Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security IT

Security Researcher Threatened With Vulnerability Repair Bill 231

mask.of.sanity writes "A security consultant who quietly tipped off an Australian superannuation fund about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat demanding he allow the company access to his computer, and warned he may be forced to pay the cost of fixing the flaw. A legal document (PDF) sent from the company demanded that the researcher provide its technical staff with access to his computer. The company acknowledged the researcher's work was altruistic and thanked him for his efforts, but warned that the disclosure, which was not previously made public, may have breached Australian law. The researcher had run a batch file to access about 500 accounts, which was then handed to the company to demonstrate the direct object reference vulnerability."
This discussion has been archived. No new comments can be posted.

Security Researcher Threatened With Vulnerability Repair Bill

Comments Filter:
  • Lesson learned (Score:5, Insightful)

    by nurb432 ( 527695 ) on Friday October 14, 2011 @05:05PM (#37719070) Homepage Journal

    If you find a vulnerability, don't tell the people at risk, sell it or use it.

    Either that or move to a less stupid country.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      More like you need to extend whistleblower protection for security researchers disclosing vulnerabilities. However, the guy basically admitted to unlawful access of their system in order to prove the vulnerability existed, which in ethical circles is a big no-no.

      • He had increased a numerical value in a URL used to access his statement by one digit and was granted access to a former colleagues' account.

        but any ways that is just like having a open door and all you need to do is to go though the door next to the that is your door.

        • by blair1q ( 305137 )

          Accidentally walking into a neighbor's apartment is an accident.

          Doing it repeatedly because now you know they leave the door unlocked is a crime.

          • You discover that the lock on your apartment door is broken, so you check your neighbour and his is broken too, then you check everyone on the hallway and find out that they're all unlocked because the locks are broken, so you report it to the landlord.

            Would you expect to be sued for trespassing on all of your neighbours?

            • well the landlord can sue you to cover the costs so it's blame the person who found the broken locks.

            • by blair1q ( 305137 )

              Why would I check my neighbor's lock because mine is broken?

              Let's make it a closer analogy:

              I walk up to my door, open it, and discover it's not my apartment. Oops. It's my neighbor's and it should have been locked.

              Then I think, what about the others? So I start jiggling knobs, and a cop walks around the corner and catches me at it.

              You think he'll believe me when I say I was just checking locks? And was I right to try to find all the unlocked doors on the floor just because my neighbor's is unlocked?

              • by Onymous Coward ( 97719 ) on Friday October 14, 2011 @07:18PM (#37720416) Homepage

                That's your idea of a closer analogy? I daresay you are biased and painting things with deceptive license.

                Let's make an honestly closer analogy:

                When opening my apartment door I notice that my key has the apartment number written on it in a special way. Being a locksmith, I get an idea: Does the fancy lock just read the number to determine if the key's good? Because that would be bad. In the same style, I write a different number on my key, the number of my neighbor's apartment, and try it there. It works. We have a problem. I check the whole floor -- all vulnerable to this silliness.

                I call up my locksmith friend and tell him how stupid this is. We have a good laugh and talk about what I should do. The next day I call the apartment manager, explain we've got a real problem, and I tell him what I did. I even walked his handyman through the steps so they could clearly understand. The manager has the problem fixed the next day. Job done, right?

                The thing is, the super sends the cops to talk with me. With my having been a locksmith contractor to the same police force, it went okay, but it left me shaken. I mean, I talked with the super directly and gave him all my contact info. He knows who I am. Why send the cops?

                Later on, the apartment manager sends a notice [risky.biz] to everyone in the building, telling them there was a security problem, but it's fixed, and he sincerely apologizes. In particular he says:

                It has come to our attention that a resident of our building devised a way to open your door. Access to your apartment was limited and rectified immediately.

                Please note: This incident was not the result of a targeted attempt to access your apartment. This resident alerted us to the ability to open your lock and advised that your door was only opened when testing the security of his own apartment. The member advised that he has not taken pictures of your apartment or taken any items.

                And now they've sent me a letter [haymarket.net.au] telling me they had to inform the police about how I got into the other apartments because it could be a criminal act; that tell me they've locked me out of my apartment; they say they had to spend money to fix this whole lock problem because of me — the nerve! — they say they have the right to get the money it took to fix their problem from me — what! — they say that they want complete access my keys, pens, desk, and tools; and they say that they want me never to look for security problems in the building again.

