HIV Dating Company Accuses Researchers of Hacking Database

itwbennett writes: Slashdot readers will recall the story posted last week about the misconfiguration of the MongoDB database that powers Hzone, a dating app for the HIV-positive, and the ensuing threat of HIV infection the company hurled at DataBreaches.net, who sent the notification. (Hzone later apologized.) But that's not the end of the story. Among other twists and turns that point to a CEO who was in way over his head, in several emails to Dissent, the admin of DataBreaches.net, Hzone CEO Justin Robert accused Dissent of changing the Hzone user database. But follow-up emails suggest that the company couldn't tell what was accessed or when, as Robert says Hzone doesn't have 'a strong tech team to maintain the site.'

That's a first

I know this warning is unnecessary here, but do not follow the second link in the summary (same as the one under the title). This is the first time a /. summary has been better written than the source article.

What content there was to be found between the typos and grammar errors indicated that the immunocompromised dating site owners are incompetent, sue happy, and really bad liars. (A fairly common combination, so nothing unusual there.)

Normal

[nospam007]

"...point to a CEO who was in way over his head,"

Aren't they all, these days?

Re:Normal

[DarkOx]

What you mean its not possible to completely abstract all management activities and decision making processes. Are you making the radical suggestion there isn't a completely generic way to run a business? Is you assertion you have to understand at least the basic nuts and bolts of what a company does to run it effectively?

Re:Normal

[Buchenskjoll]

"...point to a CEO who was in way over his head,"

He'd better wear a comdom then! (drum roll)

Re:Normal

[jellomizer]

Well with IT security nowadays it is very hard for a small focused business to survive in today's market.

Back in the 1980's and 1990's we had a slew of applications created by non-developers due to easy to learn languages such as Basic/Visual Basic, FoxPro, DBase, Access, etc... Being that these applications ran on a local network via file shares, with a more or less trusted group of employees. Security was never a concern. So the small company can make a custom app with a very small investment and allow them to be agile to adjust their business processes.

However now with hackers who will blindly attack any system that is vulnerable, or worse the hackers who think they have a mission to expose the bad people in the world. Means you need staff that are specialized in IT security. To keep their data safe, and be able to track and report on vulnerabilities.

This is like forcing a Mom and Pop candy shop to have armed guards on the payroll just in case someone breaks in and steals the candy, and exposes all the candy customers in the store. As to shame them for being the cause of obesity in the world.

Re:Normal

[unencode200x]

This is a huge point. The company and therefore the CEO are responsible for their customers' very sensitive information. Saying that they don't have a strong IT team is like a bank saying they don't have a safe. What the hell? Of all places you would think a website that knows you have a highly stigmatic disease would get this and spend appropriately even if it meant charging their clients more. I'm guessing those clients would have been happy to do so.

Re:Normal

[gstoddart]

The company and therefore the CEO are responsible for their customers' very sensitive information.

Show me the case law which says that.

Time and time again companies are utterly inept at security, get hacked, and basically say "gee, we'd like to say we're sorry but we're not really, and since we're not liable we don't care".

CEOs are, in my opinion, largely responsible for being greedy assholes doing PR and sales ... and they don't think they have any such responsibility as protecting your data. At the small company level, a CEO is a self appointed title by some schmuck who thinks he's got a winning business idea. My guess is this is more of the same.

Make companies and CEOs actually responsible for such stuff, and something might happen. Right now corporations can be utterly incompetent, and they have no liability at all.

If your'e expecting some kind of 'moral' responsibility, good luck with that.

So, some guy has an idea for a website, does a shitty job of building and securing it, and gets hacked. Do you really think the CEO is losing any sleep?

Re:Normal

[unencode200x]

Fair enough. Someone made the point a few posts up that this isn't subject to HIPAA and while I'm no lawyer they're probably right. The longer I work in business the more I see morality thrown out the window for better or for worse. I feel bad for these people but it's true, buyer beware.

The same is true with the CISA act this week. Put all your stuff in the cloud and were under the impression you were protected by warrants and all that? Too bad!

