From Chris Cope – Advent IM Security Consultant
What’s the difference between a ‘white hat’ security researcher and a hacker? As a general rule of thumb, if someone discovers a vulnerability on your system and informs you (without undertaking any unauthorised or unlawful activity in the process) then a ‘thank you’ is generally considered to be in order. There are numerous ‘white hat’ researchers who trawl software and internet sites, detecting vulnerabilities and alerting the appropriate owners or developers. Many companies have benefited from a quiet advisory and it’s reasonable to suggest that without ‘white hats’, the policy of releasing software and patching later, adopted by many vendors, would be severely undermined.
So why is a white hat researcher, Chris Vickery to be precise, in the news? Mr Vickery discovered a database on a website. The website belongs to a company called uKnowKids, which provides a parental monitoring service for your technology-savvy children. The database contained an array of information that the company did not want to be made public, including, in the words of the BBC, ‘detailed child profiles’. However, the company claims that the information was not personal data and no customer information was at risk. Mr Vickery was able to access the database and take screenshots, which were sent to the company as proof of the vulnerability. However, rather than thank him, the company accused Mr Vickery of risking their continued viability and claimed that his access was unauthorised. By Mr Vickery’s account, the database was in a publicly accessible area and had no access controls in place.
Since the notification, uKnowKids has patched the vulnerability.
So what can we take from this? uKnowKids obviously intended for the database to remain private. Under UK law, Intellectual Property rights provide protection for confidential information, but there is one pretty fundamental requirement – the information needs to be protected. Placing a database on a publicly accessible internet page without protection is akin to leaving a sensitive file in paper format on a train. Organisations shouldn’t be surprised if information left in such a public and insecure state is read by unintended third parties.
Before protecting information, an organisation needs to understand what information it holds, and what needs protecting. Once that is established, there are a variety of means that can be used to protect it: physical controls on physical copies, labelling of information, educating staff so they understand the required handling measures, and routine audits all form part of the basic protections required for all types of information. For electronic information, one also needs to consider technical measures such as access controls and encryption. When a database containing sensitive information must be placed in an area where it is accessible from outside the organisation, access to it must be very carefully controlled.
In this instance, the reputation of a company which holds intelligence on children could have been seriously undermined if a hostile breach had occurred, even without the loss of personal information. If personal information had been lost, then the financial implications could have been severe; increasingly so as new EU legislation on data protection comes into effect. So make sure that you fully understand your assets (including information) and what level of protection they require and, when designing controls, it’s important to ensure that the full range of countermeasures, including physical, personnel, procedural and technical, are considered, properly implemented and integrated. And if you do come across a public-spirited individual who warns you of a potential breach in your security, remember to say ‘thank you’.