept

Another day, another self-inflicted privacy breach. This time it's a UK private parking enforcement contractor that's leaving its supposedly-secret stuff right out in the open.

UK Parking Control (UKPC) is accused of revealing photographs of Brits' cars parked with number plates clearly to be read and in some cases the location revealed. In some images it's alleged that other details such as identification cards, shopping or belongings are clearly visible. Campaigners against private parking firms believe these images - allegedly made easily accessible to anyone on the UKPC website - exposed drivers' personal information.

When UKPC tickets a car, its enforcers take photos of the vehicle (and, apparently, inside the vehicle, among other places), which are uploaded to UKPC's site. The ticket itself has a printed URL pointing to the damning photos of the illegally parked vehicle. It's a slick system, but its "security" is easily thwarted by a process AT&T might find strangely familiar.

[O[ne ticket recipient claimed to have found that by tweaking values in this web address, he could access thousands of other digital photographs of other people's vehicles... Some shots show personal items on view inside the vehicles, such as an ID card placed next to a disabled-driver badge.

As you may recall, tweaking URLs allowed "Weev" to access the email addresses of hundreds of iPad users (and landed him in jail). The same lack of basic security is on display here. Changing a few values in the URL results in access to photos you were never meant to see.

A blog called Nutsville, which has been a longtime critic of the UK's private parking enforcement, posted several photos obtained from UKPC's website. Among the expected photos of vehicles (with visible license plates) are other oddities, including shots of the lower extremities of parking enforcement employees relaxing at home, several photos of vehicle interiors and most disturbingly, crystal clear photos of drivers' identification cards.

After the Register reported this story, the UK Information Commissioner's office pledged to investigate the leak. UKPC hasn't publicly responded to the breach, but it did send its lawyers after Nutsville in the form of a bizarre Letter Before Action that mixes and matches criminal and civil actions and seems unable to decide on when exactly Nutsville should respond/comply. Nutsville's response to the letter is well worth reading, punching holes in its paper-thin claims and generally deriding the ineptitude of the correspondence.

The letter claims Nutsville has breached the Computer Misuse Act, claiming these photos were acquired by "using a password, without authorisation, to access their website." Nutsville points out this is completely false. The only thing accessed were various URLs on UKPC's site by manipulating values in the URL themselves. From that point on, UKPC's legal representative goes completely off the rails, threatening to inform the police (a criminal matter) of Nutsville's actions. Mere sentences later, the lawyer threatens "injunctive High Court proceedings," suddenly making it a civil matter. On top of that, UKPC's rep demands Nutsville take down the blog post by 10 AM on April 2nd, only to wrap up the bungled legalese by requesting a reply by no later than April 8th.

As both deadlines have come and gone with no follow-up post from Nutsville (or response from UKPC), it would appear that the parking enforcement contractor has either given up on pursuing these bogus legal claims or is tied up attempting to clean up its own backyard ahead of the pending investigation.

The most disappointing aspect of this story is UKPC's response. Disappointing, but far from unexpected. For many businesses, the most common reaction to being informed of a data breach is to shoot the messenger. Rather than issue an apology and fix the problem, they tend to fire off legal threats about "unauthorized access" or other vague hacking claims as if the end user making the discovery should be treated as a criminal for their own negligence.

Filed Under: hacking, legal threats, parking enforcement, privacy, security, uk, urls
Companies: uk parking control, ukpc

TMZ Accused Of Placing Hidden Mics In Courtroom

from the wait,-did-you-hear-that? dept

Technology and courtrooms have clashed before. Whether it's tweeting from court, judges connecting with lawyers via social media, or juries using the pesky interwebz during a trial, concern over how modern technology can trouble legal proceedings is nothing new. That said, what you will tend to find in examples like the above is, regardless of your thoughts on their impacts, that they usually stem from mostly innocuous intentions by all concerned.

Not so in the case of Alpha Walker, a man accused of attempting to extort ivory-tickler Stevie Wonder. Walker is bringing a lawsuit against TMZ, claiming the tabloid secretly placed hidden microphones in the courtroom at strategic locations to allow them to both hear conversations that would otherwise be inaudible as well as stream those recordings directly back to the company.

