Tuesday 28 May 2013

Investigative journalists threatened with felony for exposing security flaw

Investigative journalists with Scripps News Service have uncovered a major security lapse and, in the process, accessed the private data of tens of thousands of cell phone customers in the United States.

Scripps isn’t being hailed for exposing the error, though: telecom attorneys have accused its reporters of hacking into computers to obtain the records, a claim the reporters dispute.

According to the journalists, they uncovered the files using nothing more than a simple Google search.

Reporters with Scripps were investigating Lifeline, a government benefit program that provides low-income Americans with discounted phone service, when they came across the sensitive data.

“While looking into companies participating in the program, the Scripps News investigative team discovered more than 170,000 records posted online listing sensitive information such as Social Security numbers, home addresses and financial accounts of customers and applicants of Lifeline,” the news service wrote this week.

According to Scripps, Oklahoma-based TerraCom Inc. and an affiliate, YourTel America Inc., were until recently hosting around 170,000 such files on a publicly reachable web server, unencrypted, behind no login and indexed by Google, so that anyone who looked in the right spot could read them. The journalists say a basic query on Google.com was all it took to find them.

“A simple online search into TerraCom yielded a Lifeline application that had been filled out and was posted on a site operated by Call Centers India Inc., under contract for TerraCom and YourTel,” Scripps reported.

A follow-up Google search of that site by another journalist turned up a trove of documents hosted with no access control of any kind. From there, the reporters used a script to download the publicly available records and eventually held the entire trove without cracking a single password or impersonating an authorized user; every file was served to whoever requested its URL.

The reporters put the number of Lifeline applicants whose privacy was breached at around 44,000, spanning 18 states in the US.

Linda Mendez, a 51-year-old resident of San Antonio, Texas, was among the thousands of customers whose personal information was exposed by the lack of security. When Scripps showed her a completed TerraCom application, she was shocked.

“How can they make it so easy like this for people to steal somebody’s identity?” Mendez asked.

Scripps put the same question to TerraCom and got a surprise of its own. Shortly after the reporters presented their findings to the carrier, the files disappeared from the website. Then came a warning from TerraCom’s attorney.

“The person or persons using the Scripps IP address have engaged in numerous violations of the Computer Fraud and Abuse Act,” insisted TerraCom’s lawyer, Jonathan Lee, “by gaining unauthorized access into confidential computer files maintained for the Companies by Vcare, and by digitally transferring the information in these folders to Scripps. I request that you take immediate steps to identify the Scripps Hackers, cause them to cease their activities described in this letter and assist the companies in mitigating the damage from the Scripps Hackers’ activities.”

“Shoot the messenger,” wrote a blogger for NetworkWorld. “Reporters found a gaping security hole exposing 170,000 Lifeline phone customer records online, but were labeled Scripps Hackers and accused of violating [the] CFAA.”

Lee continued:

“If the purpose of the hacking was journalistic and the Scripps Hackers have not made and do not intend to make any further disclosure of the hacked data, then any financial or other risk for those applicants would be minimal and notification of the breach may not be necessary under the law of about half of the states involved. However, the downloading of more than 120,000 files over a period of several weeks may not be consistent with solely journalistic intent.”

New York-based attorney Tor Ekeland represented security researcher Andrew Auernheimer in a CFAA prosecution that ended earlier this year with a federal judge sentencing him to 41 months in prison. Auernheimer was convicted of gaining unauthorized access to the personal details of AT&T customers after he and an associate discovered, and disclosed, a flaw in an AT&T website that handed out the email addresses of more than 100,000 iPad 3G owners to anyone who requested them. As with the TerraCom files, no password was bypassed: the server simply answered the requests it was sent.

“I don’t see much difference between what happened in that case and what happened here,” Ekeland wrote on his website this week, “[e]xcept maybe that the DOJ might be a bit sensitive about going after reporters given their current track record on that front.”

“By not defining its key operative phrase ‘unauthorized access’ as requiring bypassing a password or some other type of technological access barrier, it allows corporations to be negligent regarding their infosec,” or information security, wrote Ekeland. “The corporations know that someone else, and not themselves, will suffer the consequences for discovering their confidential data that the corporation has displayed for all to see on the open Web. Why should anyone disclose any computer security flaw in that type of set up? Why risk a felony conviction? Better to keep your mouth shut and let all sorts of criminal organizations and foreign governments harvest the information than to incur the wrath of the Department of Justice and a vexatious and costly civil suit.”

Before being sentenced, Auernheimer himself wrote that “in an age of rampant cyber espionage and crackdowns on dissidents,” the only ethical way to disclose security exploits was to avoid going to the company involved or the government that might prosecute you. “In a few cases, that individual might be a journalist who can facilitate the public shaming of a web application operator. However, in many cases the harm of disclosure to the un-patched masses . . . greatly outweighs any benefit that comes from shaming vendors.”

Scripps’ attorney, David Giles, responded much as Ekeland did, arguing that TerraCom was misreading the CFAA. “Regardless of the flowery moniker you have used to characterize the bureau’s newsgathering activities, the bureau’s reporters have not violated the Computer Fraud and Abuse Act or any other law or regulation,” Giles wrote. “Rather, in the process of gathering newsworthy information, the bureau accessed – via a basic Internet search – personal and confidential information that apparently is available to anyone with a computer, an outlet and access to electricity.”

Scripps requested an on-camera interview with TerraCom, both before and after making its disclosure, in order to show the company face-to-face how its reporters had “hacked” into the network. TerraCom acknowledged the breach on its website and told customers that “names, addresses, Social Security numbers, tax information and other government forms used by our company to determine applicant eligibility for the federal Lifeline program” had been compromised.