Attacks/Breaches
5/22/2013
11:27 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

'Hacking' Journalists Case Dredges Up Security Research Legal Debates

Telecom firm TerraComm seeks to sue Scripps-Howard journalists for Google searches that uncovered sensitive info freely available online

A legal storm is brewing between researchers who uncovered a cache of sensitive information about 170,000 consumers through a Google search and the company which left the information freely available online. It sounds like the typical disclosure scuffle that the security research community has come to expect as part of the territory, with the exposed firm threatening to ring up researchers for violating the Computer Fraud and Abuse Act. But this one comes with a twist: the researchers in this incident weren't code slingers, they were word slingers.

The exposed information was discovered by two journalists with Scripps-Howard news service who stumbled into the openly searchable information from data stores held by telecom vendor TerraCom Inc. through Google. Their search came while investigating a story on why so many consumer participants in government-subsidized cell phone program Lifeline -- a program in which TerraCom and its affiliate company YourTel participated -- were having their identities stolen.

"The Scripps News team discovered the unsecured records while looking into companies participating in Lifeline. A simple online search into TerraCom yielded a Lifeline application that had been filled out and was posted on a site operated by Call Centers India Inc., under contract for TerraCom and YourTel," Many in the security community say the incident and its legal fallout could stand to draw attention to a more mainstream audience some of the biggest legal and ethical problems facing white and grey hat hackers today.

[Why does SQL injection linger? See 10 Reasons SQL Injection Still Works .]

"I love this, this is a perfect example because what you effectively have here is a very innocent set of research. They stumbled on this data through simple searches," says Trey Ford, Black Hat general manager. "The custodian of this data was not properly managing authorized access. And just because the custodian didn't feel like they wanted this other company or the rest of the Internet to have 'authorized' access to this data, they cited a law that allowed them to hide and sue someone doing something that was ultimately trying to help them out."

But the slippery topic of motivation is what has some other researchers torn on whether the journalists acted appropriately.

"They definitely came up on some very poorly secured information and I completely agree that poorly secured information needs to be pointed out," says Wade Williamson, senior security analyst for Palo Alto Networks. "But I think that when you download all those records and start reaching out to contact people [from those records] for a quote in a story, you're very much using that for your own personal gain."

The split in opinion even among security experts shows how nuanced the perception problem can be in these disclosure cases. For his part, Ford believes the Scripps reporters acted appropriately to get the story out for the benefit of affected consumers.

"I actually appreciate the fact that they took the time to do some user awareness training, saying, 'Hey, you have got information out there, you trusted your information with these people and they didn't manage that, how do you feel about that?'" he says. "I mean, that's effectively what news is at the end of the day."

Regardless of the security community weigh-in, though, the true litmus test could be how the courts decide. If things were based strictly on precedence, things wouldn't look good for the Scripps scribes.

"To me I really don't see much difference between that and the teenagers that get sent down for a long time," Williamson says, "other than saying 'We're doing this for the public good.' A lot of people say they're doing it for the public good."

That's the exact argument that Andrew 'weev' Auernheimer made when defending himself in a case against him spurring from his disclosure of personal details of 120,000 iPad users to media site Gawker after finding a business logic flaw in the AT&T website. He's currently serving three years for his actions.

But if the courts are consistent in their judgments it could mean an extremely negative potential outcome for the industry that only serves to work against the ultimate best interest of companies like TerraCom that pursue legal action, says Marc Maiffret, chief technology officer at BeyondTrust.

"If there are going to be cases where people get in big trouble with potential jail time, it's going to make everybody stop pointing vulnerabilities out and all that means is that the bad guys are the only ones doing it because they don't care about the law," he says. "It's a balance. You want to have a way for good people in the world to not feel like they're going to jail for pointing out something wrong that a company is doing, whether they know it or not."

But the unusual nature of the case and the legal resources of the journalists' news organization could potentially help set a new precedence of its own. According to Ford, the experience of of the Scripps journalists is very dissimilar to the typical researcher because of the professional backstop journalists have in this instance.

"This is a good example of what researchers deal with all the time, the only difference is they don't have the backing of a strong media arm to protect them," Ford says. "There's also a certain amount of protection afforded to members of the press compared to some random Joe Schmuck hacker dude that's trying to say 'I found something, I'm worried for you and I want you to know about this.' When they say, 'what are you talking about, I'm going to sue you,' the journalist says 'I'm going to quote you. Thank you.' There's some level of accountability when you say something like that to a member of the press."

Robert "Rsnake" Hansen agrees that there's a contrast between a journalist's experience disclosing and a traditional security researcher's struggle. He thinks it underscores the difficulties many independent researchers face in order to be heard.

"Precisely because he's a member of the press, it makes it naturally not like every other researcher," says Hansen, Black Hat Review Board member and a long-time fixture in the security research community. "Someone who writes for a magazine or whatever can really shape the conversation in a way that some researcher who may not even speak English very well is trying to explain some very complex thing, and explain a history with a company that may be extremely complicated."

However, if this case does go anywhere, it could potentially benefit the research community if it brings enough attention to the lowlights of the legal framework around computer manipulation and ethical hacking. A big part of the problem is even legally defining what hacking really is.

"My personal definition of hacking is if you can find it through a Google search and it's out there open to the public, that's not really hacking because you're not specifically manipulating the system based on a security weakness to get the information out of it. But that's not necessarily what the law says," Maiffret says. "The law has definitely not evolved with the rate of innovation and the changing of how society is communicating and data is flowing."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kharrison212
50%
50%
kharrison212,
User Rank: Apprentice
5/23/2013 | 5:19:49 PM
re: 'Hacking' Journalists Case Dredges Up Security Research Legal Debates
One question to consider here is did the reporters post the information on line for others to exploit or did they write their story and attempt to get the owner of the data to secure it? If they are not attempting to mis-use the data and informed the owner prior to their story then they probably didn't commit a crime (this is for the lawyers to fight over). If however they wrote the story showing where the data was and left the company out to hang then you must wonder what their true motivations were.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?