During the proceedings, Walker's attorneys objected to the presence of media in the courtroom and then the discussion evolved to the illicit microphones that were placed on the judge's bench and behind books on both sides of counsel table. According to the complaint, which asks for a permanent injunction, "It was then learned that these privileged communications were instantaneously transferred to the headquarters of TMZ Enterprises."

While I'm generally less concerned with the use of technology in courtrooms than some, this is likely to create some fairly large problems for TMZ if true. Judge Ray Jurado is understandably less than pleased and he's stated that he was unaware of the hidden mics and that this would absolutely not happen again. It seems clear that TMZ would know that this move was wrong, assuming it's true, given that they don't appear to have requested placement of their microphones. Fortunately, Judge Jurado has reviewed the recordings and stated that they don't contain any "discernible voices", but that doesn't mean that enhancements couldn't change that. TMZ, for their part, has declined to state that they would destroy the recordings.

Not surprisingly, this has opened up questions from Walker about his faith in the judicial process.

Walker says that as a result of TMZ's conduct, he has experienced "tremendous fear and distrust of the judicial system" and is suing for wiretapping, invasion of privacy, intentional infliction of emotional distress and eavesdropping on confidential communication. He's seeking $100,000 in actual damages and more in punitive damages.

The complaint also asserts that TMZ's "conduct is ongoing" and violates attorney-client privilege. Asking for a permanent injunction over TMZ's alleged conduct, the plaintiff says "its threat to the public interest is tremendous. No matter who the alleged victim in a case is, there can be no lawful justification."

And it's hard to dismiss those claims. While I'm hard-pressed to think that this revelation has any material impact on Walker's case, I can certainly understand a degree of paranoia. Part of what makes for a fair trial is the setting of the court and its rules. If court security can't, you know, secure the court, and if there's even the slightest chance that hidden mics could pick up privileged information in a trial, it's a problem. In the future, any media member that wants to utilize technology in courtrooms needs to do so above board. The judicial process is simply too important to kneecap.

Filed Under: courtroom, hidden mics, security
Companies: tmz

Time To Speak Up About CISPA: We Shouldn't Be Scared Into Giving Up Our Privacy

from the speak-out-now dept

A bunch of groups are teaming up this week to call for a week of action against CISPA just as Congress is gearing up, yet again, to push through this cybersecurity bill based on a lot of FUD, with little to back it up. To be clear, there are a lot of challenges around online (can we dump the stupid "cyber" prefix?) security out there, and it's clear that there is plenty of malicious and government-sponsored hacking and attacks. But we need to put this all in perspective. First off, there is already tremendous incentive to combat these attacks, and there are existing methods to do so. Second, no one has given a reasonable response to explain how something like CISPA will do anything at all to help prevent such attacks in the future. Third, while these attacks may be economically damaging, there is little evidence of them creating real physical harm to date. That's not to say it's not possible in the future, but stories of airplanes falling from the sky are quite exaggerated. Fourth, and most importantly, no one has explained why we all need to sacrifice our own privacy for these vague and undefined benefits.

A bunch of groups are fighting this, and now is the time to take part. EFF and Fight for the Future have put together a simple page to help you take action. As they point out there are three key objectionable parts to CISPA:

• Eviscerating existing privacy laws by giving overly broad legal immunity to companies who share users' private information, including the content of communications, with the government.
• Authorizing companies to disclose users' data directly to the NSA, a military agency that operates secretly and without public accountability.
• Broad definitions that allow users' sensitive personal information to be used for a range of purposes, including for "national security," not just computer and network security.

None of these are even remotely necessary to allow for effectively combating online attacks, but all certainly would be quite handy in helping the government snoop on the activities of citizens (and non-citizens) without much oversight. Considering how often we've seen other laws passed in a flurry of FUD around other "threats" later turn out to be abused by government officials for the sake of snooping, rather than any legitimate reason, we should be very concerned about these efforts here.

Filed Under: cispa, cybersecurity, fud, privacy, security, speak out, week of action

EA's Troubles Keep Getting Worse: Big Security Flaw Discovered In Origin Platform

from the another-day,-another... dept

Perhaps the timing is a coincidence, but following the absolutely disastrous SimCity launch, in which EA's focus on DRM seemed to get in the way of actually making a product that works, it's been announced that CEO John Riccitiello is stepping down at the end of the month. This is clearly not a planned succession situation, because the company's former CEO, Larry Probst, who ran EA from 1991 until 2007 when he handed it over to Riccitiello is taking over as interim CEO as they search for a real replacement. Perhaps they should look for someone who recognizes that providing a good product that people want to support is a better goal than "stopping piracy." Just a suggestion.