                Your darn tootin'! If this is the thanks I get! Some people!

            • You discover that the lock on your apartment door is broken, so you check your neighbour and his is broken too, then you check everyone on the hallway and find out that they're all unlocked because the locks are broken, so you report it to the landlord.

              Would you expect to be sued for trespassing on all of your neighbours?

              If you just turned the knob and didn't open the door, then no. If you entered the apartment and wrote down descriptions of their furnishing to prove you'd been there, they'd probably charge you with trespassing. No different here. He should have just reported the vulnerability instead of writing a script to download personal information from other accounts.

              Under many US laws, he committed a crime. If the info he downloaded was subject to HIPPA or other regulatory laws, the company has the right to subpe

        • by AHuxley ( 892839 )
          Australia had such weak computer security laws in the past that they had to make any attempt i.e. URL rewrite equal to more creative attempts.
          Add in the reality that Australian lawyers are well trained, the old trespass like laws did not really hold up well in court.
          So federal law is now very clear- don't play with other peoples computer, data, url ect.
      • What I'd like to know is who he told that wasn't entitled to know about it.

        If the guy told the same network as the one he found the breach in, how is that a violation of privacy?

        We need to know more about whose network he discovered to have an exploit, and who exactly he told about it.

      • Re: (Score:3, Insightful)

        He used the appropriate amount of force, we all know these companies would not rush to fix it unless there was a known exploit ripping them to bits.

        If he didn't show an exploit the company would most likely have claimed it was only "theoretically possible". Especially when all that was required was:

        He had increased a numerical value in a URL used to access his statement by one digit and was granted access to a former colleagues' account.

        Complete lack of authentication seems the culprit here, does that make google, yahoo, bing, etc potentially guilty as well? They could have come across it as well (hopefully this company knows about robots.txt),

    • Re:Lesson learned (Score:4, Insightful)

      by interkin3tic ( 1469267 ) on Friday October 14, 2011 @07:34PM (#37720544)

      Either that or move to a less stupid country.

      "Shoot the messenger" transcends national boundaries. You really want to find a less stupid PLANET to live on.

    • If you find a vulnerability, don't tell the people at risk, sell it or use it.

      Either that or move to a less stupid country.

      I'd almost say: "Name the country and I'll be packing."

      It can't be the land my mother and I left. It also can't be the country I found my SO. It surely isn't the state I'm living now.

      Take it from me that the country should be improved and not simply discarded as if it were a modern day employee.

    • by Z00L00K ( 682162 )

      Or publish it on 4chan or as an AC on Slashdot.

      Then you will find enough hackers to really get an interesting result.

  • by nedlohs ( 1335013 ) on Friday October 14, 2011 @05:10PM (#37719124)

    If you are going to access 500 accounts you don't then report the problem with your name attached. Even if said access is just changing a number in a url because they have a retarded system.

    • The "right" thing to do as per the old internet standard is to publish it as a 0 day hack and then let the company fix it themselves.

      1. It's the companies systems and they are responsible not you
      2. Hacking is illegal
      3. This is what happens when you try to reason with sheep who just don't get it

      If this was a 0 day currently, it would have probably been patched already and no legal action threat would occur.

      Also, at least in the states there are no circumstances a private entity can look at any of my informat

      • The "right" thing to do as per the old internet standard is to publish it as a 0 day hack and then let the company fix it themselves.

        1. It's the companies systems and they are responsible not you 2. Hacking is illegal 3. This is what happens when you try to reason with sheep who just don't get it

        If this was a 0 day currently, it would have probably been patched already and no legal action threat would occur.

        Also, at least in the states there are no circumstances a private entity can look at any of my information, it can contact law enforcement, and they can seize the computer, but otherwise SOL and that's the way it should be.

        Just goes to show, no good dead goes unpunished.

