Friday, 26 February 2016

How not to deal with your own incompetence

uKnowKids, which was already a creepy, dangerous firm, was recently told by white-hat researcher Chris Vickery that its database, jam-packed with detailed information about children, didn't even have password protection.  He was able to download texts, images and "detailed profiles" from, to and about kids without ever having to enter so much as a password.

He then told uKnowKids about it.  They didn't react well.
When Chris Vickery discovered the security risk and alerted uKnowKids, it accused him of hacking its systems.
Um.... and?  The issue isn't whether the site was 'hacked' (however they'd like to define the term). Every prominent site will be hacked sooner or later.  The issue is whether uKnowKids did everything reasonably possible to protect the data, and leaving a database full of children's data reachable from the internet with no password at all is not that.
The MacKeeper security expert said the database was not password protected. uKnowKids' chief executive Steve Woda put this down to "human error" saying a third-party had installed it.
Oh, well of course that's perfectly all right then.  Whoever installed it, the data was uKnowKids' to protect; outsourcing the setup does not outsource the responsibility.

Mr Woda's extraordinary lack of awareness continues.  Vickery deleted most of the data he'd downloaded but held on to a few screenshots as leverage in case the company didn't fix the problem (apparently it did).  Woda said:
"I have no animosity. I just wish he would have respected our customers' data."
I'd say that Vickery respected the data a shitload more than Woda did.
The row highlights the grey area in which ethical hackers operate - seeking out security weaknesses and vulnerabilities and informing the data owners rather than exploiting them. They typically act without obtaining consent in advance, and deal with very sensitive material.
There's no grey area. It's not the ethical hackers who are at fault here, it's the companies who refuse to learn from their mistakes.
"Anyone researching security has a duty of care," said cybersecurity expert Professor Alan Woodward from Surrey University.
I.... don't even know what that means.  Of course they don't. The duty of care rests with the people collecting and storing the data. If they do it wrong, it's their fault, not that of anyone pointing it out.
"As this data concerns children, I would have hoped that the researcher would have exercised great caution and acted in such a way that he was not adding to the risks of the data being copied into the wild - notwithstanding that the data was publicly visible anyway.
Me too, and apparently he did.  He quietly informed the firm that its security didn't exist. He didn't splash the news all over the web until after the problem was fixed. He put exactly nobody at risk, whereas uKnowKids certainly did. And it would certainly still be doing so if Vickery hadn't pointed it out.
"I think both sides in this story could have handled it better."
Bullshit. Vickery handled it just fine.  He told uKnowKids that their security was - to put it mildly - broken and they accused him of nefarious acts.

From the uKnowKids site:
uKnowKids Makes Parenting Easier, and Keeps Kids Safe Online and on the Mobile Phone 
uKnowKids has helped parents protect more than 260,000 kids in more than 50 countries around the world. 
Better than parental controls, uKnowKids is the world's leading parental intelligence service.
Not....particularly safe. It seems that the company has contributed significantly to the potential danger of the very children it claims to protect.  Fuck this kind of service anyway.  Spying on your kids will not keep them safe, and any service that offers to make parenting "easier" ought to be ashamed of itself.
