
List:       isn
Subject:    [ISN] 'Hacking' Journalists Case Dredges Up Security Research Legal Debates
From:       InfoSec News <alerts () infosecnews ! org>
Date:       2013-05-23 5:48:05
Message-ID: alpine.DEB.2.02.1305230102070.25935 () infosecnews ! org

http://www.darkreading.com/attacks-breaches/hacking-journalists-case-dredges-up-secu/240155428

By Ericka Chickowski
DarkReading.com
May 22, 2013

A legal storm is brewing between researchers who uncovered a cache of sensitive 
information about 170,000 consumers through a Google search and the company 
which left the information freely available online. It sounds like the typical 
disclosure scuffle that the security research community has come to expect as 
part of the territory, with the exposed firm threatening to ring up researchers 
for violating the Computer Fraud and Abuse Act. But this one comes with a 
twist: the researchers in this incident weren't code slingers, they were word 
slingers.

The exposed information was discovered by two journalists with Scripps-Howard 
news service who stumbled into the openly searchable information from data 
stores held by telecom vendor TerraCom Inc. through Google. Their search came 
while investigating a story on why so many consumer participants in a 
government subsidized cell phone program called Lifeline, a program in which 
TerraCom and its affiliate company YourTel participated.

"The Scripps News team discovered the unsecured records while looking into 
companies participating in Lifeline. A simple online search into TerraCom 
yielded a Lifeline application that had been filled out and was posted on a 
site operated by Call Centers India Inc., under contract for TerraCom and 
YourTel," Many in the security community say the incident and its legal fallout 
could stand to draw the attention of a more mainstream audience to some of the 
biggest legal and ethical problems facing white and grey hat hackers today.

"I love this, this is a perfect example because what you effectively have here 
is a very innocent set of research. They stumbled on this data through simple 
searches," says Trey Ford, Black Hat general manager. "The custodian of this 
data was not properly managing authorized access. And just because the 
custodian didn't feel like they wanted this other company or the rest of the 
Internet to have 'authorized' access to this data, they cited a law that 
allowed them to hide and sue someone doing something that was ultimately trying 
to help them out."

[...]