Re:Normal

[dbIII]

With dotnet that sort of shit is still happening, and just like back in the day it's not only security that suffers from newbie mistakes. It's not really the platform just people who cut and paste their way into getting stuff halfway working instead of knowing how to write things for the platform.
I'm sick of stuff that takes 30 seconds to start due to a huge 24bit background pic and a slow needless text to speech thing saying hello. Can I skip that shit on the hobby inventory list program and actually start using it please?

Re:Normal

[gstoddart]

Fair enough. Someone made the point a few posts up that this isn't subject to HIPAA and while I'm no lawyer they're probably right.

Well, think about it ... HIPAA covers medical professionals and hospitals with an expectation of confidentiality.

If you sign up for a private web site which ends up more or less saying you have HIV, then you chose to give that to a private entity. And then what happens to the data they have is entirely legally different. The same way that governments can demand from corporations what they're not allowed to collect from you. So, no warrant when a company can be forced to hand over data which is now considered "their" property.

There are no protections in place against corporations, and they have no liability.

The longer I work in business the more I see morality thrown out the window for better or for worse. I feel bad for these people but it's true, buyer beware.

It's sad, but it's true.

Honestly, I go straight to assuming all corporations are ran by greedy, incompetent douchebags who don't give a crap about you ... and that all of them are probably vastly insecure and not to be trusted with your data. It's a cynical world view, but it saves a lot of time.

The sheer number of security stories we see every year says it's better to assume companies are inept, and withhold your data, than it is to think "gee, these nice people seem trustworthy with my personal information". As long as people will hand over their private information to any old website, and as long as corporations have no legal liability, this will keep happening.

If you don't give this shit out to these companies, they don't have it to betray your trust. You might miss out on a shiny bauble, but the company can't get hacked and release your information.

But, nobody wants to listen to that kind of stuff. They want free things on the interwebs, and don't know or don't care about the consequences.

Withhold your data, or give it away ... but don't be surprised that when you give it out it might be accessed by someone you didn't intend to, or used for things it wasn't supposed to.

Because at the end of the day it's about greedy assholes maximizing profits, minimizing costs, and not giving a crap about you except for how it makes them money.

Re:Normal

[jellomizer]

The locks and security cameras are the equivalent on making sure you have a login and password to sensitive data. For the Mom and Pop shop this is usually enough, however for internet commerce it isn't. The internet is like placing your business in the middle of the worst neighborhood you can find. So you need the security guards (aka an IT Staff with strong security knowledge), who will be more proactive in keeping the site secure.

Re:"Researchers"

[ls671]

But, but, I have plenty of requests hitting my web server that have user agent strings matching "*research*", same for some abuse contact addresses for the IP (whois lookup) and they don't even set the evil bit so I thought it was OK to let them through.

Do you mean I should block those requests?

Re:"Researchers"

[DarkOx]

The Hypocrisy of it all is sickening

While I am incline toward agreement with you where exactly is the hypocrisy? Researches in other fields have a long history of being caught doing things that were illegal or determined to be unethical we can and do call them criminals, I am not sure we stop calling them scientists and researches. Its seems very possible to me to be both a criminal and researcher.

His name isn't Justin Robert, it's Mao JianQiang

[TechFurryFox]

I performed a reverse on the domains when the original controversy set out. This guy isn't HIV positive, he's just a guy in China trying to make a buck off others. He also has an app called SugarD and there are many other domains he has registered in an attempt to have a successful business. The company is pretty much run by him and whatever support he may have hired, which is the reason hzoneapp doesn't have a solid technical team. Check out the self published prweb for hzone, he calls himself "Justin M, CEO." Looks like you made a slip up there with keeping your name consistent Mr. JianQiang.

Irony exposes hackers to organic virus

[Bob_Who]

One way or another, hacker's exploits and malware share attack vectors.

Perhaps they're infectious...