    • Re: (Score:3, Interesting)

      by Mathinker ( 909784 )

      > said access is just changing a number in a url because they have a retarded system

      I wonder just how many of us have come across such idiocies. I know I have, and yes, I didn't report it because the probability that I would get into trouble by doing so was greater than the damage of email addresses being leaked or having a few people getting their bulk email subscriptions erroneously canceled (it was a company which took care of mass emailing for quite a few clients, including a prestigious scientific j

      • Re:Obviously (Score:5, Interesting)

        by hawguy ( 1600213 ) on Friday October 14, 2011 @05:45PM (#37719564)

        I wonder just how many of us have come across such idiocies.

        I came across one long ago, back when the internet was more open and trusting - a discovered that a remote server had its root filesystem opened to the world via an NFS export. I emailed the administrator for the server and he said "No worries, you may be able to mount it but file permissions prevent you from doing anything unless you have an account on that server". So I emailed back and said that *any* root user on any server could get full access (this was before the root user was routinely mapped to uid nobody). He said "No, if you're not root on my server you can't get access". So I mounted it read-write from my computer, did a "touch /etc/i_have_access" and told him to look at the file I just created.

        He thanked me and stopped exporting the filesystem. If I did that nowadays, I'd likely be facing charges for hacking.

        • I still run into Unix and Linux admins who don't understand how NFS (non-)authentication works. It's a retarded system that blindly trusts the user to state their identity and group membership (uid/gid) and there are no credentials involved at all. These guys usually have norootsquash enabled which makes it even worse.

      • by arth1 ( 260657 )

        I wonder just how many of us have come across such idiocies. I know I have,

        I took a look at my cookie hive one day. Not just who set what cookies, but what they actually contained. There were several that "authorized" (if you can call it that) by a simple and relatively low number. No hash, no corresponding key, nope. Just a number in a cookie to bypass a login. Change it, and Bob's your uncle.

  • by magsol ( 1406749 ) on Friday October 14, 2011 @05:13PM (#37719164) Journal
    No good deed goes unpunished.

    Being punished for doing the right thing tends to bias people towards hiding this sort of information, which would imply that your vulnerability isn't made public until someone slightly less kind happens upon it. Which is apparently the way these folks would prefer it be made public.
  • If you find a vulnerability, disclose it. Publicly.

    And yes, I work in Information Security. Vulnerability Management even. Go figure.

    • Re:Full-Disclosure (Score:4, Insightful)

      by Hatta ( 162192 ) on Friday October 14, 2011 @05:30PM (#37719368) Journal

      If you find a vulnerability, disclose it. Publicly.

      and anonymously.

    • If you find a vulnerability, disclose it. Publicly.

      And yes, I work in Information Security. Vulnerability Management even. Go figure.

      At least be ethical and anonymously tell the company first and give them a chance to fix it themselves. If they ignore it, then consider a public announcement. Otherwise you're no better than the criminals, legally or ethically.

      • Re-posting because I forgot to login:

        In a perfect World that would work, and Companies would notify their customers of the threat and come up with a game plan to mitigate the vulnerability.

        In the real World Companies aren't going to do Jack Schitt unless their hand is forced.

        And for me, as the Customer, I'd much rather know that a threat exists so *I* can be proactive and try to mitigate the threat than rely on some Company sitting on a vulnerability for months and years while they devise a patch or hotfix

  • Next time leave the whoresons to get fucked through their vulnerability by ill-intentioned black hats rather than warning them.

    they deserve it. really.
    • I concur. People like those are why you have to ask before saving someone from choking. Fuck 'em. And honestly, what's the point or informing them that their code is shitty. It isn't as if they are an OSS project. They are a private company, and they should either pay you, or get hacked and lose customers. The is the free market. Only a filthy socialist would do it for free.
    • by deniable ( 76198 )
      Except he's a member of the fund and they've already admitted that they use money in the fund to fix these things. Unless the members file a suit for negligence (good luck) he'll be out of pocket when they get violated.
  • by bmo ( 77928 ) on Friday October 14, 2011 @05:17PM (#37719214)

    In meatspace, there are Good Samaritan laws that say that if you help someone who is in danger, you are not to be sued. Pulling someone from a burning car is not something that should bankrupt the rescuer.

    We need this for e-space.

    If you find a flaw and report it to appropriate people, you should not become a target because you made someone look bad.

    The alternative is to never report a flaw. And no, the argument that you can do it anonymously is bullshit too, because people will fuck that up like they already do.

