IT Consultant Fined For Daring To Expose Shoddy Security (theregister.com)

Thomas Claburn reports via The Register: A security researcher in Germany has been fined $3,300 for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records. Back in June 2021, according to our pals at Heise, a contractor identified elsewhere as Hendrik H. was troubleshooting software for a customer of IT services firm Modern Solution GmbH. He discovered that the Modern Solution code made a MySQL connection to a MariaDB database server operated by the vendor. It turned out the password to access that remote server was stored in plain text in the program file MSConnect.exe, and opening it in a simple text editor would reveal the unencrypted hardcoded credential.

With that easy-to-find password in hand, anyone could log into the remote server and access data belonging to not just that one customer of Modern Solution, but data belonging to all of the vendor's clients stored on that database server. That info is said to have included personal details of those customers' own customers. And we're told that Modern Solution's program files were available for free from the web, so truly anyone could inspect the executables in a text editor for plain-text hardcoded database passwords. The contractor's findings were discussed in a June 23, 2021 report by Mark Steier, who writes about e-commerce. That same day Modern Solution issued a statement [PDF] -- translated from German -- summarizing the incident [...]. The statement indicates that sensitive data about Modern Solution customers was exposed: last names, first names, email addresses, telephone numbers, bank details, passwords, and conversation and call histories. But it claims that only a limited amount of data -- names and addresses -- about shoppers who made purchases from these retail clients was exposed. Steier contends that's incorrect and alleged that Modern Solution downplayed the seriousness of the exposed data, which he said included extensive customer data from the online stores operated by Modern Solution's clients.

In September 2021 police in Germany seized the IT consultant's computers following a complaint from Modern Solution that claimed he could only have obtained the password through insider knowledge -- he worked previously for a related firm -- and the biz claimed he was a competitor. Hendrik H. was charged with unlawful data access under Section 202a of Germany's Criminal Code, based on the rule that examining data protected by a password can be classified as a crime under the Euro nation's cybersecurity law. In June 2023, a Julich District Court in western Germany sided with the IT consultant because the Modern Solution software was insufficiently protected. But the Aachen regional court directed the district court to hear the complaint. Now, the district court has reversed its initial decision. On January 17, a Julich District Court fined Hendrik H. and directed him to pay court costs.
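The summary says the database password could be read by opening MSConnect.exe in a text editor. As an added example, not code from The Register, Heise, Steier or Modern Solution, here is the check a practitioner would run over their own vendor binaries before a customer or a stranger does it for them: extract printable string runs the way `strings` does, in both plain ASCII and the UTF-16LE that Windows programs commonly use for text, and match them against connection-string and DSN patterns. The sample bytes, host names, user names and passwords below are constructed; no real program was examined.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple

# Constructed stand-in for a compiled Windows program. It is not MSConnect.exe
# and nothing here was taken from a real binary: the PE-looking header, host
# names, user names and passwords are all made up for this example.
SAMPLE_BINARY = b"".join([
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    b"\x00\x00\x00\x00PE\x00\x00\x4c\x01\x03\x00",
    b"kernel32.dll\x00GetProcAddress\x00",
    # ADO/ODBC-style connection string stored as plain ASCII
    b"Server=db.example.invalid;Port=3306;Database=shop;Uid=shopapp;Pwd=Summer2021!;\x00",
    b"\x01\x02\x03\x04",
    # A second DSN stored as UTF-16LE, which is how many Windows programs keep text
    "mysql://report:Pa55word@db.example.invalid/reports".encode("utf-16-le"),
    b"\x00\x00SELECT * FROM customers WHERE id=?\x00",
])


class Finding(NamedTuple):
    offset: int      # byte offset of the string run inside the file
    encoding: str    # "ascii" or "utf-16le"
    kind: str        # which credential pattern matched
    secret: str      # the matched password, kept only so it can be masked
    context: str     # the whole string run it was found in


# Printable runs of at least 8 characters, like `strings -n 8` (ASCII) and
# `strings -e l` (UTF-16LE: each printable byte followed by a NUL byte).
PRINTABLE_ASCII = re.compile(rb"[\x20-\x7e]{8,}")
PRINTABLE_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

CREDENTIAL_PATTERNS = [
    # key=value connection strings separated by ';' (ADO, ODBC, MySQL Connector/NET)
    ("connection-string", re.compile(r"(?i)\b(?:pwd|password)\s*=\s*([^;\s]+)")),
    # URL-style DSNs: scheme://user:password@host/...
    ("dsn-url", re.compile(r"(?i)\b(?:mysql|mariadb|postgres(?:ql)?)://[^:/\s]+:([^@\s]+)@")),
]


def extract_strings(data: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run in the file."""
    for m in PRINTABLE_ASCII.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in PRINTABLE_UTF16.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_embedded_credentials(data: bytes) -> List[Finding]:
    """Scan a file image for hard-coded database credentials. Read-only: this
    never contacts the host named in a hit."""
    findings: List[Finding] = []
    for offset, enc, text in extract_strings(data):
        for kind, pattern in CREDENTIAL_PATTERNS:
            for m in pattern.finditer(text):
                findings.append(Finding(offset, enc, kind, m.group(1), text))
    return findings


def redact(f: Finding) -> str:
    """Report line with the secret masked, so the finding can go into a ticket
    or an email without the ticket itself becoming the leak."""
    masked = f.context.replace(f.secret, "*" * len(f.secret))
    return f"0x{f.offset:08x} [{f.encoding}] {f.kind}: {masked}"


if __name__ == "__main__":
    # Replace SAMPLE_BINARY with open(path, "rb").read() for a file you are
    # entitled to inspect.
    for finding in find_embedded_credentials(SAMPLE_BINARY):
        print(redact(finding))
```

Two caveats a practitioner would want. First, the scan only reads a file already in your possession and never opens a connection to the host it names; whether connecting to confirm the blast radius is still "reporting" is exactly what the thread below argues about, and this check stays on the safe side of that line. Second, a clean run proves nothing: a credential can be obfuscated, split across several strings or fetched from a config file or the registry, and plain `strings` without `-e l` misses the UTF-16LE case entirely, which is why both encodings are scanned here.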

  • unlawful data access from any password even ftp set to take any password?
    apps with fixed passwords?
    apps with default passwords?
    wifi where they give you the password on a sign out in the open?

    • by garyisabusyguy ( 732330 ) on Monday January 22, 2024 @11:23PM (#64181181)

      Sure, you can point fingers all over the place, and find horrible security almost anywhere

      But, I read the excerpt and could not find where the paid IT consultant took this information to the customer, who pays them, and made clear warning about the extent of the threat.

      Instead the story shows up in some journalist's hands where it proves to be problematic for the employer of the IT consultant, who was given access to information and then leaked it to the press

      If I was the client, I would be looking for a big hammer to hit the leaking IT consultant with, and it looks like it was conveniently right there in the law

      FWIW, I suspect that you could turn every doorknob in your neighborhood and find some unlocked doors. You would still be charged with a crime if you were to take advantage of it, or leak that information to somebody else to use

      • It does seem in complete violation of responsible disclosure guidelines [owasp.org], which means he wasn't an "ethical hacker" at all. Given that the problem was discovered and made public in the same month he obviously didn't follow responsible disclosure, which could be why the court slapped him down.
      • by BadDreamer ( 196188 ) on Tuesday January 23, 2024 @12:37AM (#64181251) Homepage

        The customer not only received the information, BUT ISSUED A STATEMENT based on the information after fixing it. It's right there in the text.

        The problem the consultant had with that was that the statement was vastly understating the severity of the problem. He spoke out about this. That's why he was reported to the authorities.

        • That's his story, and TFA was written to support him.

          The company said differently.

          The court heard both sides and ruled that the preponderance of the evidence supported the company.

          So, what's the truth? I have no idea.

          • by BadDreamer ( 196188 ) on Tuesday January 23, 2024 @08:03AM (#64181649) Homepage

            No, that's not HIS story. The company MADE THE STATEMENT. That's not a story. That's WHAT HAPPENED.

            There is no way to twist this to that the consultant somehow did not inform the customer about the situation, when they made a statement addressing the finds.

            And trying to twist that into "his story" shows magnificent inability to analyze events.

            • Information filters through a lot of layers before it gets to the customer. He should've addressed it first with the company, given them sufficient notice provided he was still contracted or it could've reflected badly upon his job, perhaps addressed it with regulators, or made a statement that his company disagrees and distances itself from the company. This would give the option to ethical third parties to review and take a clean room approach to the old and new binaries.

              If what you say

      • FWIW, I suspect that you could turn every doorknob in your neighborhood and find some unlocked doors. You would still be charged with a crime if you were to take advantage of it, or leak that information to somebody else to use

        Exactly this! I've also said this. Somehow many people think that it is fine to break into software if they just can, even if they think it is not okay to break into buildings etc. I wonder if it has something to do with the fact that you usually cannot be seen during the act, while you usually cannot break into buildings without at least the risk of being observed.

        • People would not be OK with a company leaving the door to archive of their customers' credit card numbers and personal data unlocked and without a guard nor security camera. If someone walked in they'd be more pissed at the company than the trespasser. And it's the same for digital doors.

        • Somehow many people think that it is fine to break into software if they just can, even if they think it is not okay to break into buildings etc.

          That's grossly misrepresenting the case here. He did not break into anything, he happened to notice a gaping security hole while doing his job which he reported to the company.

          Suppose you work next door to a company and noticed that they had a key taped to their front door with a notice that said use this to get in. Curious, because you can't really believe someone would be this stupid, you try the key and find it does unlock the door but you do not enter, you close the door and put the key back. As a g

          • Not if it was your job to review security. But that doesn't seem to be the case. In this case, the equivalent would be that he saw the key, told the company about it which they understood to be "hide it under a rock near the door". Then he subsequently told the media, they just moved it from being taped to the door to hiding it under a rock which a thief subsequently abused this information.

            There are many things to do before you leak it to the media. Police, insurance, even market regul

      • If I read it right, the password to the database was in every distribution of the software they made, and it was freely downloadable, so literally everyone could get to it - customer or not. It's so blatantly stupid, it's hard to even call it a "security" problem - it's just idiocy, crystallised in computer form.

        With bone-headed approaches like that, his biggest mistake was expecting the company to act in any way competently or reasonably once this news got out.

        I'd also say that likening this to someone leav

        • Also, he was auditing for a company that used Modern.Solution, so was his first responsibility to report to them or MS? I take it essentially that a company was using a product (and probably many others or frameworks or services) and hire guy to conduct security audit and found problem with MSConnect.exe.
          Ethically speaking, should he:
          1. Report to the company he holds employment with. If applicable he may be sole proprietor contractor, I didn't quite get the German right.
          2. Report to the audit contracting co
    • by Askmum ( 1038780 )
      Unlawful access is unlawful access. You only have to post a sign "no trespassing" to make it illegal to access your land. You can still walk onto the land because there may not even be a fence, let alone a locked one, but it is illegal. To make a parallel, posting "you are not allowed to use this system without proper authorisation" should be the same. Even if you find a password. Even if it is not password protected.

      Do not think this means I agree with the court's decision.
      • Yes and no.
        The company is also required to properly protect sensitive data under the GDPR.
      • >> You can still walk onto the land ... but it is illegal.
        Only in USA.

        • by DarkOx ( 621550 )

          So how does it work other places.

          In much of the USA private land is open to pedestrians unless the owner indicates otherwise, usually by putting up sign, or some kind of barrier like a fence or wall, or the owner simply asks you to leave.

          How does it work where you live? Are private land owners required to put up a physical barrier?

      • Depends on the country.
        I live in Thailand.

        Everyone can access any land that is not fenced or has an obviously inhabited house on it, AND: can feed his cattle on it. Unless there are growing fruits/crops of course. Thai means free. The land of the free.

        In Viking nations you can rest and settle in every unfenced land for ten days, and in emergency situations like heavy snow: as long as you want. Germany used to be the same, but Nazis changed the laws, and after the war the laws were not changed back.

        Do not th

        • by Askmum ( 1038780 )

          Do not think this means I agree with the court's decision. you do not know anything what actually happened and the summary is poor. So nothing to agree with or disagree with.

          Wow. You think you put the caveat so you won't get thumped "because you agree with it", but instead you get thumped "because you don't know what is happening".
          Classy.

          • You do not know what happened, I do not know what happened.
            The summary is inconsistent gibberish.

            He most certainly did not get fined for disclosing something (to whom actually?)

            • by Askmum ( 1038780 )
              Which summary? The one from /.? The one from The Register? The report from heise? The discussion at wortfilter.de? The section of the law he was charged with?
              If you really do want to accuse me of not knowing what to agree or disagree on, then at least specify what I am not disagreeing on. Because at the moment I'm having a hard time deciding if I agree with your comment or not. Because I really don't know what you are trying to say.
              • I said from the /. Summary it is not clear for what he was convicted.
                If you know more you could have mentioned your knowledge.

                • by Askmum ( 1038780 )
                  You never mentioned it was the /. summary. Do we have to infer that or is that just an uninformed guess?
                  Are you one of those that only read the /. summary? Don't follow the links? Why do you assume I do the same? The links are there for a reason. Click them. Read the articles that they link. Maybe you can't read the german articles, others can and will. Then tell others they're not informed. Well, you don't know how informed I am, it is just your assumption because you apparently don't want to read further
                  • I did not assume anything.
                    I pointed out the /. summary does not clearly explain what happened.

                    Neither do you.

                    The topic is not interesting enough to follow the links.

                    • by Askmum ( 1038780 )
                      You assumed that I did not know what happened. You assumed I only read the /. summary. I am now assuming that you tell everybody they don't know what happened. It's right there

                      You do not know what happened

                    • You are bad in reading?

                      I only read the summary.

                      You said: you do not agree with the court decision.
                      I said: from the /. summary it is not really clear what it is about

                      Now, you nitpick about something I did neither say nor imply: and still fail to tell us what is in the other links you read. Aka: you fail to tell us what you know about the case which we do not know.

                      And: I told you already, the topic is not interesting enough to follow your links to learn more. So: you want to nitpick about something, and I do

                    • by Askmum ( 1038780 )
                      That you only read the summary does not mean I only read the summary, so any assumption you make about me not understanding what it is about is your assumption and may be as far from the truth as grass is blue. And then you want to attack me for not understanding what it is about? No, that does not fly.
                    • I did not make an assumption.
                      I replied to your comment: "I do not agree with the court ruling"
                      And I pointed out: the /. summary makes it pretty unclear what all that is about.

                      So: what do you want to argue about?

                    • by Askmum ( 1038780 )
                      Ok, for your sake, should I have written "agree or disagree"? I honestly do not understand what you are whining about.
                    • You did not agree with the courts decision, but never explained why.

  • by silentbozo ( 542534 ) on Monday January 22, 2024 @08:38PM (#64180961) Journal

    No good deed goes unpunished.

    Of course, now anybody doing work with that client will just sell any vulns to the dark web instead, so I'm not sure what the point of this exercise was, other than attempting to save face.

    • Re: (Score:2, Interesting)

      by Anonymous Coward
      he wasn't punished for reporting, he was punished for using what he found to access data.
      • by silentbozo ( 542534 ) on Monday January 22, 2024 @09:08PM (#64181009) Journal

        Unfortunately all I have to go on beyond the Register article is a google machine translation of the Steier article (https://wortfilter.de/warnung-datenleck-beim-jtl-partner-modern-solution-gmbh-co-kg/), but here's my understanding of what happened based on both sources:

        1. Unnamed IT consultant was working for a customer of said company, found the password in the software from the company given to the customer to use. He then connected and found that everybody used the same password to connect to a single database.
        2. Steier reports finding from unnamed IT consultant.
        3. Apparently company figured out unnamed IT consultant gave Steier the tip and then sued him for using the password to connect to the database (presumably to check whether this password restricted access to the data that the customer he was working for... you know, his job.)
        4. Courts originally sided with unnamed IT consultant, but upon appeal, sided with company.

        If someone has more information to share, it would be nice.

        • by Anonymous Coward
          There seems to be step or three missing between 1 and 2? What the heck motivated the consultant to go to the press in the first place? Did they report it to Modern Solution GmbH who just dismissed it out of hand, or refused to do anything about it? Without more information I'm finding it difficult to side with the contractor.
  • by bloodhawk ( 813939 ) on Monday January 22, 2024 @08:40PM (#64180967)
    I fully support full disclosure, but it does seem upon finding the vulnerability he then exploited it to examine what he could get. That is a step too far. Report/disclose the vulnerability but just like if someone leaves the bank vault open you are going to be screwed if you walk in and take what you are not entitled to.
    • by Anonymous Coward
      Did he take the data, or did he just investigate to see the full scope of the data exposed - something that is necessary to know how serious the vulnerability is before reporting it.
      • Arguably knowing how serious it was or was not, was none of his business, and not a predicate to reporting it.

        He may have been curious. I know I would be. But we all know what happened to the cat...

        • Arguably knowing how serious it was or was not, was none of his business, and not a predicate to reporting it.

          He may have been curious. I know I would be. But we all know what happened to the cat...

          Even if he had been a penetration tester hired by the company, he would/should have needed a contract that specifically allowed him to try to access data through vulnerabilities that he found.

        • by AvitarX ( 172628 )

          Is it leaking data if the username and password were limited to that customer's own data?

          If the software itself was single use for a business and the embedded password limited to that customers data I'm not sure?

      • If you notice the bank vault is open, you report it you don't just stroll in and start checking to see which safety deposit boxes were left unlocked, and then run out into the street shouting "Hey everyone, this bank vault is wide open and all the boxes inside are unlocked, too!"
        • I mean if you go to a bank and open one of those shitty bathroom doors you can just crawl under, you wouldn't expect to find that was the only thing protecting their vault.

        • by Bert64 ( 520050 )

          Or more accurately...

          The bank gave you access to the vault because you are their customer and you have a safe deposit box there, but when you go in you notice that neither the vault itself nor any of the safe deposit boxes are locked (including yours) and anyone could take the contents of any of them.

    • Maybe - but if all you do is walk in thinking "woah - this is really an open vault? I wouldn't have believed it if I hadn't seen it!" then the maximum fine ought to be about $50, with no recourse for the plaintiff on lawyer fees. Otherwise the outcome will inevitably lead towards corporations making weak, cheap security decisions and just suing anyone who talks about it instead of dealing with the problem.

    • by Lehk228 ( 705449 )
      with this company it's no longer report what you found it's fire up 7 proxies and post it on 4chan and let all hell break out for the lulz
      • Yes, a distinct lack of professionalism was what struck me about the whole mess.

        First from the IT company for having shoddy security, second from the IT consultant for a complete lack of professionalism, and finally from the journalist for, correct me if I'm wrong, failing to coordinate with the IT company so that they could patch their leaky boat before dropping the story

      • This is probably what's gonna happen now.

        Companies with such glaring security holes rarely have only one. And yes, most of us are very much in favor of responsible disclosure, i.e. report it only to the maker of the software, give them ample time to fix it and only after the fix has been released, also release the information to the public.

        But pull a stunt like that and the gloves come off.

        • by ediron2 ( 246908 )

          '... pull a stunt like that and the gloves come off' comes with Streisand Effect.

          The odds of my trusting you (the company) or hiring you just went to zero. Bad security, and utter douchery in how the consultant is being prosecuted. Talk about not learning the right lessons...

          • The odds of me reporting any security flaws I find in your company dropped to zero. That will go on the black market and if nobody wants to pay, Reddit and 9chan it is.

      • by AmiMoJo ( 196126 )

        In all seriousness, unless they have a bug bounty programme I'd hesitate to even contact them. The risk of being sued is too high, so I'd probably just find a way to anonymously disclose it. Ideally to them, but if it wasn't fixed a week later, to the world.

    • I fully support full disclosure, but it does seem upon finding the vulnerability he then exploited it to examine what he could get. That is a step too far. Report/disclose the vulnerability but just like if someone leaves the bank vault open you are going to be screwed if you walk in and take what you are not entitled to.

      This is rather key here:

      Germany's Criminal Code, based on the rule that examining data protected by a password can be classified as a crime under the Euro nation's cybersecurity law.

      Quite frankly, with that law in place I'd say it makes it a bit difficult for any consultant specifically hired to test and validate cybersecurity. That said, IF you were to engage in such activity, what IT consulting firm would do so without a contract in place that specifically authorizes them to do so within the context of the job and contract? Law or no law, that's just CYA-grade common sense.

      Hell, there are vulnerability scanners you can configure that can basically automate a

    • No, that's not quite what happened. However, this is generally a mess.

      From what the article says, he found a hard-coded database password. This is problematic all on its own, but he assumed that it would lead to the data for that one client. He checked, and found that it led to the data for *all* clients. And only when he saw that to be the case, did he realize that this was a major security hole. Fair enough, ethical hacker finds a security hole and reports it. However:

      The company claims that he only wou

    • Your hot take sucks balls bro.

      How can he report on something he does not KNOW. How would he know that password would work for ALL accounts if he didn't look? If he didn't look, there wouldn't be anything for him to report and the vulnerability would have remained exploitable until it was actually exploited and discovered to as being used for malicious purposes.

      This guy stopped all that nonsense and reported a serious vulnerability without taking material advantage of it. That is all.

    • This is more or less how I understood this, too.

  • Hello Streisand? (Score:5, Informative)

    by Midnight Thunder ( 17205 ) on Monday January 22, 2024 @09:06PM (#64181005) Homepage Journal

    Is this a case of the software company announcing loudly there is an issue and that suing someone is better than fixing it? Did they fix it?

  • Usually prevents these kinds of things from happening.

    Its not as strong as the American 5th amendment, but its good enough for most situations.
  • Modern Solution stock took a hit? Once this became public, why would anyone sign with them?

    • If people stayed away from every company that did some stupid security practices we'd all be bashing rocks together to make fire. This isn't a normal case of responsible disclosure by a white hat. The fact that it has gone through multiple levels of court cases should make that clear.

      On the flip side it seems the company responded with a public announcement on the same day, which puts them head and shoulders above a lot of other tech companies.

      Also it's kind of hard for a small private family owned company

  • The law is equal for everyone.

    If it was not agreed upon that you were hired to find exploits and test the system, you will be judged the same way any criminal breaking the law would, the law doesn't see variations, it's just the law.

    However - you could also argue it would be smarter to reward him for exposing the vulnerabilities, especially since he came forward voluntarily with the findings, only an idiot executive would hold that up against the law, the smart ones would patch the system and reward those who

    • Ponder the implications of this move.

      Person A finds a security hole in your system and reports it to you. You decide to sue them because you never hired them, and the whole shit becomes public knowledge because it gets reported in the press.

      Person B finds a security hole in your system. Question: Will they report it? Or sell it to the highest bidder? If I'm criminal either way, I can as well match the crime to the verdict.

  • Don't do the right thing. It WILL get you into trouble

    The EU's legal system has an abysmal grasp of technology and should be roundly vilified for it.

    Everyone confusing the discovery, verification and reporting of this idiotic exposure with something wrong is a joke. Hard-coded passwords are evil and the perpetrators should be brought to book.

    • > Don't do the right thing. It WILL get you into trouble

      This is where moral relativism comes in.

      In an Oligarchy, covering up for the corporations is the "right" thing. Systems are set up to incentivize this now.

      You're talking about systems that benefit the individual and society. I prefer those too.

      Political scientists agree that's not what we have.

      But good luck getting the oligarchy's serfs to fight against it when they're modestly fed and warm.

      Then again those oligarchies now want to tax farmers out o

      • Now the big funny thing:

        Lying publicly about a data leak or downplaying, is illegal under the European GDPR law!
        So not German laws, European law.
  • ... Hungary. Shame, Germany, shame!
  • This story suggests to me that it's too risky to ever do business with this company.

    And also German data companies in general because I now understand that their laws incentivize coverups and punish privacy disclosures.

    This is really useful because I was going to use a German medical company for some lab testing due to its strong privacy laws on the books but now I understand that's just window-dressing - the real incentives are to skip security and threaten.

  • Windows - the gift that keeps on giving.

    And this is Germany we're talking about. Shut up and pass the lignite.

  • by Murdoch5 ( 1563847 ) on Tuesday January 23, 2024 @12:42PM (#64182355) Homepage
    Since the password was plain text, and no meaningful protection was offered to secure it, or the upstream systems, can't the argument be made that Modern Solutions intended for it be found, and used? Let's assume it made sense to hard code the MySQL password, I'm sure many of us have done that before, why not protect who, and what can remotely access the upstream? Not only that, why not restrict that password so it can only Insert, and Update, with limited and locked user scope?
  • Since 2010 I've stopped participating in any public security event even if just for fun. I've seen what people can go through, don't do it. Keep to yourself, stay low profile and have good working contracts.