Re:His name isn't Justin Robert, it's Mao JianQian

[TechFurryFox]

Just to give everyone the FYI, Mr. JianQiang also has the following domains: tophivdatingsites lesbiandatingonline singleparentdatingonline singleparentfish pozty - alas to hzoneapp ubaliaoyn - some chinese site xoiiixaab - some chinesesite He stopped the other site projects when he scored with hzone. He's not a single parent, he's not lesbian(well he may like women) and he's certainly not POZ. He's just a Chinese man screwing everyone over with this charade. So Mr. JianQiang, drop the act.

Re:"Researchers"

[NatasRevol]

And what if there's a clearly open port that provides unfettered access?

Say port 80 brigs up phpMyAdmin and is configured to allow access without a password?

Is this criminal or just browsing their website?

Failure to properly and fully secure your externally facing computers is your fault and anyone accessing it has every right to. It is NOT synonymous to leaving your door unlocked.

Doubt there would be fines

[Aaden42]

There's no reason they'd be subject to HIPAA nor be fined under it. They're not medical providers. Users of their system willingly disclosed their status to a third party, non-medical provider with the explicit purpose of being placed in contact with other people who had also disclosed their status and the understanding that their status would be disclosed to those other people in the process.

Whether there are any fines related to general personal information breach, I don't know; but I kind of doubt it. Describing those laws as "a bit loose" would be charitable.

MongoDB

[unencode200x]

http://www.databreaches.net/mi...

I hadn't realized it the first time around but this was also a MongoDB database. Not that it really matters, the CEO makes them all sound incompetent.

Re:Gotta be careful

[unencode200x]

Isn't that a crime? If so is one bound to report it? I mean, if you know there's going to be a serious breach, especially if the governor is on the list, holy crap man.

Re:Gotta be careful

[cjjjer]

No it is not a crime not to report violations, not yet anyway. However the fact that the OP failed to report the violations is also part of the problem.

Re:"Researchers"

[dissy]

You are a researcher if you buy the software, install it, and then see what you can do. If you try to get into a system belonging to someone else, you are a fucking criminal.

You are aware the researcher simply saw a "HIV dating site database dump.zip" up on bittorrent and decided to inform the site owner that he may want to check that shit out to see if it is theirs and if so maybe fix their site up, right?

If I found something of yours across town in the middle of the street, that you put your own name and address on, why am I a criminal for returning it to you or informing you where I found it, if I am not the one that took it and put it there?

Re:"Researchers"

[TWX]

No, it's more like a business or storefront leaving the lights on and the doors unlocked without any staff present and without any sort of door chime or camera. While it's not right for patrons to start looking through the drawers or the paperwork or the receipts, let alone steal any merchandise, it should be expected that some people will do this and it's the obligation of the entity to take steps to prevent it.

Those that do not understand at least the basics of security and do not take steps to learn the specifics or to hire-out for them have no business operating on the Internet. They deserve whatever civil legal repercussions are brought down upon them. It doesn't matter if they too are victims when they have a responsibility to protect themselves and their users from a world that is understood to be unkind.

Re:"Researchers"

[arth1]

I don't know. How long will morons keep pretending that if we shun and punish those who disclose vulnerabilities, the vulnerabilities won't be exploited by malicious actors?

What are the ratio between (a) criminals using 0-day exploits they've found out through own research or obtaining them from other criminals, and (b) criminals using N-day expoits they have been made aware of by public disclosure?

As a sysadmin, I would have to say the (b) is by far what hammers the systems the most these days, and costs my company quite a lot of work and resources. I'm not saying that is work that shouldn't be done, but that the cumulative cost of disclosure for the sake of disclosure can be higher to society than the cumulative cost of 0-day attacks.

Re:Gotta be careful

[unencode200x]

Assuming OP is in the US who would OP report it to? Perhaps it's not too late.

Re:"Researchers"

[NatasRevol]

No, it's like moving your house to the middle of the road, taking the front door off the hinge & expecting no one to walk in.

Re:"Researchers"

[NatasRevol]

If it's in the middle of the road (internet), those are the rules.

Re:"Researchers"

[NatasRevol]

Clueless idiot threatens people anonymously online.