    --
    BMO

    • by fyngyrz ( 762201 )

      The problem is legislation written by idiots, abused by lawyers (but I repeat myself), and then the dance of arbitrary abuse performed by the judiciary. There is nothing so dangerous as poorly written law, and in my experience, almost all law is poorly written.

      • They're not idiots.

        They just don't work for the voters that supposedly are supposed to decide whether or not they get into office.

        It's an issue of loyalty, not competence.

    • No one would looked bad if they didn't sue the guy, since this story wouldn't even been published but when they filed that suit against him now everyone knows how much of A-holes this company is to a person that saved them a massive PR nightmare.
      • by bmo ( 77928 )

        >No one would looked bad if they didn't sue the guy,

        You misunderstand what I meant about who is looking bad. This is the result of someone within the organization attempting to cover his ass by blaming the messenger and convincing the lawyers that it's not his fault.

        Because if he didn't, he'd look bad to his bosses.

        That's why all this is happening, and since shit rolls downhill and there is no protection for people like the researcher, guess who gets squashed like a bug by the corp?

        >Flaw
        >Researche

        • by cshark ( 673578 )

          Sometimes, it really seems like no good deed goes unpunished.

          If one of the good guys gives you information to help you fix your systems when they're obviously broken, and you bite their hand... the consequence is that fewer good guys will be willing to do it. So, if you follow this slippery slope argument to it's conclusion; you're pretty much left with the bad guys being the only people who are willing to break into your obviously broken server. And, then there are no warnings. There are no second chances.

    • Ironically, Good Samaritan laws in Ohio don't apply to health care professionals because they're supposed to know what to do.

      Translating to e-space, a security consultant could be liable to malpractice. However, this consultant still did the right thing, so there are no grounds for causing him trouble.
    • That's not entirely true. Rendering CPR to an unconscious victim can and has gotten people sued.
  • by Nom du Keyboard ( 633989 ) on Friday October 14, 2011 @05:20PM (#37719252)

    “Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar's systems, your actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.

    What the hell kind of logic is that? If this stands then every independent security researcher ought to leave Down Under at once and leave them to find out that White Hats != Black Hats through direct and painful experience. What a bunch of jokers.

    • by deniable ( 76198 )
      I wonder if NSW does the 'accessory / facilitator' thing where if you help the criminal you get charged with the same crime. The provider can be a co-defendant.
  • The summary says that he "run a batch file to access 500 accounts", but there's no mention of that in TFA. According to that article "Webster notified his colleague and contacted Adam Jarrett of Pillar hours later and informed them of the vulnerability and that he had not accessed other accounts or retained customer data."

    So which is it? This is a pretty critical part of the story that seems to be missing. The linked article seems to indicate that the researcher simply found the one issue and quickly
    • by julesh ( 229690 )

      And how would the company have found out about that anyway?

      Theoretically, if he had, his requests would be in their access logs...

    • by RichMan ( 8097 )

      "run a batch file" and simply modifying a URL likely means something like a simple script around wget or something equally trivial

      for (i=0;i500;i++)
            wget -O dump${i} http:///url/long/user=${i}
      end

    • by ark1 ( 873448 )
      The PDF has a sentence which hints that he may have submitted a proof of concept that accessed approx 568 statements.
    • 568 accounts to be exact.
      http://i.haymarket.net.au/News/20111014034645_FSS-Solicitors_Redacted.pdf [haymarket.net.au]

      Try clicking a few of the links in TFA next time. Or were you surprised that the summary actually included more than just a paraphrasing of the original article?

  • Companies don't want to know. Literally. If they know, it increases their liability for doing nothing in the event of a problem.

    • by Joe U ( 443617 )

      After the first letter, kindly explain that you're going to take out a full page advertisement explaining how company doesn't care about user data. Make sure to mention identity theft.

      • Make sure you're ready for some time in jail for blackmail, too, if you follow that route. The only thing worse than reporting this sort of data the nice way is to report it in a way that's threatening.

        • by Joe U ( 443617 )

          Make sure you're ready for some time in jail for blackmail, too, if you follow that route.

          Last time I checked, blackmail involves money. 'I'll tell lots of people about your horrible security record if you threaten to sue me' is not blackmail.