Of course, they may also have bigger issues to deal with. Rich Kulawiec was the first of a few of you to submit the news that researchers have demonstrated a pretty big security vulnerability in EA's Origin platform (the company's Steam competitor), which can be used to exploit local vulnerabilities on the computers of about 40 million Origin users. If you'd like to see the hack in action, there's a nice video. You can read the details directly, if you'd like, which comes complete with some graphics explaining how the security vulnerability, found in the URI handling of Origin, can be exploited: You get the feeling that March 2013 is a month that EA would prefer to forget ever existed.

Filed Under: origin, security
Companies: ea

Expose A Blatant Security Hole In AT&T's Servers, Get 3.5 Years In Jail

from the now-the-holes-will-be-open-longer dept

We've written a few times about the case of Andrew Auernheimer, perhaps better known as weev. While he has a bit of a reputation as an online troll, and self-admitted jerk, his case is yet another example of how ridiculously broken the CFAA (Computer Fraud and Abuse Act) remains. In this case, what he did was expose a pretty blatant security hole in AT&T's servers, that allowed anyone to go in and find the emails of any AT&T iPad owner, merely by incrementing the user ID. This isn't a malicious "hack." It's barely a "hack" at all. This isn't "breaking in." This is just exploring a totally broken system. To call attention to this, weev collected information on a bunch of famous folks who had iPads and alerted the press. This is what security folks do all the time. And for his troubles in helping AT&T discover and close a pretty bad security hole, he's been sentenced to 41 months in prison plus he has to pay $73,000 to AT&T. One hopes AT&T will use it to hire half a decent security person or something.

The sentencing, by the way, was near the top of the "guidelines" the judge had, for those who insisted that the courts in other CFAA cases, such as Aaron Swartz's might be lenient.

Plenty of people -- especially in the security community, are realizing what a ridiculous ruling this is and how dangerous it is. As people are starting to point out, while he may be a jerk, that doesn't mean he's a criminal. The prosecution used chat logs in which Auernheimer and a friend, Daniel Spitler, discussed the effort, and the fact that they talked about harming AT&T's reputation and promoting themselves as security experts. I don't see how that leads to any criminal activity though. AT&T's reputation should be tarnished for having crap security. And why wouldn't some researchers talk about using the discovery of a really bad privacy hole by a major corporation to boost their own credentials. Pretty much anyone in their shoes would reasonably think the same thing.

Prosecutors, of course, played up Auernheimer's history of being a jerk, but that alone has little to do with his actions here:

"His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he," wrote U.S. Attorney Paul Fishman, who went on to note the "atypical recalcitrance by the defendant to conform to the laws regarding unauthorized computer access."

While that may be true, none of that, by itself, is illegal. And the actions that exposed a glaring hole put in place by bad programmers at AT&T shouldn't be either.

Filed Under: andrew auernheimer, cfaa, hacking, jailtime, research, security, weev
Companies: at&t

Security Reporter Raided By SWAT Team After Someone Put In A Bogus 911 Call

from the hazards-of-the-job dept

Brian Krebs is a phenomenal online security reporter who's been deeply involved in many stories concerning underground hacking issues, from spam to credit carding and many other such issues. As someone who explores that world, he's been subject to various attacks, including regular DDoS attacks on his website (he now works with a company that helps protect against such attacks). However, things got taken to another level yesterday. First, that anti-DDoS company, Prolexic, received a forged letter, pretending to come from the FBI, asking it to stop hosting the site. Then, something much bigger happened. As Krebs was getting ready for a small dinner party at his house, he walked out his front door and discovered a bunch of police officers with guns pointed at him. He'd been "swatted," -- the term for tricking a SWAT team into raiding a house based on bogus info.

"As soon as I open the front door, I hear this guy yelling at me, behind a squad car, pointing a pistol at me saying: 'Don't move. Put your hands up,'" Krebs, who is a long-time friend and colleague, told me. "The first thing I said was: 'You've got to be kidding me.'"

In all, there were at least a dozen officers with pistols, shotguns, and assault rifles pointed at him. They had police dogs circling his house and cruisers had sealed off a nearby street. Krebs, who was dressed in just gym shorts and a T-shirt, complied. Wisely.

