
A report in the Sydney Morning Herald by Asher Moses is scary on so many levels, and not just because the police were called in to investigate.
When security consultant Patrick Webster pointed out a security flaw in the First State Super website (a super fund for NSW Government employees, including judges and police), the company responded by lawyering up on him.
To illustrate the flaw, imagine all of your personal information laid out on a single web page: address, date of birth, employer details, some financial information including every super payment received, and possibly bank account details.
The only protection was obscurity. The personal data was not encrypted, and the page that shows a statement of account took the super account number straight from the URL. Changing that number was enough to view someone else's account, because the site never checked that the account belonged to the person requesting it.
Because the account number is numeric and in a fixed format, Mr Webster showed how simple it would be to write a script that steps through the number range and extracts the details of up to 770,000 members from the website.
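The flaw described above is an insecure direct object reference: the identifier in the URL is treated as proof of entitlement. The following is an added example, not First State Super's code, with constructed sample records and made-up helper names. It shows a handler that trusts the account number from the URL, the authorization check that closes the hole, and the kind of enumeration script the consultant described, so you can see how much each version gives away to a member who walks the number range.

```python
"""Added example (not the fund's code): an insecure direct object reference
like the one described above, beside the authorization check that closes it."""
from dataclasses import dataclass

# Constructed sample data: statements keyed by a fixed-width numeric account number.
STATEMENTS = {
    "00000123": {"member": "alice", "dob": "1970-01-01", "address": "1 Example St"},
    "00000124": {"member": "bob",   "dob": "1982-05-17", "address": "2 Example Ave"},
    "00000125": {"member": "carol", "dob": "1965-11-30", "address": "3 Example Rd"},
}


@dataclass(frozen=True)
class Session:
    """The logged-in member and the account numbers they are entitled to see."""
    member: str
    accounts: frozenset


def vulnerable_statement(session, account_number):
    """Before: the handler checks that *someone* is logged in, then serves
    whatever account number arrived in the URL. Returns (status, record)."""
    if session is None:
        return 401, None
    record = STATEMENTS.get(account_number)
    return (200, record) if record else (404, None)


def hardened_statement(session, account_number):
    """After: the object reference is honoured only if the session owns it.
    Unowned and non-existent accounts get the same response, so the status
    code cannot be used to confirm which numbers exist."""
    if session is None:
        return 401, None
    if account_number not in session.accounts:
        return 404, None
    record = STATEMENTS.get(account_number)
    return (200, record) if record else (404, None)


def enumerate_statements(handler, session, start, count, width=8):
    """The script the consultant described: step through a numeric range in
    fixed-width form and keep every statement the handler hands back."""
    leaked = {}
    for n in range(start, start + count):
        number = f"{n:0{width}d}"
        status, record = handler(session, number)
        if status == 200:
            leaked[number] = record
    return leaked


if __name__ == "__main__":
    bob = Session("bob", frozenset({"00000124"}))
    print("vulnerable:", sorted(enumerate_statements(vulnerable_statement, bob, 100, 50)))
    print("hardened:  ", sorted(enumerate_statements(hardened_statement, bob, 100, 50)))
```

The point of the hardened version is that the fix is an ownership check on every request, not a longer or less guessable account number. Returning the same 404 for "not yours" and "does not exist" is a deliberate choice: a distinct 403 would still let an enumeration script map out which account numbers are live.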
Mr Webster did First State Super a service, and was initially thanked by someone in IT support for pointing out the issue. However, when management caught wind of it, they set police and legal investigations in motion.
From the SMH article:
When Patrick Webster told First State Super he found a flaw exposing the personal details of its 770,000 members – including NSW Police officers, politicians and magistrates – he thought he was doing a good deed.
But before long, Webster, a private security consultant, received a knock on the door from police and a legal letter from the superannuation firm threatening legal action. First State Super has disabled his account, asked to check his computers and said he may be liable for any costs in fixing the breach.
Companies need to take security seriously. The system used by First State is the equivalent of riding a bike naked and hoping nobody notices. The identity theft repercussions alone would have been devastating.

Webster was also ordered to destroy all of the records he had accessed, and notified that the firm reserved its right to have its IT personnel examine his computer to verify that the records had been destroyed. The firm said it may go after him for costs related to the matter. He was given seven days to respond and asked to sign a letter admitting to having gained "unauthorised access".

This excessive use of legal process to paper over a stupid security flaw has a chilling effect on the next person who finds a security flaw in a web system. If Mr Webster had taken advantage of the information (either financially or for identity theft), I would have no issue with people throwing the book at him. However, what he did was prevent the exploitation of a virtually open system. Security consultants should have some "no risk notification" channel that allows site vulnerabilities to be reported without fear of reprisal. Otherwise, we might as well open up the databases to the scammers and thieves.
Read more: http://www.smh.com.au/it-pro/security-it/super-bad-first-state-set-police-on-man-who-showed-them-how–770000-accounts-could-be-ripped-off-20111018-1lvx1.html#ixzz1b6rhniKB

Disgusting, to say the least. And here I thought grown-ups are supposed to take responsibility for their own mistakes. Webster did them a HUGE favor, imagine if one of the thousands of online crime syndicates had gotten hold of this…. absolute chaos. Shame on you, First State!!
As another thought: does anyone notice the similarities between how Webster was treated by the authorities, and the case of the two year old run over in China? No one wanted to help the toddler, because they would be held liable. All the police / First State have done is forced people to not execute their duty of care for fear of being held liable. Australian society being forced into the same direction as the disgusting Chinese one.
Almost. Sometimes ignorance comes into play as well.
The run-around Asher talks about before an IT person got involved shows that there is a lack of IT knowledge throughout the organisation.
It could also be denial of cause. Either way, the end result is putting an open database online and the overreaction shows someone there at a high/board level needs to be even mildly competent in IT matters, because they are not now