Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:27 PM
Connect Directly

'Hacking' Journalists Case Dredges Up Security Research Legal Debates

Telecom firm TerraComm seeks to sue Scripps-Howard journalists for Google searches that uncovered sensitive info freely available online

A legal storm is brewing between researchers who uncovered a cache of sensitive information about 170,000 consumers through a Google search and the company which left the information freely available online. It sounds like the typical disclosure scuffle that the security research community has come to expect as part of the territory, with the exposed firm threatening to ring up researchers for violating the Computer Fraud and Abuse Act. But this one comes with a twist: the researchers in this incident weren't code slingers, they were word slingers.

The exposed information was discovered by two journalists with Scripps-Howard news service who stumbled into the openly searchable information from data stores held by telecom vendor TerraCom Inc. through Google. Their search came while investigating a story on why so many consumer participants in government-subsidized cell phone program Lifeline -- a program in which TerraCom and its affiliate company YourTel participated -- were having their identities stolen.

"The Scripps News team discovered the unsecured records while looking into companies participating in Lifeline. A simple online search into TerraCom yielded a Lifeline application that had been filled out and was posted on a site operated by Call Centers India Inc., under contract for TerraCom and YourTel," Many in the security community say the incident and its legal fallout could stand to draw attention to a more mainstream audience some of the biggest legal and ethical problems facing white and grey hat hackers today.

[Why does SQL injection linger? See 10 Reasons SQL Injection Still Works .]

"I love this, this is a perfect example because what you effectively have here is a very innocent set of research. They stumbled on this data through simple searches," says Trey Ford, Black Hat general manager. "The custodian of this data was not properly managing authorized access. And just because the custodian didn't feel like they wanted this other company or the rest of the Internet to have 'authorized' access to this data, they cited a law that allowed them to hide and sue someone doing something that was ultimately trying to help them out."

But the slippery topic of motivation is what has some other researchers torn on whether the journalists acted appropriately.

"They definitely came up on some very poorly secured information and I completely agree that poorly secured information needs to be pointed out," says Wade Williamson, senior security analyst for Palo Alto Networks. "But I think that when you download all those records and start reaching out to contact people [from those records] for a quote in a story, you're very much using that for your own personal gain."

The split in opinion even among security experts shows how nuanced the perception problem can be in these disclosure cases. For his part, Ford believes the Scripps reporters acted appropriately to get the story out for the benefit of affected consumers.

"I actually appreciate the fact that they took the time to do some user awareness training, saying, 'Hey, you have got information out there, you trusted your information with these people and they didn't manage that, how do you feel about that?'" he says. "I mean, that's effectively what news is at the end of the day."

Regardless of the security community weigh-in, though, the true litmus test could be how the courts decide. If things were based strictly on precedence, things wouldn't look good for the Scripps scribes.

"To me I really don't see much difference between that and the teenagers that get sent down for a long time," Williamson says, "other than saying 'We're doing this for the public good.' A lot of people say they're doing it for the public good."

That's the exact argument that Andrew 'weev' Auernheimer made when defending himself in a case against him spurring from his disclosure of personal details of 120,000 iPad users to media site Gawker after finding a business logic flaw in the AT&T website. He's currently serving three years for his actions.

But if the courts are consistent in their judgments it could mean an extremely negative potential outcome for the industry that only serves to work against the ultimate best interest of companies like TerraCom that pursue legal action, says Marc Maiffret, chief technology officer at BeyondTrust.

"If there are going to be cases where people get in big trouble with potential jail time, it's going to make everybody stop pointing vulnerabilities out and all that means is that the bad guys are the only ones doing it because they don't care about the law," he says. "It's a balance. You want to have a way for good people in the world to not feel like they're going to jail for pointing out something wrong that a company is doing, whether they know it or not."

But the unusual nature of the case and the legal resources of the journalists' news organization could potentially help set a new precedence of its own. According to Ford, the experience of of the Scripps journalists is very dissimilar to the typical researcher because of the professional backstop journalists have in this instance.

"This is a good example of what researchers deal with all the time, the only difference is they don't have the backing of a strong media arm to protect them," Ford says. "There's also a certain amount of protection afforded to members of the press compared to some random Joe Schmuck hacker dude that's trying to say 'I found something, I'm worried for you and I want you to know about this.' When they say, 'what are you talking about, I'm going to sue you,' the journalist says 'I'm going to quote you. Thank you.' There's some level of accountability when you say something like that to a member of the press."

Robert "Rsnake" Hansen agrees that there's a contrast between a journalist's experience disclosing and a traditional security researcher's struggle. He thinks it underscores the difficulties many independent researchers face in order to be heard.

"Precisely because he's a member of the press, it makes it naturally not like every other researcher," says Hansen, Black Hat Review Board member and a long-time fixture in the security research community. "Someone who writes for a magazine or whatever can really shape the conversation in a way that some researcher who may not even speak English very well is trying to explain some very complex thing, and explain a history with a company that may be extremely complicated."

However, if this case does go anywhere, it could potentially benefit the research community if it brings enough attention to the lowlights of the legal framework around computer manipulation and ethical hacking. A big part of the problem is even legally defining what hacking really is.

"My personal definition of hacking is if you can find it through a Google search and it's out there open to the public, that's not really hacking because you're not specifically manipulating the system based on a security weakness to get the information out of it. But that's not necessarily what the law says," Maiffret says. "The law has definitely not evolved with the rate of innovation and the changing of how society is communicating and data is flowing."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/23/2013 | 5:19:49 PM
re: 'Hacking' Journalists Case Dredges Up Security Research Legal Debates
One question to consider here is did the reporters post the information on line for others to exploit or did they write their story and attempt to get the owner of the data to secure it? If they are not attempting to mis-use the data and informed the owner prior to their story then they probably didn't commit a crime (this is for the lawyers to fight over). If however they wrote the story showing where the data was and left the company out to hang then you must wonder what their true motivations were.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-27
checkpath in OpenRC through 0.42.1 might allow local users to take ownership of arbitrary files because a non-terminal path component can be a symlink.
PUBLISHED: 2020-10-26
libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a non-random/predictable session_id.
PUBLISHED: 2020-10-26
An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application usi...
PUBLISHED: 2020-10-26
Ruckus through is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.
PUBLISHED: 2020-10-26
Ruckus vRioT through has an API backdoor that is hardcoded into validate_token.py. An unauthenticated attacker can interact with the service API by using a backdoor value as the Authorization header.