      • by deniable ( 76198 )
        No need for advertising. Just copy ASIC, the privacy commissioner and some MPs into the correspondence. If that goes nowhere get a bored journalist to ask the government bodies what they're doing about this issue. Cheap, effective and puts the heat on people with legal protection.
  • No good deed goes unpunished
  • by mounthood ( 993037 ) on Friday October 14, 2011 @05:37PM (#37719458)

    The rule should be: Disclosure Guarantees Immunity

    This would lead to some abuse, but it would also lead to disclosure, which is the only way we're going to develop a secure internet. A federal agency could take the reports to keep both sides honest. Immunity could be granted only for what's reported so if people leave something out to hide their malfeasance it wouldn't be covered under immunity. Reports could even be done anonymously if there's an intervening agency.

    • So if I disclose all your bank password, would that make me immune ?
      I agree in part, but it is a problem.

      If as a delivery dude, I find your key under the front door mat, can I make a 1000 copies and drop them off all over the city with your address to teach you to be safer ?

      I am genuinely asking, I don't have the answer.

      If I simply return your key, and you keep putting it under the mat, then what do I do.
      • by Rennt ( 582550 )

        Bad analogy. If I choose to leave my key under my door mat, that is none of your god damn business.

        Now, if I am a locksmith and I leave copies of all my client's keys just lying around unsecured, that's a different story.

    • No, it should be this:

      "Unauthorised access, with full disclosure, and without intent to illegally make use of accessed data, should not be illegal."

      Say for instance, somebody pen tested sony before the PSN hack-a-thon, pulled some demonstration data to prove the exploit was live, and forwarded it to sony's IT staff, asking them to inform the impacted users of the breach and to please fix the exploit.

      That should be legal.

      If they did the above, but neglected to mention that they vacuumed up 10,000 credit card

  • It took a lot of work to delete all references to "ass" and "douchebag".
    Ehud

    Dear Maged,

    I read with interest your letter to Patrick Webster copied at
    http://i.haymarket.net.au/News/20111014034645_FSS-Solicitors_Redacted.pdf [haymarket.net.au]

    Mr. Webster informed your client of a security flaw in their software that allows
    access to members' confidential and financial information. He did so in accordance
    with accepted business principles of Full and Open Disclosure.

    Your response shows that your law firm clearly lacks an understan

    • You might also want to read the law before you accuse them of being ignorant of it. They are absolutely correct that his actions violate the law. I doubt the police will pursue it unless there is some malicious intent shown.

      http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308h.html [austlii.edu.au]

  • If I were a "security researcher" I wouldn't offer anything to anyone unsolicited. Fuck 'em. Fuck ALL of 'em.

    The only way to punish these cocksuckers is to NOT look for any credit, expose their vulns, then laugh quietly as they are exploited.

  • The problem is, the guy admits to accessing their system and obtaining documents that he should not have been able to get. He says "Here are 500 samples".

    What is the first thing that should occur to someone? Well, how about if he accessed 1000 and is planning on ransoming off the information of the 500 he didn't tell anyone about? Why do you think they want to see his computer? Unfortunately, anyone clever enough to do this would have moved the other 500 somewhere isolated that they would have to tear his house apart to get. Like on a microSD card sewn into a stuffed animal.

    See, he has zero credibility here. He can say "But I only took 500! I swear it!" and it does no good. Even searching his house doesn't generate any credibility, it only says they didn't find what they were looking for. Checking his computer only proves that if he has criminal intent that he isn't stupid about it. Since many (most?) criminals are stupid, not finding something on the computer actually does say something ... just not much.

    The real question is how much would other records be worth to the subject of those records and how much would it be worth on the open market? If you could take a record and turn it into some cash - presumably by drawing on the assets of the subject of the record - then you have a pretty clear idea of the worth. Even if the value was only privacy there might be some monetary value that you could get from the records. Then you have to either make the records irrelevant or you have to watch this guy for the rest of his life to see if he suddenly comes into a lot of money.

    • They can't simply look at their server logs and see what pages were served up to his IP address?

    • I can clearly see a need for the researcher to collect "unauthorized data".

      Say for instance, white hats had to pen test only their own systems. A whitehat determines that XYZ corp's client accounts package exhibits a vulnerability when $Foo conditions are true. He sends this finding to XYZ, and also to $MultinationalCorp who uses XYZ.

