South of the Equator, a yawning security hole is swirling responsibility backwards to the bug finder.
It surely amounts to the Coriolis effect.
Yes, children, it’s true: In Australia, flushing insecure bugs out of the toilet drain of investment fund companies results in all the responsibility flowing counterclockwise, completely opposite to that of rational Northern Hemisphere nations where white-hat researchers are lauded and well-remunerated for uncovering ridiculously simple coding errors. (Or not.)
To wit: After Australian security researcher Patrick Webster recently alerted his investment fund First State Super of a glaring, blaring security lapse – a lapse so duh-licious, it ranks at #4 on OWASP’s top 10 list of application security risks – he was thanked with a legal threat and notice that he just might be billed for the security fix.
As brought to light by Patrick Gray on Risky.biz, First State Super’s law firm on Oct. 14 sent Webster a letter demanding that he turn over his computer.
According to Gray’s account, First State Super threatened to recover the costs incurred “in dealing with this matter” unless Webster agrees to delete all information he obtained by demonstrating the flaw and promises never to attempt to access other members’ information again.
Webster’s sin was to uncover the fact that his pension fund served logged-in members their online statements via what’s known as an insecure direct object reference: the statement’s identifier appeared directly in the browser URL, so any logged-in member could pull up other members’ statements simply by changing a single digit.
Webster says that he cooked up a script to demonstrate the flaw to the investment fund’s IT staff, downloading some 500 account statements and then promptly deleting the information in September.
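As an added illustration (not code from the article, from Webster, or from First State Super’s systems), here is a constructed model of the statement-lookup flaw described above, beside a hardened version that ties each record to the logged-in member and logs refusals; every name, id and record is made up:

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Statement:
    statement_id: int   # sequential id: this is what appeared in the URL
    member_id: int      # owner of the statement
    body: str

# Constructed sample records (not real data): consecutive ids, so changing
# one digit of a valid id lands on a neighbouring member's statement.
STATEMENTS: Dict[int, Statement] = {
    1001: Statement(1001, member_id=7, body="statement for member 7"),
    1002: Statement(1002, member_id=8, body="statement for member 8"),
}

class Forbidden(Exception):
    """Raised when the requested record does not belong to the session's member."""

def fetch_statement_vulnerable(session_member_id: int, statement_id: int) -> Statement:
    """Insecure direct object reference: being logged in is the only check,
    and the id taken from the URL is looked up as-is, whoever owns it."""
    return STATEMENTS[statement_id]

def fetch_statement_fixed(session_member_id: int, statement_id: int,
                          audit_log: List[str]) -> Statement:
    """Hardened handler: the record must be owned by the logged-in member.
    Unknown ids and other members' ids get the same refusal, so the response
    does not reveal which ids exist, and each refusal is written to an audit
    log where a run of refusals from one session stands out."""
    stmt = STATEMENTS.get(statement_id)
    if stmt is None or stmt.member_id != session_member_id:
        audit_log.append(f"DENY member={session_member_id} statement={statement_id}")
        raise Forbidden("statement not available to this member")
    return stmt

def count_denials(audit_log: List[str], member_id: int) -> int:
    """Simple detection: how many refusals one member's session has produced."""
    return sum(1 for line in audit_log if line.startswith(f"DENY member={member_id} "))
```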
Here’s the company’s rationale for not only closing his pension fund but also for potentially sending Webster the bill for the security fix:
Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar's systems, your actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.1 of the Criminal Code Act 1995 (Cth). You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police.
Further, as a member of the Fund, your online access is subject to the terms and conditions of use which are outlined on the Fund's website. Your unauthorised access also constitutes a breach of those terms and has caused the Trustee to expend member funds in dealing with this matter. Please note the Trustee has the right to seek recovery from you for the costs incurred in accordance with those terms.
[....]
In addition, the Trustee reserves its rights to require you to allow its IT personnel to examine your computer during business hours to verify that all data and records on your computer have been destroyed or deleted.
In the meantime, the Trustee has suspended your online access to the Member Section of the Fund's website.
No good deed goes unpunished. But one would hope that most good deeds go without prosecution against the good-deed-doer.
One would most fervently hope that most good deeds don’t result in companies that rate a No. 4 on the OWASP Lame-O-Meter sending lame-ass demands to punish those who would point out the insufficiency of their security practices. But one would be hoping in vain, evidently.
It’s ironic that this news crosses my desk on the same day that I had a conversation with Akamai’s Josh Corman about how, in these post-Anonymous days, we have arrived at a place where organizations are becoming more transparent about their victimization through security breaches.
“Looking across the swaths of security compromises both in the security and the non-security industries in the last 12-18 months… [and] watching incident response and public relation successes and failures,” Corman has noticed that the current state of predation by Anonymous, LulzSec et al. is forcing the industry to re-evaluate best practices for communicating breaches.
“I think there’s a shift from ‘keep quiet and hide it’ to more modern expectations from the installed base,” he said.
In other words, we’re seeing more transparency about what happened in a given security breach and how the situation was attended to. It’s an evolution to a new set of best practices in crisis management, Corman explained.
Are things better? More transparent? In the Northern Hemisphere? Not in Australia?
This isn’t even a question of lack of transparency, of course, not a question of a company going mum and hiding under a rock. No, this is a situation in which the company is hurling the rock at an innocent researcher’s head.
The Anonymous Coward remarked that the first thing you have to understand is that “Australia is hilariously backward when it comes to understanding communications, computers, and the internet.”
I don’t think Australia would agree with that.
But in this instance, something’s certainly flowing backwards.
And if Mr. Webster sets up a legal defense fund, let us all step forward and send a bit of coinage down under, in support of his efforts to point out a simple security error before people’s funds were compromised, and to attempt to rectify the cockeyed misdirection of police time and the backwards misflow of blame.
Update: First State Super has updated its website with a statement about the incident – notifying its broader customer base of the security issue – and explaining that it plans to take no further action against Webster.
Mr Webster – tell them to "suck my cock" and bring it on!!!!!
So much for trying to be a Good Samaritan 🙁
Grossly unfair! They should be thanking him with a parade! At the very least a fruit basket…
A giant FAIL to remember the maxim, "Don't kill the messenger!"
This is why I love LulzSec
And... Time to find a new investment firm! Preferably one that does a better job with net security!!
This story is about the rampant stupidity of suits (and their need to feed the lawyers), more than it is about hemispheric differences. There have certainly been lots of stories of this sort over the years here in the other half of the planet.
Words fail me… What a moronic way to solve a problem that should have never existed in the first place.
As a user of the fund, Mr. Webster should sue the bastards for not doing a good job protecting his data (and being a bunch of dicks).
It would appear that the super company and their outsourcer didn't conduct the very basics of web application testing, otherwise even "blind Freddy pen tester" would have found this simple bug. The error was so basic that in terms of low-hanging fruit, it actually dragged on the ground. Instead of persecuting Webster in this way, a simple thank you would have sufficed and they could have simply and quietly fixed the problem. By acting the way they did, they have displayed that they still live in a bygone era and have become a laughing stock the world over. Now all they can do is hang their heads in shame!
"First State Super appreciates that the actions of the person involved have allowed us to address an undetected weakness in our online security. Subject to his compliance and cooperation in ensuring that the unauthorised statements he downloaded have been destroyed, we have no intention of taking any other action against him."
Looks like they have come to their senses.
Outrageous. Infamously deplorable conduct by the Trustee and the Fund. It's not even minimally rational. If Mr. Webster were up to no good, why on Earth would he identify himself and openly describe what he had done?
The attack on Mr. Webster is an act of cowardice and a gross attempt at evasion of responsibility. HE didn't cause the problem; THEY did… and now they're trying to pin it on HIM? It would be laughable if it weren't such a monstrous injustice.
They're lucky he told them.
In this case Patrick's lesson should be "Don't do anything good, do something really bad. Post the info publicly and anonymously where anyone can access it." At least that seems to be how this dumb firm would rather have had it go.
Looks like investment banksters have the same lack of moral compass in Australia as they do in the US.
'via what's known as direct object reference, wherein other members' statements could be accessed by changing a single digit in the displayed browser URL.'
That vulnerability has been around since the Dawn of Man, and if First State Super were a high-profile company, thousands of others would have found and exploited it.
'Your unauthorised access also constitutes a breach of those terms and has caused the Trustee to expend member funds in dealing with this matter. Please note the Trustee has the right to seek recovery from you for the costs incurred in accordance with those terms.'
So in other words, the company hadn't spent any money, or made an effort, prior to this in securing the data from one of the oldest and most widely known vulnerabilities?
It sounds like Webster found it by entering the wrong URL entirely by accident, in which case the company could get prosecuted instead for incompetence and mismanagement of Webster's finances and personal information.
And this is why so many white hats went black hat back in the day!
Very easy to jump on one's soap box about this.
Most companies do not support any kind of "testing" of their vulnerabilities without their prior consent. I also believe that most people who are taught about penetration testing are told this.
Still, it's unfortunate that they reacted in this way when it was brought to their attention, rather than saying something to the effect of "thanks for bringing this to our attention, we'll check it out, but please don't try testing our site again without first checking with us."
While it would also have been nice to see the original letter, minus any sensitive information of course, I think it is also fair that as a customer of this company, he should have been quite right in being
Shame on you, First State Super.
Instead of appreciating Mr. Webster for being honest and explaining your vulnerability, you are taking action against him. This is where all TAFE College teachers hold their super, and he was one good student who promptly alerted you. The teachers are proud of him… what is wrong with your attitude?