Security Researcher Threatened With Vulnerability Repair Bill
mask.of.sanity writes "A security consultant who quietly tipped off an Australian superannuation fund about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat demanding he allow the company access to his computer, and warned he may be forced to pay the cost of fixing the flaw. A legal document (PDF) sent from the company demanded that the researcher provide its technical staff with access to his computer. The company acknowledged the researcher's work was altruistic and thanked him for his efforts, but warned that the disclosure, which was not previously made public, may have breached Australian law. The researcher had run a batch file to access about 500 accounts, which was then handed to the company to demonstrate the direct object reference vulnerability."
If you find a vulnerability, don't tell the people at risk, sell it or use it.
Either that or move to a less stupid country.
---- Booth was a patriot ----
If you are going to access 500 accounts you don't then report the problem with your name attached. Even if said access is just changing a number in a url because they have a retarded system.
No good deed goes unpunished.
Being punished for doing the right thing tends to bias people towards hiding this sort of information, which would imply that your vulnerability isn't made public until someone slightly less kind happens upon it. Which is apparently the way these folks would prefer it be made public.
"I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw
Next time leave the whoresons to get fucked through their vulnerability by ill-intentioned black hats rather than warning them.
they deserve it. really.
Read radical news here
In meatspace, there are Good Samaritan laws that say that if you help someone who is in danger, you are not to be sued. Pulling someone from a burning car is not something that should bankrupt the rescuer.
We need this for e-space.
If you find a flaw and report it to appropriate people, you should not become a target because you made someone look bad.
The alternative is to never report a flaw. And no, the argument that you can do it anonymously is bullshit too, because people will fuck that up like they already do.
--
BMO
He had increased a numerical value in a URL used to access his statement by one digit and was granted access to a former colleague's account.
But anyway, that is just like having an open door, and all you need to do is go through the door next to the one that is yours.
What the hell kind of logic is that? If this stands then every independent security researcher ought to leave Down Under at once and leave them to find out that White Hats != Black Hats through direct and painful experience. What a bunch of jokers.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Companies don't want to know. Literally. If they know, it increases their liability for doing nothing in the event of a problem.
If you find a vulnerability, disclose it. Publicly.
and anonymously.
Give me Classic Slashdot or give me death!
The rule should be: Disclosure Guarantees Immunity
This would lead to some abuse, but it would also lead to disclosure, which is the only way we're going to develop a secure internet. A federal agency could take the reports to keep both sides honest. Immunity could be granted only for what's reported so if people leave something out to hide their malfeasance it wouldn't be covered under immunity. Reports could even be done anonymously if there's an intervening agency.
tomorrow who's gonna fuss
Unfortunately statutes trump contracts.
The PDF has a sentence which hints that he may have submitted a proof of concept that accessed approx 568 statements.
The problem is, the guy admits to accessing their system and obtaining documents that he should not have been able to get. He says "Here are 500 samples".
What is the first thing that should occur to someone? Well, how about if he accessed 1000 and is planning on ransoming off the information of the 500 he didn't tell anyone about? Why do you think they want to see his computer? Unfortunately, anyone clever enough to do this would have moved the other 500 somewhere isolated that they would have to tear his house apart to get. Like on a microSD card sewn into a stuffed animal.
See, he has zero credibility here. He can say "But I only took 500! I swear it!" and it does no good. Even searching his house doesn't generate any credibility, it only says they didn't find what they were looking for. Checking his computer only proves that if he has criminal intent that he isn't stupid about it. Since many (most?) criminals are stupid, not finding something on the computer actually does say something ... just not much.
The real question is how much would other records be worth to the subject of those records and how much would it be worth on the open market? If you could take a record and turn it into some cash - presumably by drawing on the assets of the subject of the record - then you have a pretty clear idea of the worth. Even if the value was only privacy there might be some monetary value that you could get from the records. Then you have to either make the records irrelevant or you have to watch this guy for the rest of his life to see if he suddenly comes into a lot of money.
Why would I check my neighbor's lock because mine is broken?
Let's make it a closer analogy:
I walk up to my door, open it, and discover it's not my apartment. Oops. It's my neighbor's and it should have been locked.
Then I think, what about the others? So I start jiggling knobs, and a cop walks around the corner and catches me at it.
You think he'll believe me when I say I was just checking locks? And was I right to try to find all the unlocked doors on the floor just because my neighbor's is unlocked?
This is why you make your findings public. Stupid companies like this deserve the result.
Ask the EFF to write up an internationally-binding contract, in which a company would make a legal commitment not to harass [etc] any security researcher who provides them information in good faith. [..] Any company who signs this is likely to get security assistance. Those who do not sign, could not expect such assistance.
With respect, this is naive and assumes that such companies *want* your assistance. I'm sure that a significant proportion would rather that you STFU about any inconvenient vulnerabilities which would cause them a lot of hassle to fix, probably make them look bad (people do *not* like being made to look incompetent, even when they are) and I suspect, from a legal point-of-view, be all-round more convenient to not (officially) know about.
If you persist in trying to get them to do something about this (regardless of whether or not it would help their customers), they *will* find a way of getting back at you and dissuading others from doing the same thing. To be honest, that would appear to be the most likely explanation in this case, and going by some of the comments posted here, it seems to work.
Of course, such dissuaded responses appear to forget that the people you're really helping are more likely the innocent customers of this company (who have no idea how lousy the company is) as much as the company themselves- who would probably rather you kept quiet. So saying "fuck 'em" and letting the company reap the rewards of their own incompetence misses the point.
The primary aim is to address the problem and get them to fix it. While ideally this would be done in a way that minimises harm to the company/people responsible (as "punishing" them isn't- or shouldn't- be the aim), one *has* to assume that their response may not be positive, and make the #1 priority to protect oneself from a potentially hostile response.
This may not be natural for geek-types who see fixing the problem as most important and think they are doing those involved a "favour"- and being more rational- by being more direct, but it is *not* your job to risk being crucified and smeared by some company whose toes they think you stood on. If that means doing things anonymously and less directly then that has to be the way you do it.
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
You discover that the lock on your apartment door is broken, so you check your neighbour and his is broken too, then you check everyone on the hallway and find out that they're all unlocked because the locks are broken, so you report it to the landlord.
Would you expect to be sued for trespassing on all of your neighbours?
If you just turned the knob and didn't open the door, then no. If you entered the apartment and wrote down descriptions of their furnishing to prove you'd been there, they'd probably charge you with trespassing. No different here. He should have just reported the vulnerability instead of writing a script to download personal information from other accounts.
Under many US laws, he committed a crime. If the info he downloaded was subject to HIPAA or other regulatory laws, the company has the right to subpoena the computer he used so they can assess and properly report the information that he compromised.
Here is the link to the law which he broke:
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308h.html
The stipulations to delete all the compromised data and a pledge to not attempt to gain unauthorized access again are pretty appropriate. The statements about reserving the right to inspect his computer or seek damages are in the letter simply to make it clear that they have not absolved him of responsibility and may want proof that he indeed deleted all the data. With all that said, I think it's silly for them to ask to access his computer to verify the data has been deleted. They have no way of knowing if he made copies or even if that's the computer he used.
Less than a year ago I found a similar (though not quite as grievous) flaw in a Kickstarter-like website when I mistyped the URL to my own profile page. I grabbed a handful of info with it; just a few random accounts to proof-of-concept automated grabbing, the technique for which I made note of in an e-mail to their support address. Also, I got the e-mail address of user #1 (unsurprisingly, the implementer), whom I CCed the support e-mail. After a few e-mails of discussion about the precise nature of the flaw, I received a very grateful thank-you from the owner of the company and the head of IT, and the flaw was fixed within the hour despite it being the dead of night in their HQ's time zone. When I see stuff like this, though, it makes me wonder if the next time I trip across something like this I should do the same thing.
"Oh thank you sir for finding my wallet! Now please let me search your house to make sure you didn't take anything of mine."
They can't simply look at their server logs and see what pages were served up to his IP address?
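The post above asks why the fund could not just read its own logs. Below is an added example of exactly that check, written for this page and not code from the thread or from the fund. It assumes a web server access log in the common "combined" layout (the real ASP.NET portal's logs would be laid out differently but carry the same fields), and the log lines and addresses are constructed for the example. Beyond the single case in the thread, it flags any client that pulled many distinct statement ids, and reports how long the longest consecutive run of ids was, which is the signature of the incrementing loop rather than of a member re-downloading their own statement.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined log format is assumed). Addresses are
# from documentation ranges and the documentId values are invented; only the
# "107/1388-<n>" shape mirrors the URLs quoted in the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Sep/2011:21:04:11 +1000] "GET /FSSMembers/secure/Statement.aspx?documentId=107/1388-2001&page=0 HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Sep/2011:21:06:40 +1000] "GET /FSSMembers/secure/Statement.aspx?documentId=107/1388-2002&page=0 HTTP/1.1" 200 47190 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Sep/2011:21:09:02 +1000] "GET /FSSMembers/secure/Statement.aspx?documentId=107/1388-2003&page=0 HTTP/1.1" 200 46502 "-" "Wget/1.12"
203.0.113.5 - - [21/Sep/2011:21:09:03 +1000] "GET /FSSMembers/secure/Statement.aspx?documentId=107/1388-2004&page=0 HTTP/1.1" 200 45877 "-" "Wget/1.12"
203.0.113.5 - - [21/Sep/2011:21:09:04 +1000] "GET /FSSMembers/secure/Statement.aspx?documentId=107/1388-2005&page=0 HTTP/1.1" 500 1203 "-" "Wget/1.12"
198.51.100.9 - - [21/Sep/2011:21:10:15 +1000] "GET /FSSMembers/secure/Statement.aspx?documentId=107/1388-2010&page=0 HTTP/1.1" 200 44021 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Sep/2011:21:12:48 +1000] "GET /FSSMembers/secure/Statement.aspx?documentId=107/1388-2010&page=0 HTTP/1.1" 200 44021 "-" "Mozilla/5.0"
"""

# client ip, timestamp, request line, status; the rest of the line is ignored
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)
# the object reference in the query string; only the numeric suffix varies
DOC_ID = re.compile(r'[?&]documentId=107/1388-(?P<n>\d+)')


def parse_statement_fetches(lines):
    """Map each client IP to the list of statement ids actually served (200)
    to it, which is the record the fund could have consulted instead of asking
    for the reporter's computer. Errors and non-statement hits are skipped."""
    fetches = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["status"] != "200":
            continue
        d = DOC_ID.search(m["path"])
        if not d:
            continue
        fetches[m["ip"]].append(int(d["n"]))
    return dict(fetches)


def flag_enumerators(fetches, min_distinct=3):
    """Flag clients that received at least min_distinct different statements.
    A member re-downloading their own PDF counts once; an incrementing loop
    shows up as many distinct ids forming a consecutive run."""
    suspects = {}
    for ip, ids in fetches.items():
        distinct = sorted(set(ids))
        if len(distinct) < min_distinct:
            continue
        longest = run = 1
        for a, b in zip(distinct, distinct[1:]):
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)
        suspects[ip] = {"distinct": len(distinct), "longest_run": longest, "ids": distinct}
    return suspects


if __name__ == "__main__":
    for ip, info in flag_enumerators(parse_statement_fetches(SAMPLE_LOG.splitlines())).items():
        print(ip, info)
```

Run against a real log the output per flagged IP is the precise set of ids served, so the question of "how many did he actually take" is answered by the server rather than by trusting either side.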
Re-posting because I forgot to login:
In a perfect World that would work, and Companies would notify their customers of the threat and come up with a game plan to mitigate the vulnerability.
In the real World Companies aren't going to do Jack Schitt unless their hand is forced.
And for me, as the Customer, I'd much rather know that a threat exists so *I* can be proactive and try to mitigate the threat than rely on some Company sitting on a vulnerability for months and years while they devise a patch or hotfix all the while I — the customer — am in the dark, and the bad guys have an opportunity to exploit the vulnerability.
Ethical Disclosure is a fallacy.
I can clearly see a need for the researcher to collect "unauthorized data".
Say for instance, white hats had to pen test only their own systems. A whitehat determines that XYZ corp's client accounts package exhibits a vulnerability when $Foo conditions are true. He sends this finding to XYZ, and also to $MultinationalCorp who uses XYZ.
$MultinationalCorp responds to the private disclosure, thanking them for the effort, and "affirming" that their implementation of XYZ client portal is not configured $Foo, and so does not have that vulnerability.
Without directly testing $MultinationalCorp, and pulling some "secret sauce" as proof, $MultinationalCorp can simply deny, and do nothing. (Which is what they usually do.)
This is why pulling some secret sauce is necessary, because it indisputably shows that they are vulnerable. (Else, how would you get the secret sauce?)
Then there is the issue of "how do you locally pen test your own copy of $ClientSoftware, when $ClientSoftware is not available for purchase because it is a totally homebrew solution that is not distributed outside of $MultinationalCorp?"
The ONLY way to test the security of such a system is to test the live system. For the same reason above, you need to collect some secret sauce, otherwise they will just ignore the report and pretend you are a crank.
That's your idea of a closer analogy? I daresay you are biased and painting things with deceptive license.
Let's make an honestly closer analogy:
When opening my apartment door I notice that my key has the apartment number written on it in a special way. Being a locksmith, I get an idea: Does the fancy lock just read the number to determine if the key's good? Because that would be bad. In the same style, I write a different number on my key, the number of my neighbor's apartment, and try it there. It works. We have a problem. I check the whole floor -- all vulnerable to this silliness.
I call up my locksmith friend and tell him how stupid this is. We have a good laugh and talk about what I should do. The next day I call the apartment manager, explain we've got a real problem, and I tell him what I did. I even walked his handyman through the steps so they could clearly understand. The manager has the problem fixed the next day. Job done, right?
The thing is, the super sends the cops to talk with me. With my having been a locksmith contractor to the same police force, it went okay, but it left me shaken. I mean, I talked with the super directly and gave him all my contact info. He knows who I am. Why send the cops?
Later on, the apartment manager sends a notice to everyone in the building, telling them there was a security problem, but it's fixed, and he sincerely apologizes. In particular he says:
And now they've sent me a letter telling me they had to inform the police about how I got into the other apartments because it could be a criminal act; they tell me they've locked me out of my apartment; they say they had to spend money to fix this whole lock problem because of me — the nerve! — they say they have the right to get the money it took to fix their problem from me — what! — they say that they want complete access to my keys, pens, desk, and tools; and they say that they want me never to look for security problems in the building again.
Your darn tootin'! If this is the thanks I get! Some people!
In a previous life I worked for an Australian law firm in their financial services division (not Maged's firm thank god). From Maged's profile you can clearly see he is an expert in superannuation law http://www.minterellison.com/People/maged_girgis/. I can say, with 99% certainty, that he has no practical experience in how section 308H of the Crimes Act and section 478.1 of the Criminal Code Act work. I don't claim to either. But the modus operandi of these law firms is that when a big client comes in with a weird request they get a junior lawyer (or crack team of junior lawyers if the billing is low for that month) who doesn't know much about anything to do some "research" and draft a threatening letter based on a few hours of reading some textbooks and legal databases.
It is possible that the fund does have a right to recover "costs incurred" under pure contract law, although you would have to read the terms and conditions of whatever product Mr Jarrett has with the fund very carefully. But I would think they should be more worried with Mr Jarrett reporting them to the Australian Privacy Commissioner for breach of the privacy principles in relation to the funds obligations to keep personal information secure. I also wouldn't rule out a breach of standards set by APRA (Australia's banking regulator).
Another funny thing to note is that at the rates which Minter Ellison charges, the cost of getting Maged's junior lawyer to write that letter is likely to be far more than the cost of any actions the trustee of the Fund actually needed to take to deal with the problem!
I could go on, but I'm worried they might track me down and start sending me random threats and try to access my computer.
Hm. The URL has my account number in it... I wonder if all accounts are accessible by that param alone? Nah. Well, let's see... I'll just increment the number.
ACCOUNT=1234
while true; do
  ACCOUNT=$((ACCOUNT+1))
  # fetch the next statement, keeping wget's transfer log per account
  wget -nv "https://site.with.FAIL.security/showstatement?acct=$ACCOUNT" > "log.$ACCOUNT" 2>&1
done
By the time I press Ctrl-c I've hacked over 500 accounts!
Perhaps if they get enough negative feedback, they'll drop the threatening postures and lawsuits...
http://www.firststatesuper.com.au/EmailEnquiries
-=Lothsahn=-
You go to a web cafe and post it on 4chan, as Anonymous of course. That is what the system has encouraged.
Hello, I am Patrick. I cannot reproduce the email their staff replied with, except it says something along the lines of thank you for raising this matter for our attention and that it was fixed within an hour or two. Below is my email to them, with certain parts redacted, which includes the heavily debated script. The email was a follow-up after a lengthy discussion with staff and they were most thankful for the call. I'm publishing this just so that you are better informed and can form your own opinions based on this.

From: Patrick Webster [mailto:patrick@osisecurity.com.au]
Sent: Thursday, 22 September 2011 1:26 PM
To: [REDACTED]
Subject: Privacy breach in pillar.com.au website

Hello [REDACTED],

Thanks for taking the time to speak with me today. As mentioned, I am an FSS member from my time at NSW Police Force. My personal background is in IT Security and I am the owner of OSI Security (www.osisecurity.com.au). You're welcome to see my personal history at http://www.linkedin.com/in/patrickwebster - the past 10 or 11 years I have been working in securing information systems etc, which is how I came across this bug.

Yesterday, I received the FSS email notification to download my member statement. So I logged in to the pillar / FSS members portal and went to statements and clicked to download the statement, which is in PDF format. My *personal* statement is at https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D8&page=0 You're welcome to have a look (I have [REDACTED] in super, yay).

So after I saw my statement I noticed the 'documentId' number and, based on my security background, I have natural concerns my information is stored securely. So I incremented the number to see what happens (expecting to be rejected); i.e.

https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D8&page=0

becomes

https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D9&page=0

Amazingly (and coincidentally I might add) the statement I downloaded is my former colleague's at [REDACTED] (if you look at my LinkedIn profile and see my connections you will see that we are connected). I then did a random spot test to see if it worked for any number, which indeed it did. I quickly wrote a linux bash script to enumerate documentId numbers and discovered it worked. Script source is below:

#!/bin/bash
#[REDACTED]
for i in {[REDACTED]..[REDACTED]}
do
echo $i
wget "https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-$i&page=0" --no-cookies --header "Cookie: [REDACTED]"
done

You can see the script runs from [REDACTED]..[REDACTED] in member numbers (just a guess on my part) and then tells the wget software to fetch the documentId with the 'for loop' number which is $i. I was then able to download every member statement, including my own of course. Naturally I find this extremely concerning so I contacted you today (I found this around 9pm last night). All the data I obtained has been destroyed / deleted but validated my concerns.

Ideally the pillar website should generate some kind of hash (such as member ID + unique salt = 'documentId') instead of a direct object reference. See: https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References

That is about it... if you have any questions please contact me via email or details below.

Kind Regards,
Patrick Webster
...
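Patrick's email describes the bug (a statement fetched by documentId alone) and suggests an unguessable identifier as the remedy. The block below is an added example written for this page, not code from the portal or from Patrick, and it models the handler in Python rather than the site's ASP.NET. It shows the vulnerable lookup beside the fix a practitioner would actually insist on: an authorization check that the record belongs to the logged-in member. An unguessable reference (here a per-session random token, the OWASP "indirect reference map" pattern, used in place of the hash Patrick proposes) is then layered on top as defence in depth, because an id that is hard to guess still does not stop a member who learns someone else's id. Member ids, document ids and PDF contents are constructed for the example.

```python
import secrets

# Constructed sample data: statements keyed by a sequential documentId, the way
# the portal in the thread did it. Members, ids and contents are invented; only
# the "107/1388-<n>" shape mirrors the URLs in the email above.
STATEMENTS = {
    "107/1388-1001": {"member": "M-1001", "pdf": b"%PDF statement for M-1001"},
    "107/1388-1002": {"member": "M-1002", "pdf": b"%PDF statement for M-1002"},
    "107/1388-1003": {"member": "M-1003", "pdf": b"%PDF statement for M-1003"},
}


class Forbidden(Exception):
    """Raised where a real handler would answer 403 (or 404)."""


def statement_vulnerable(session_member, document_id):
    """Insecure direct object reference: the session only proves the caller is
    logged in; the record is fetched by documentId alone, so changing the
    number in the URL returns another member's statement."""
    if session_member is None:
        raise Forbidden("not logged in")
    return STATEMENTS[document_id]["pdf"]


def statement_fixed(session_member, document_id):
    """The real fix: check that the requested record belongs to the member the
    session authenticated. Unknown and foreign ids get the same error so the
    endpoint does not confirm which ids exist."""
    if session_member is None:
        raise Forbidden("not logged in")
    rec = STATEMENTS.get(document_id)
    if rec is None or rec["member"] != session_member:
        raise Forbidden("no such statement for this member")
    return rec["pdf"]


def issue_references(session_member):
    """Defence in depth (indirect reference map): the statements page links to
    random per-session tokens instead of raw ids. The token->id map lives
    server-side, so nothing in the URL can be incremented. This layers on top
    of statement_fixed; it does not replace the ownership check."""
    return {secrets.token_urlsafe(16): doc_id
            for doc_id, rec in STATEMENTS.items()
            if rec["member"] == session_member}


def statement_by_reference(session_member, ref_map, token):
    doc_id = ref_map.get(token)
    if doc_id is None:
        raise Forbidden("unknown reference")
    return statement_fixed(session_member, doc_id)  # still enforce ownership


def count_readable(handler, session_member, ids=tuple(STATEMENTS)):
    """Replay the enumeration loop from the thread against a handler and count
    how many statements one logged-in member gets back."""
    readable = 0
    for doc_id in ids:
        try:
            handler(session_member, doc_id)
            readable += 1
        except (Forbidden, KeyError):
            pass
    return readable


if __name__ == "__main__":
    print("vulnerable:", count_readable(statement_vulnerable, "M-1001"))  # 3
    print("fixed:     ", count_readable(statement_fixed, "M-1001"))       # 1
```

The order of the checks matters: the ownership test in statement_fixed is what closes the hole; issue_references only removes the sequential number from the URL so that the enumeration loop has nothing to walk. A hash of member ID plus salt, as suggested in the email, gives the second property but not the first.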
From SALTER v DPP [2008] NSWSC 1325 (5 December 2008)
...
http://www.austlii.edu.au/au/cases/nsw/NSWSC/2008/1325.html
13 Counsel appearing for the defendant drew attention to a number of prior decisions, albeit on different statutory provisions, those cases including Gilmour v Director of Public Prosecutions (Cth) (1995) 43 NSWLR 243, The Director of Public Prosecutions v Murdoch [1993] 1 VR 406 at 409,410. In that last mentioned case Hayne J said:-
“... Where, as is the case here, the question is whether the entry was with permission, it will be important to identify the entry and to determine whether that entry was within the scope of the permission that had been given. If the permission was not subject to some express or implied limitation which excluded the entry from its scope, then the entry will be with lawful justification but if the permission was subject to an actual express or implied limitation which excluded the actual entry made, then the entry will be “without lawful authority to do so.”
In my view the section requires attention to whether the particular entry in question was an entry that was made without lawful authority. In the case of a hacker it will be clear that he has no authority to enter the system. In the case of an employee the question will be whether that employee had authority to affect the entry with which he stands charged. If he has a general and unlimited permission to enter the system then no offence is proved. If however there are limits upon the permission given to him to enter that system it will be necessary to ask was the entry within the scope of that permission? If it was, then no offence was committed; if it was not, then he has entered the system without lawful authority to do so.”
14 The passage has direct application to the situation here.
15 Authorisation to use a computer or authorisation in an entirely different field of law may be general or it may be limited or it may be subject to conditions, and I do not believe that s 308B should be given an operation so as to set at nought that aspect of the general law. As Hayne J said in the passage to which I have referred:-
“If there are limits upon the permission given, it will be necessary to ask was the entry within the scope of that permission?"
------- So, much will depend on the terms that governed the access to the website. Can these be posted ?