      $MultinationalCorp responds to the private disclosure, thanking them for the effort, and "affirming" that their implementation of XYZ client portal is not configured $Foo, an

  • by Charliemopps ( 1157495 ) on Friday October 14, 2011 @06:31PM (#37720034)
    This is why you make your findings public. Stupid companies like this deserve the result.
  • by The Archon V2.0 ( 782634 ) on Friday October 14, 2011 @06:36PM (#37720068)
    Less than a year ago I found a similar (though not quite as grievous) flaw in a Kickstarter-like website when I mistyped the URL to my own profile page. I grabbed a handful of info with it; just a few random accounts to proof-of-concept automated grabbing, the technique for which I made note of in an e-mail to their support address. Also, I got the e-mail address of user #1 (unsurprisingly, the implementer), whom I CCed the support e-mail. After a few e-mails of discussion about the precise nature of the flaw, I received a very grateful thank-you from the owner of the company and the head of IT, and the flaw was fixed within the hour despite it being the dead of night in their HQ's time zone. When I see stuff like this, though, it makes me wonder if the next time I trip across something like this I should do the same thing.
  • by FyberOptic ( 813904 ) on Friday October 14, 2011 @06:50PM (#37720194)

    "Oh thank you sir for finding my wallet! Now please let me search your house to make sure you didn't take anything of mine."

  • ladies and gentlemen is why you put the vulnerability on the internet, anonymously.

    At least the fear of being exploited will put proper security in peoples mind...then eventually maybe we can get people who actually understand security in charge of security.

  • by fenris60 ( 925596 ) on Friday October 14, 2011 @07:25PM (#37720478)
    In a previous life I worked for an Australian law firm in their financial services division (not Maged's firm thank god). From Maged's profile you can clearly see he is an expert in superannuation law http://www.minterellison.com/People/maged_girgis/ [minterellison.com]. I can say, with 99% certainty, that he has no practical experience in how section 308H of the Crimes Act and section 478.1 of the Criminal Code Act work. I don't claim to either. But the modus operandi of these law firms is that when a big client comes in with a weird request they get a junior lawyer (or crack team of junior lawyers if the billing is low for that month) who doesn't know much about anything to do some "research" and draft a threatening letter based on a few hours of reading some textbooks and legal databases.

    It is possible that the fund does have a right to recover "costs incurred" under pure contract law, although you would have to read the terms and conditions of whatever product Mr Jarrett has with the fund very carefully. But I would think they should be more worried with Mr Jarrett reporting them to the Australian Privacy Commissioner for breach of the privacy principles in relation to the funds obligations to keep personal information secure. I also wouldn't rule out a breach of standards set by APRA (Australia's banking regulator).

    Another funny thing to note is that at the rates which Minter Ellison charges, the cost of getting Maged's junior lawyer to write that letter is likely to be far more than the cost of any actions the trustee of the Fund actually needed to take to deal with the problem!

    I could go on, but I'm worried they might track me down and start sending me random threats and try to access my computer.
  • Perhaps if they get enough negative feedback, they'll drop the threatening postures and lawsuits...

    http://www.firststatesuper.com.au/EmailEnquiries [firststatesuper.com.au]
  • Strange how most people seem to be forgetting this very simple yet very pertinent fact.

    This fund had been making his personal and financial details publicly available!

  • by X86Daddy ( 446356 ) on Friday October 14, 2011 @09:14PM (#37721180) Journal

    You go to a web cafe and post it on 4chan, as Anonymous of course. That is what the system has encouraged.