"Two different guys were barking orders at me," he continued. "I finally said: 'Which way should I go?'" One officer told Krebs to lie on the ground, but before he could comply the other cop ordered Krebs to walk backwards. Eventually, "they put the cuffs on me and took me up the street. I was freezing the whole time."

Someone had made a call to the police, pretending to be Krebs, and claiming that "he was hiding in a closet after Russian thieves had broken into his home and shot his wife." And the police sent the SWAT team.

Why? Krebs suspects it was a response to a an article he had just posted, which highlighted a Russian website that was used to get easy and cheap access to credit reports (one interesting tidbit, is that he suggests that people are abusing the federally mandated free AnnualCreditReport.com site, which was supposed to reduce identify fraud, but may actually be enabling much more of it). Krebs figures that the people behind that site weren't too happy about the exposure, and tried to send him a message.

Of course, if law enforcement officials weren't so eager to rush in with a SWAT team, such issues might have been avoided as well. In fact, Krebs notes that he warned his local police agency of the possibility of such a thing happening about six months ago, but apparently no one bothered to check on that bit of info until later.

After about five minutes in custody, Krebs explained that he was the victim of a monstrous crime known as swatting. One of the officers asked if Krebs was the person who had filed a report a few months earlier. When Krebs replied yes, the officers did a quick search of his home. With preparations for a dinner party clearly on display, it quickly became apparent that Krebs' home was not a crime scene and that the call was part of a fiendish plot. An officer told him later that they had tried calling him before he opened his front door but no one had answered the phone.

As Krebs notes, these are situations where it makes little sense for local law enforcement to rush into these things where they may not understand what's going on.

Often local police are left to investigate, even when the perpetrators may be half a world away. He wants that to change. "Your local police department, the ones that are responding to these distress calls, they don't have the bandwidth," he said. "This is an area where federal law enforcement needs to be coordinating investigations. I'd like to see some sort of recognition or statement from federal law enforcement that this is something they're actively investigating."

Of course, I'm not sure how well that would have worked in this case, since the caller suggested it was a local crime issue. Still, hopefully Krebs' situation raises some questions about the eagerness to send in the SWAT team, though given just how common bogus SWAT team raids have become, it seems doubtful that yet another example of a bogus raid will lead to any real change.

Filed Under: brian krebs, credit reports, ddos, hacking, security, swat team, swatting

Dutch Parliament Member Fined For Hacking; He Says He Was Just Exposing Security Flaw

from the ethical-hacking-or-not dept

A few folks sent over this story of Dutch Member of Parliament (MP) Henk Krol being fined about $1,000 for "hacking." He claims that he was just exposing poor security on the part of a Dutch medical laboratory called "Diagnostics for You," which he felt was especially important since there are stricter privacy rules for medical info. Of course, "hacking" is used loosely here: basically, a patient overheard an employee at Diagnostics for You reveal the system password while he was in the lobby, and that patient passed the password along to Krol. So, the "flaw" could be as simple as a stupid employee revealing their password out loud (though, you could argue that a system like that should require two-factor authentication or some other more advanced security than a simple password).

Either way, the court recognized that Krol's intentions may have been in the right place, but faulted him for viewing and printing "more files than necessary" to make his point -- and also for going to the press with his findings at around the same time he notified the laboratory. The court said simply finding the flaw and even downloading some records to prove it to the lab would have been fine, but that he went too far (even if he carefully redacted personal info). And then going to the press immediately when the problem seemed to be more a case of a bad employee revealing their password, just seemed like too much. As the court noted: "the problem was not so acute that immediate use of media was necessary."

Of course, this kind of thing is often a struggle when it comes to security hacking. Different people have different opinions on whether or not it's appropriate to go to the press, and also how much information to access. But it seems to be handled on a case by case basis, rather than with clear rules. There are some norms among security researchers -- and that tends to include giving a company some period of time to fix things -- but this remains an area of the law that is sometimes a bit fuzzy. You want companies to respond quickly to security flaws, and sometimes going to the press ensures getting a real response faster. But, it also seems less likely to cause significant damage if you contact them first.

Perhaps MP Krol can now try to pass some legislation with standards on how to handle security breaches found without having them turn into legal cases against the researchers.

Filed Under: ethical hacking, hacking, henk krol, netherlands, security