No one runs away scared.

Re:"Researchers"

[NatasRevol]

So web browsing isn't allowed?

Or just maybe it's not the same principal as a house.

Re:"Researchers"

And furthering this analogy, this reaction is like trying to crucify the one guy who goes through shit to find a number to call to let someone know "hey, your shit's unlocked."

Re:"Researchers"

[Wootery]

it should be expected that some people will do this

Not relevant to the questions of whether it's moral or legal.

Re:"Researchers"

What do you think listening for connection requestion on port 80 mean?

• client: knock knock
• server: Who is there?
• client: The web browser, want this cookie back?
• server: Whatever. Here is the documents I allow you to access and action you are permitted to perform.

Serving stuff on a internet facing server without password is EXACTLY like holding a sign that invite everyone to come in. Deal with it fucktard. The Internet is no "safe space" for over sensitive millennial.

Systematic attack

[DrYak]

This is like forcing a Mom and Pop candy shop to have armed guards on the payroll just in case someone breaks in and steals the candy, and exposes all the candy customers in the store. As to shame them for being the cause of obesity in the world.

Except the whole things happens in world with Star-Trek like teleporters and replicators. So the case of "some breaks in" are happening on massive scale.

It's not merely one guy deciding to go berserk, and then needs to walk to the (only) nearest Mom and Pop candy shop.
It's a guy deciding to go beserk, and then instantly teleport in front of all Pop and Mom shop of his country and breaking in all of them. Every single one. All in the same hour.
That's the power of Internet.

And amidst all this he also happens to also break the window to the bed room of little Shirley, because she happens to have be eating the same candy as the one in all Mom and Pop shop.

Also, the guy don't beam himself in front of all these windows. He beams some random chinese guys to break the windows for him.
In fact it's not the chinese guys who get beamed. It's their roombas/neatos/whatever robot they have at home. The chinese guys owning the robots don't even notice their little escapade and meanwhile the berserk guy has a standing army of robots systematically breaking all the Mom and Pop shops of the country.

And even if the robots are all chinese, the berserker doesn't really need to speak chinese, he only needs to point his finger in the correct direction, other have developped "finger-to-chinese" dictionnaries for him.

That's the power of large scale automatic script-kiddie attacks on the Internet.

Also the government has modified the building code and has mandated that every single shop or house has an extra separate door that can't be locked. (Just in case that the police need to be able to quickly come inside). But they have painted the door the same colour as the wall so they hope that nobody will notice.

In other words: the current state of world-wide computer security is abyssimal, and our brains accustomed to the physical world (where everything necessitate slow travelling around) are poorly equipped to grasp the menace cause by the systematic and quick access offered by modern means of communication.

Re:Systematic attack

[KGIII]

I think this thread might actually be the worst analogy thread ever. The sad truth of this is, the "researcher" didn't even *do* the "research* but found their database on a torrent site and informed them because he feared it might belong to them.

So it's like you're trying to make an analogy about a guy who isn't actually the guy who did it and cars, doors, shop keepers, candy stores, and condoms!

Worst Analogy Thread Ever!

Re:"Researchers"

[TWX]

Immoral and illegal things happen all of the time. You are obligated to prevent them from happening to you. We have attempted to build a society that reduces the number of immoral and illegal things that happen and reduces the number of people victimized, but ultimately the individual is the final line of defense against becoming a victim.

Re:"Researchers"

[NatasRevol]

Guess what open ports say?

'Come on in'.

Re:"Researchers"

[NatasRevol]

open ports = open doors

On the internet = with an invitation to come in.

Deal with it.

Re:mongo is webscale

[andymadigan]

Worldwide, more straight people have HIV than gay people, by a huge margin. You probably mean the U.S. though, in which case:

"MSM accounted for 54% of all people living with HIV infection in 2011, the most recent year these data are available."

So, straight people would appear to be 46%, hardly a "tiny fraction of a percent".

http://www.cdc.gov/hiv/statistics/overview/ataglance.html