  • by aushack ( 2485288 ) on Saturday October 15, 2011 @12:08AM (#37721986)
    Hello, I am Patrick. I cannot reproduce the email their staff replied with, except it says something along the lines of thank you for raising this matter for our attention and that is was fixed within an hour or two. Below is my email to them, with certain parts redacted, which includes the heavily debated script. The email was a follow up after a lengthy discussion with staff and they were most thankful for the call. I'm publishing this just so that you are better informed and can form your own opinions based on this. From: Patrick Webster [mailto:patrick@osisecurity.com.au] Sent: Thursday, 22 September 2011 1:26 PM To: [REDACTED] Subject: Privacy breach in pillar.com.au website Hello [REDACTED], Thanks for taking the time to speak with me today. As mentioned, I am a FSS member from my time a NSW Police Force. My personal background is in IT Security and I am the owner of OSI Security (www.osisecurity.com.au). You're welcome to see my personal history at http://www.linkedin.com/in/patrickwebster [linkedin.com] - the past 10 or 11 years I have been working in securing information systems etc, which is how I came across this bug. Yesterday, I received the FSS email notification to download my member statement. So I logged in to the pillar / FSS members portal and went to statements and clicked to download the statement, which is in PDF format. My *personal* statement is at https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D8&page=0 [pillar.com.au] You're welcome to have a look (I have [REDACTED] in super, yay). So after I saw my statement I noticed the 'documentId' number and, based on my security background, I have natural concerns my information is stored securely. So I incremented the number to see what happens (expecting to be rejected); I.e. https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D8&page=0 [pillar.com.au] becomes https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D9&page=0 [pillar.com.au] Amazingly (and coincidentally I might add) the statement I downloaded is my former colleague at [REDACTED] (if you look at my LinkedIn profile and see my connections you will see that we are connected). I then did a random spot test to see if it worked for any number, which indeed it did. I quickly wrote a linux bash script to enumerate documentId numbers and discovered it worked. Script source is below: #!/bin/bash #[REDACTED] for i in {[REDACTED]..[REDACTED]} do echo $i wget "https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-$i&page=0" --no-cookies --header "Cookie: [REDACTED]" done You can see the script runs from [REDACTED]..[REDACTED] in member numbers (just a guess on my part) and then tells the wget software to fetch the documentId with the 'for loop' number which is $i. I was then able to download every member statement, including my own of course. Naturally I find this extremely concerning so contacted you today (I found this around 9pm last night). All the data I obtained has been destroyed / deleted but validated my concerns. Ideally the pillar website should generate some kind of hash (such as member ID + unique salt = 'documentId') instead of a direct object reference. See: https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References [owasp.org] That is about it... if you have any questions please contact me via email or details below. Kind Regards, Patrick Webster ...
  • by indaba ( 32226 ) on Saturday October 15, 2011 @02:08AM (#37722340)
    From SALTER v DPP [2008] NSWSC 1325 (5 December 2008)
    http://www.austlii.edu.au/au/cases/nsw/NSWSC/2008/1325.html [austlii.edu.au]

    13 Counsel appearing for the defendant drew attention to a number of prior decisions, albeit on different statutory provisions, those cases including Gilmour v Director of Public Prosecutions (Cth) (1995) 43 NSWLR 243, The Director of Public Prosecutions v Murdoch [1993] 1 VR 406 at 409,410. In that last mentioned case Hayne J said:-

    “... Where, as is the case here, the question is whether the entry was with permission, it will be important to identify the entry and to determine whether that entry was within the scope of the permission that had been given. If the permission was not subject to some express or implied limitation which excluded the entry from its scope, then the entry will be with lawful justification but if the permission was subject to an actual express or implied limitation which excluded the actual entry made, then the entry will be “without lawful authority to do so.” ...

    In my view the section requires attention to whether the particular entry in question was an entry that was made without lawful authority. In the case of a hacker it will be clear that he has no authority to enter the system. In the case of an employee the question will be whether that employee had authority to affect the entry with which he stands charged. If he has a general and unlimited permission to enter the system then no offence is proved. If however there are limits upon the permission given to him to enter that system it will be necessary to ask was the entry within the scope of that permission? If it was, then no offence was committed; if it was not, then he has entered the system without lawful authority to do so.”

    14 The passage has direct application to the situation here.

    15 Authorisation to use a computer or authorisation in an entirely different field of law may be general or it may be limited or it may be subject to conditions, and I do not believe that s 308B should be given an operation so as to set at nought that aspect of the general law. As Hayne J said in the passage to which I have referred:-

    “If there are limits upon the permission given, it will be necessary to ask was the entry within the scope of that permission?"

    ------- So, much will depend on the terms that governed the access to the website. Can these be posted ?

If you think nobody cares if you're alive, try missing a couple of car payments. -- Earl Wilson

Working...