Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:27 PM
Connect Directly

'Hacking' Journalists Case Dredges Up Security Research Legal Debates

Telecom firm TerraComm seeks to sue Scripps-Howard journalists for Google searches that uncovered sensitive info freely available online

A legal storm is brewing between researchers who uncovered a cache of sensitive information about 170,000 consumers through a Google search and the company which left the information freely available online. It sounds like the typical disclosure scuffle that the security research community has come to expect as part of the territory, with the exposed firm threatening to ring up researchers for violating the Computer Fraud and Abuse Act. But this one comes with a twist: the researchers in this incident weren't code slingers, they were word slingers.

The exposed information was discovered by two journalists with Scripps-Howard news service who stumbled into the openly searchable information from data stores held by telecom vendor TerraCom Inc. through Google. Their search came while investigating a story on why so many consumer participants in government-subsidized cell phone program Lifeline -- a program in which TerraCom and its affiliate company YourTel participated -- were having their identities stolen.

"The Scripps News team discovered the unsecured records while looking into companies participating in Lifeline. A simple online search into TerraCom yielded a Lifeline application that had been filled out and was posted on a site operated by Call Centers India Inc., under contract for TerraCom and YourTel," Many in the security community say the incident and its legal fallout could stand to draw attention to a more mainstream audience some of the biggest legal and ethical problems facing white and grey hat hackers today.

[Why does SQL injection linger? See 10 Reasons SQL Injection Still Works .]

"I love this, this is a perfect example because what you effectively have here is a very innocent set of research. They stumbled on this data through simple searches," says Trey Ford, Black Hat general manager. "The custodian of this data was not properly managing authorized access. And just because the custodian didn't feel like they wanted this other company or the rest of the Internet to have 'authorized' access to this data, they cited a law that allowed them to hide and sue someone doing something that was ultimately trying to help them out."

But the slippery topic of motivation is what has some other researchers torn on whether the journalists acted appropriately.

"They definitely came up on some very poorly secured information and I completely agree that poorly secured information needs to be pointed out," says Wade Williamson, senior security analyst for Palo Alto Networks. "But I think that when you download all those records and start reaching out to contact people [from those records] for a quote in a story, you're very much using that for your own personal gain."

The split in opinion even among security experts shows how nuanced the perception problem can be in these disclosure cases. For his part, Ford believes the Scripps reporters acted appropriately to get the story out for the benefit of affected consumers.

"I actually appreciate the fact that they took the time to do some user awareness training, saying, 'Hey, you have got information out there, you trusted your information with these people and they didn't manage that, how do you feel about that?'" he says. "I mean, that's effectively what news is at the end of the day."

Regardless of the security community weigh-in, though, the true litmus test could be how the courts decide. If things were based strictly on precedence, things wouldn't look good for the Scripps scribes.

"To me I really don't see much difference between that and the teenagers that get sent down for a long time," Williamson says, "other than saying 'We're doing this for the public good.' A lot of people say they're doing it for the public good."

That's the exact argument that Andrew 'weev' Auernheimer made when defending himself in a case against him spurring from his disclosure of personal details of 120,000 iPad users to media site Gawker after finding a business logic flaw in the AT&T website. He's currently serving three years for his actions.

But if the courts are consistent in their judgments it could mean an extremely negative potential outcome for the industry that only serves to work against the ultimate best interest of companies like TerraCom that pursue legal action, says Marc Maiffret, chief technology officer at BeyondTrust.

"If there are going to be cases where people get in big trouble with potential jail time, it's going to make everybody stop pointing vulnerabilities out and all that means is that the bad guys are the only ones doing it because they don't care about the law," he says. "It's a balance. You want to have a way for good people in the world to not feel like they're going to jail for pointing out something wrong that a company is doing, whether they know it or not."

But the unusual nature of the case and the legal resources of the journalists' news organization could potentially help set a new precedence of its own. According to Ford, the experience of of the Scripps journalists is very dissimilar to the typical researcher because of the professional backstop journalists have in this instance.

"This is a good example of what researchers deal with all the time, the only difference is they don't have the backing of a strong media arm to protect them," Ford says. "There's also a certain amount of protection afforded to members of the press compared to some random Joe Schmuck hacker dude that's trying to say 'I found something, I'm worried for you and I want you to know about this.' When they say, 'what are you talking about, I'm going to sue you,' the journalist says 'I'm going to quote you. Thank you.' There's some level of accountability when you say something like that to a member of the press."

Robert "Rsnake" Hansen agrees that there's a contrast between a journalist's experience disclosing and a traditional security researcher's struggle. He thinks it underscores the difficulties many independent researchers face in order to be heard.

"Precisely because he's a member of the press, it makes it naturally not like every other researcher," says Hansen, Black Hat Review Board member and a long-time fixture in the security research community. "Someone who writes for a magazine or whatever can really shape the conversation in a way that some researcher who may not even speak English very well is trying to explain some very complex thing, and explain a history with a company that may be extremely complicated."

However, if this case does go anywhere, it could potentially benefit the research community if it brings enough attention to the lowlights of the legal framework around computer manipulation and ethical hacking. A big part of the problem is even legally defining what hacking really is.

"My personal definition of hacking is if you can find it through a Google search and it's out there open to the public, that's not really hacking because you're not specifically manipulating the system based on a security weakness to get the information out of it. But that's not necessarily what the law says," Maiffret says. "The law has definitely not evolved with the rate of innovation and the changing of how society is communicating and data is flowing."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/23/2013 | 5:19:49 PM
re: 'Hacking' Journalists Case Dredges Up Security Research Legal Debates
One question to consider here is did the reporters post the information on line for others to exploit or did they write their story and attempt to get the owner of the data to secure it? If they are not attempting to mis-use the data and informed the owner prior to their story then they probably didn't commit a crime (this is for the lawyers to fight over). If however they wrote the story showing where the data was and left the company out to hang then you must wonder what their true motivations were.
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address allows attackers in the local network to access multiple quagga VTYs. Attackers can...
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.