IT Consultant Fined For Daring To Expose Shoddy Security (theregister.com)
Thomas Claburn reports via The Register: A security researcher in Germany has been fined $3,300 for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records. Back in June 2021, according to our pals at Heise, a contractor identified elsewhere as Hendrik H. was troubleshooting software for a customer of IT services firm Modern Solution GmbH. He discovered that the Modern Solution code made a MySQL connection to a MariaDB database server operated by the vendor. It turned out the password to access that remote server was stored in plain text in the program file MSConnect.exe, and opening it in a simple text editor would reveal the unencrypted hardcoded credential.
With that easy-to-find password in hand, anyone could log into the remote server and access data belonging to not just that one customer of Modern Solution, but data belonging to all of the vendor's clients stored on that database server. That info is said to have included personal details of those customers' own customers. And we're told that Modern Solution's program files were available for free from the web, so truly anyone could inspect the executables in a text editor for plain-text hardcoded database passwords. The contractor's findings were discussed in a June 23, 2021 report by Mark Steier, who writes about e-commerce. That same day Modern Solution issued a statement [PDF] -- translated from German -- summarizing the incident [...]. The statement indicates that sensitive data about Modern Solution customers was exposed: last names, first names, email addresses, telephone numbers, bank details, passwords, and conversation and call histories. But it claims that only a limited amount of data -- names and addresses -- about shoppers who made purchases from these retail clients was exposed. Steier contends that's incorrect and alleged that Modern Solution downplayed the seriousness of the exposed data, which he said included extensive customer data from the online stores operated by Modern Solution's clients.
In September 2021 police in Germany seized the IT consultant's computers following a complaint from Modern Solution that claimed he could only have obtained the password through insider knowledge -- he worked previously for a related firm -- and the biz claimed he was a competitor. Hendrik H. was charged with unlawful data access under Section 202a of Germany's Criminal Code, based on the rule that examining data protected by a password can be classified as a crime under the Euro nation's cybersecurity law. In June 2023, a Julich District Court in western Germany sided with the IT consultant because the Modern Solution software was insufficiently protected. But the Aachen regional court directed the district court to hear the complaint. Now, the district court has reversed its initial decision. On January 17, a Julich District Court fined Hendrik H. and directed him to pay court costs.
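An added example (my code, not The Register's, Heise's, or Modern Solution's) of the release check a vendor could run over its own build artifacts before shipping them: extract printable runs the way a text editor or `strings` would expose them, then flag anything shaped like an embedded database credential. The binary bytes, host names, user names and password values below are constructed placeholders, not material from the case.

```python
"""Pre-release scan of a build artifact for plaintext database credentials.
Added example, not code from the article or from any vendor. Everything in
SAMPLE_BINARY is constructed for the demo."""
import re

# Constructed stand-in for a compiled client executable: junk bytes around a
# few embedded strings, two of which carry a credential. Host names and
# password values are placeholders.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + bytes(range(0, 200, 3))
    + b"Server=db.example.invalid;Uid=shop_client;Pwd=Example-Pl4intext;Database=orders\x00"
    + b"\x01\x02\x03libmysql.dll\x00\x7f\x80"
    + b"mysql://reporting:S3cret-placeholder@db.example.invalid:3306/shop\x00"
    + b"\xde\xad\xbe\xefVersion 2.1.0\x00"
)

MIN_RUN = 6  # `strings` defaults to 4; 6 cuts down on noise from short byte runs


def printable_runs(blob: bytes, min_len: int = MIN_RUN) -> list[str]:
    """Extract runs of printable ASCII, the same view `strings` gives."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# Shapes that credential material commonly takes inside DB client code:
# key=value connection strings and user:password@host URLs.
CREDENTIAL_PATTERNS = {
    "connection-string password": re.compile(r"(?i)\b(pwd|password)\s*=\s*([^;\s]+)"),
    "url-embedded password": re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://([^:/\s]+):([^@\s]+)@"),
}


def scan_for_credentials(blob: bytes) -> list[dict]:
    """Return one finding per string that looks like an embedded secret.

    The secret value is redacted in the finding so the report itself can be
    filed or shared without re-leaking the credential."""
    findings = []
    for s in printable_runs(blob):
        for kind, pat in CREDENTIAL_PATTERNS.items():
            m = pat.search(s)
            if m:
                secret = m.group(m.lastindex)  # last group is the password
                findings.append({
                    "kind": kind,
                    "evidence": s.replace(secret, "<redacted>"),
                    "secret_length": len(secret),
                })
    return findings


if __name__ == "__main__":
    for f in scan_for_credentials(SAMPLE_BINARY):
        print(f"[{f['kind']}] {f['evidence']} (secret length {f['secret_length']})")
```

The two regexes are deliberately narrow; in practice you would pair this kind of scan with a dedicated secret scanner and, more importantly, with a design in which the shipped client never holds a database password at all.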
unlawful data access from any password even ftp t? (Score:2)
unlawful data access from any password even ftp set to take any password?
apps with fixed passwords?
apps with default passwords?
wifi where they give you the password on a sign out in the open?
Re:unlawful data access from any password even ftp (Score:5, Insightful)
Sure, you can point fingers all over the place, and find horrible security almost anywhere
But, I read the excerpt and could not find where the paid IT consultant took this information to the customer, who pays them, and made clear warning about the extent of the threat.
Instead the story shows up in some journalist's hands where it proves to be problematic for the employer of the IT consultant, who was given access to information and then leaked it to the press
If I was the client, I would be looking for a big hammer to hit the leaking IT consultant with, and it looks like it was conveniently right there in the law
FWIW, I suspect that you could turn every doorknob in your neighborhood and find some unlocked doors. You would still be charged with a crime if you were to take advantage of it, or leak that information to somebody else to use
Re: (Score:2)
Re:unlawful data access from any password even ftp (Score:4, Interesting)
The customer not only received the information, BUT ISSUED A STATEMENT based on the information after fixing it. It's right there in the text.
The problem the consultant had with that was that the statement was vastly understating the severity of the problem. He spoke out about this. That's why he was reported to the authorities.
Re: (Score:3)
That's his story, and TFA was written to support him.
The company said differently.
The court heard both sides and ruled that the preponderance of the evidence supported the company.
So, what's the truth? I have no idea.
Re:unlawful data access from any password even ftp (Score:4, Insightful)
No, that's not HIS story. The company MADE THE STATEMENT. That's not a story. That's WHAT HAPPENED.
There is no way to twist this to that the consultant somehow did not inform the customer about the situation, when they made a statement addressing the finds.
And trying to twist that into "his story" shows magnificent inability to analyze events.
Re: unlawful data access from any password even ft (Score:1)
Information filters through a lot of layers before it gets to the customer. He should've addressed it first with the company, given them sufficient notice provided he was still contracted or it could've reflected badly upon his job, perhaps addressed it with regulators, or made a statement that his company disagrees and distances itself from the company. This would give the option to ethical third parties to review and take a clean room approach to the old and new binaries.
If what you say
Re: unlawful data access from any password even ft (Score:3)
FWIW, I suspect that you could turn every doorknob in your neighborhood and find some unlocked doors. You would still be charged with a crime if you were to take advantage of it, or leak that information to somebody else to use
Exactly this! I've also said this. Somehow many people think that it is fine to break into software if they just can, even if they think it is not okay to break into buildings etc. I wonder if it has something to do with the fact that you usually cannot be seen during the act, while you usually cannot break into buildings without at least the risk of being observed.
Re: (Score:2)
People would not be OK with a company leaving the door to archive of their customers' credit card numbers and personal data unlocked and without a guard nor security camera. If someone walked in they'd be more pissed at the company than the trespasser. And it's the same for digital doors.
Not breaking in (Score:2)
Somehow many people think that it is fine to break into software if they just can, even if they think it is not okay to break into buildings etc.
That's grossly misrepresenting the case here. He did not break into anything, he happened to notice a gaping security hole while doing his job which he reported to the company.
Suppose you work next door to a company and noticed that they had a key taped to their front door with a notice that said use this to get in. Curious, because you can't really believe someone would be this stupid, you try the key and find it does unlock the door but you do not enter, you close the door and put the key back. As a g
Re: Not breaking in (Score:1)
Not if it was your job to review security. But that doesn't seem to be the case. In this case, the equivalent would be that he saw the key, told the company about it which they understood to be "hide it under a rock near the door". Then he subsequently told the media, they just moved it from being taped to the door to hiding it under a rock which a thief subsequently abused this information.
There are many things to do before you leak it to the media. Police, insurance, even market regul
Re: (Score:2)
If I read it right, the password to the database was in every distribution of the software they made, and it was freely downloadable, so literally everyone could get to it - customer or not. It's so blatantly stupid, it's hard to even call it a "security" problem - it's just idiocy, crystalised in computer form.
With bone-headed approaches like that, his biggest mistake was expecting the company to act in any way competently or reasonably once this news got out.
I'd also say that likening this to someone leav
Re: (Score:2)
Ethically speaking, should he:
1. Report to the company he holds employment with. If applicable he may be sole proprietor contractor, I didn't quite get the German right.
2. Report to the audit contracting co
Re: (Score:3)
Do not think this means I agree with the court's decision.
Re: (Score:2)
The company is also required to properly protect sensitive data under the GDPR.
Only in USA. (Score:2)
>> You can still walk onto the land ... but it is illegal.
Only in USA.
Re: (Score:2)
So how does it work other places.
In much of the USA private land is open to pedestrians unless the owner indicates otherwise, usually by putting up a sign, or some kind of barrier like a fence or wall, or the owner simply asks you to leave.
How does it work where you live? Are private land owners required to put up a physical barrier?
Re: (Score:2)
No, they are not required, but people can walk if there is no barrier.
Signs are usually not relevant...
Re: Only in USA. (Score:2)
Trespassing isn't illegal in the UK.
Re: (Score:2)
Depends on the country.
I live in Thailand.
Everyone can access any land that is not fenced or has an obviously inhabited house on it, AND: can feed his cattle on it. Unless there are growing fruits/crops of course. Thai means free. The land of the free.
In Viking nations you can rest and settle in every unfenced land for ten days, and in emergency situations like heavy snow: as long as you want. Germany used to be the same, but Nazis changed the laws, and after the war the laws were not changed back.
Do not th
Re: (Score:2)
Do not think this means I agree with the court's decision. you do not know anything about what actually happened and the summary is poor. So nothing to agree with or disagree with.
Wow. You think you put the caveat so you won't get thumped "because you agree with it", but instead you get thumped "because you don't know what is happening".
Classy.
Re: (Score:1)
You do not know what happened, I do not know what happened.
The summary is inconsistent gibberish.
He most certainly did not get fined for disclosing something (to whom actually?)
Re: (Score:2)
If you really do want to accuse me of not knowing what to agree or disagree on, then at least specify what I am not disagreeing on. Because at the moment I'm having a hard time deciding if I agree with your comment or not. Because I really don't know what you are trying to say.
Re: (Score:1)
I said from the /. Summary it is not clear for what he was convicted.
If you know more you could have mentioned your knowledge.
Re: (Score:2)
Are you one of those that only read the
Re: (Score:1)
I did not assume anything.
I pointed out the /. summary does not clearly explain what happened.
Neither do you.
The topic is not interesting enough to follow the links.
Re: (Score:2)
Re: (Score:1)
You are bad at reading?
I only read the summary.
You said: you do not agree with the court decision.
I said: from the /. summary it is not really clear what it is about
Now, you nitpick about something I did neither say nor imply: and still fail to tell us what is in the other links you read. Aka: you fail to tell us what you know about the case which we do not know.
And: I told you already, the topic is not interesting enough to follow your links to learn more. So: you want to nitpick about something, and I do
Re: (Score:2)
Re: (Score:1)
I did not make an assumption.
I replied to your comment: "I do not agree with the court ruling"
And I pointed out: the /. summary makes it pretty unclear what all that is about.
So: what do you want to argue about?
Re: (Score:2)
Re: (Score:1)
You did not agree with the courts decision, but never explained why.
Anonymous reporting FTW (Score:4, Informative)
No good deed goes unpunished.
Of course, now anybody doing work with that client will just sell any vulns to the dark web instead, so I'm not sure what the point of this exercise was, other than attempting to save face.
Re: (Score:2, Interesting)
Re:Anonymous reporting FTW (Score:5, Informative)
Unfortunately all I have to go on beyond the Register article is a google machine translation of the Steier article (https://wortfilter.de/warnung-datenleck-beim-jtl-partner-modern-solution-gmbh-co-kg/), but here's my understanding of what happened based on both sources:
1. Unnamed IT consultant was working for a customer of said company, found the password in the software from the company given to the customer to use. He then connected and found that everybody used the same password to connect to a single database.
2. Steier reports finding from unnamed IT consultant.
3. Apparently company figured out unnamed IT consultant gave Steier the tip and then sued him for using the password to connect to the database (presumably to check whether this password restricted access to the data that the customer he was working for... you know, his job.)
4. Courts originally sided with unnamed IT consultant, but upon appeal, sided with company.
If someone has more information to share, it would be nice.
Re: (Score:1)
seems he did a bit more than just discover it (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Arguably knowing how serious it was or was not, was none of his business, and not a predicate to reporting it.
He may have been curious. I know I would be. But we all know what happened to the cat...
Re: (Score:2)
Arguably knowing how serious it was or was not, was none of his business, and not a predicate to reporting it.
He may have been curious. I know I would be. But we all know what happened to the cat...
Even if he had been a penetration tester hired by the company, he would/should have needed a contract that specifically allowed him to try to access data through vulnerabilities that he found.
Re: (Score:3)
Is it leaking data if the username and password were limited to that customer's own data?
If the software itself was single use for a business and the embedded password limited to that customer's data I'm not sure?
Re: (Score:2)
Re: (Score:2)
If you have been given software which connects to a database using a hard coded password, and you connect to that database using the password you were given you've done nothing wrong.
It's also not wrong to access the data. The company gave you the software and the password, they are expecting you to access the data.
The fact that when you see the data you can determine that you have much more access than you should have is the vulnerability. You have no way to know this without looking at the data.
You can re
Re: (Score:2)
GDPR fine in 3, 2, 1.....
Re: (Score:2)
They didn't give him (or his customer) a password - they gave him client software. The client software was (probably) their property. He ran strings and realised he had the username and password because the software had dreadful, but unfortunately all too typical, security.
He connected to the database using the username and password he found in the client software. I don't know the intricate detail of the German law, but I imagine by now he has probably broken it. As a general rule you aren't allowed to cir
Re: (Score:1)
The article does not indicate he went to the press.
It is more like: he told his employer, who did nothing ...
And then dug deeper ... and got caught while digging.
The court was lenient. He got fined for a quarter or a fifth of one month's earnings.
I guess the court was of his opinion, but in Germany the court has to follow the law, and not just say: oki oki oki, in this case we make an exception.
circumvent security by not using the app? so wire (Score:2)
circumvent security by not using the app? so using wireshark on an app running on a local system you are working on = jail?
What if the app passed all kinds of DB data over the wire is it circumvent security to read that out?
Does the app have the legal power to tell you that you can not track data on your network? your PC?
I think this same issue happened with some shirty dentist software full DB read over the network with no security and most of the filtering work being done on the local app.
Re: (Score:2)
Hey Joe,
so using wireshark on an app running on a local system you are working on = jail?
That's an extreme interpretation of 202a I think, but maybe (I'm relying on an English translation here which can sometimes miss important points). To understand if it is used that way you would need to see the case law. In this case I don't think obtaining the password was the offence, it was accessing the database.
(1) Anyone who gains unauthorized access for themselves or another person to data that is not intended for them and that is specially secured against unauthorized access by overcoming
Re: seems he did a bit more than just discover it (Score:2)
Re: (Score:2)
I mean if you go to a bank and open one of those shitty bathroom doors you can just crawl under, you wouldn't expect to find that was the only thing protecting their vault.
Re: (Score:2)
Or more accurately...
The bank gave you access to the vault because you are their customer and you have a safe deposit box there, but when you go in you notice that neither the vault itself nor any of the safe deposit boxes are locked (including yours) and anyone could take the contents of any of them.
Re: (Score:2)
or more likely that the key for your safe deposit box also opens all other safe deposit boxes.
Re: (Score:2)
Maybe - but if all you do is walk in thinking "woah - this is really an open vault? I wouldn't have believed it if I hadn't seen it!" then the maximum fine ought to be about $50, with no recourse for the plaintiff on lawyer fees. Otherwise the outcome will inevitably lead towards corporations making weak, cheap security decisions and just suing anyone who talks about it instead of dealing with the problem.
Re: (Score:3)
Re: (Score:2)
Yes, a distinct lack of professionalism was what struck me about the whole mess.
First from the IT company for having shoddy security, second from the IT consultant for a complete lack of professionalism, and finally from the journalist for, correct me if I'm wrong, failing to coordinate with the IT company so that they could patch their leaky boat before dropping the story
Re: (Score:2)
This is probably what's gonna happen now.
Companies with such glaring security holes rarely have only one. And yes, most of us are very much in favor of responsible disclosure, i.e. report it only to the maker of the software, give them ample time to fix it and only after the fix has been released, also release the information to the public.
But pull a stunt like that and the gloves come off.
Re: (Score:2)
'... pull a stunt like that and the gloves come off' comes with Streisand Effect.
The odds of my trusting you (the company) or hiring you just went to zero. Bad security, and utter douchery in how the consultant is being prosecuted. Talk about not learning the right lessons...
Re: (Score:2)
The odds of me reporting any security flaws I find in your company dropped to zero. That will go on the black market and if nobody wants to pay, Reddit and 9chan it is.
Re: (Score:3)
In all seriousness, unless they have a bug bounty programme I'd hesitate to even contact them. The risk of being sued is too high, so I'd probably just find a way to anonymously disclose it. Ideally to them, but if it wasn't fixed a week later, to the world.
Re: (Score:1)
You do not disclose it to the world.
You get a lawyer.
Sue them under GDPR. And make them PAY!
Cybersecurity law. (Score:2)
I fully support full disclosure, but it does seem upon finding the vulnerability he then exploited it to examine what he could get. That is a step too far. Report/disclose the vulnerability but just like if someone leaves the bank vault open you are going to be screwed if you walk in and take what you are not entitled to.
This is rather key here:
Germany's Criminal Code, based on the rule that examining data protected by a password can be classified as a crime under the Euro nation's cybersecurity law.
Quite frankly, with that law in place I'd say it makes it a bit difficult for any consultant specifically hired to test and validate cybersecurity. That said, IF you were to engage in such activity, what IT consulting firm would do so without a contract in place that specifically authorizes them to do so within the context of the job and contract? Law or no law, that's just CYA-grade common sense.
Hell, there are vulnerability scanners you can configure that can basically automate a
Re: (Score:2)
No, that's not quite what happened. However, this is generally a mess.
From what the article says, he found a hard-coded database password. This is problematic all on its own, but he assumed that it would lead to the data for that one client. He checked, and found that it led to the data for *all* clients. And only when he saw that to be the case, did he realize that this was a major security hole. Fair enough, ethical hacker finds a security hole and reports it. However:
The company claims that he only wou
access to the source code you get some with a dec (Score:2)
access to the source code you get some with a decompiler or it may be in some config.yaml file in the apps directory.
Re: (Score:2)
Your hot take sucks balls bro.
How can he report on something he does not KNOW. How would he know that password would work for ALL accounts if he didn't look? If he didn't look, there wouldn't be anything for him to report and the vulnerability would have remained exploitable until it was actually exploited and discovered to as being used for malicious purposes.
This guy stopped all that nonsense and reported a serious vulnerability without taking material advantage of it. That is all.
Re: (Score:1)
This is more or less how I understood this, too.
Hello Streisand? (Score:5, Informative)
Is this a case of the software company announcing loudly there is an issue and that suing someone is better than fixing it? Did they fix it?
Re:Hello Streisand? (Score:4, Funny)
Is this a case of the software company announcing loudly there is an issue and that suing someone is better than fixing it? Did they fix it?
Yes, they got some expert PR advice from Barbra Streisand.
Creative Commons Immunity Agreement (Score:2, Informative)
It's not as strong as the American 5th amendment, but it's good enough for most situations.
Re: (Score:1)
You have a weird definition of "irresponsible disclosure". Maybe, in your infinite wisdom and evidently superior insight, you could share with us what responsible disclosure looks like?
The company committed the programming equivalent of crapping the bed. The consultant did the responsible thing. The company lied, blatantly, about the scope of the issue. Publicly. They took the issue public, not the consultant. Once it's in the public domain, they don't get to pretend they did not lie.
Instead of owning the
Streisand effect? (Score:2)
Modern Solution stock took a hit? Once this became public, why would anyone sign with them?
Re: (Score:2)
If people stayed away from every company that did some stupid security practices we'd all be bashing rocks together to make fire. This isn't a normal case of responsible disclosure by a white hat. The fact that it has gone through multiple levels of court cases should make that clear.
On the flip side it seems the company responded with a public announcement on the same day, which puts them head and shoulders above a lot of other tech companies.
Also it's kind of hard for a small private family owned company
Reward vs stupidity (Score:2)
The law is equal for everyone.
If it was not agreed upon that you were hired to find exploits and test the system, you will be judged the same way any criminal breaking the law would; the law doesn't see variations, it's just the law.
However - you could also argue it would be smarter to reward him for exposing the vulnerabilities, especially since he came forward voluntarily with the findings, only an idiot executive would hold that up against the law, the smart ones would patch the system and reward those who
Re: (Score:2)
Ponder the implications of this move.
Person A finds a security hole in your system and reports it to you. You decide to sue them because you never hired them, and the whole shit becomes public knowledge because it gets reported in the press.
Person B finds a security hole in your system. Question: Will they report it? Or sell it to the highest bidder? If I'm criminal either way, I can as well match the crime to the verdict.
Re: (Score:2)
They are more or less all pieces of shit in the corporate world, so protect yourself and don't give them an iota of a chance to blame you.
Atop that, telling them anything truthful is probably not in your best interest. Keep your head down and avoid scrutiny.
Long story short... (Score:1)
Don't do the right thing. It WILL get you into trouble
The EU's legal system has an abysmal grasp of technology and should be roundly vilified for it.
Everyone confusing the discovery, verification and reporting of this idiotic exposure with something wrong is a joke. Hard-coded passwords are evil and the perpetrators should be brought to book.
Re: (Score:3)
> Don't do the right thing. It WILL get you into trouble
This is where moral relativism comes in.
In an Oligarchy, covering up for the corporations is the "right" thing. Systems are set up to incentivize this now.
You're talking about systems that benefit the individual and society. I prefer those too.
Political scientists agree that's not what we have.
But good luck getting the oligarchy's serfs to fight against it when they're modestly fed and warm.
Then again those oligarchies now want to tax farmers out o
Re: (Score:2)
Lying publicly about a data leak, or downplaying it, is illegal under the European GDPR law!
So not German laws, European law.
Just like... (Score:2)
Lessons Learned (Score:2)
This story suggests to me that it's too risky to ever do business with this company.
And also German data companies in general because I now understand that their laws incentivize coverups and punish privacy disclosures.
This is really useful because I was going to use a German medical company for some lab testing due to its strong privacy laws on the books but now I understand that's just window-dressing - the real incentives are to skip security and threaten.
MSConnect.exe ? (Score:2)
Windows - the gift that keeps on giving.
And this is Germany we're talking about. Shut up and pass the lignite.
How is the IT consultant liable? (Score:3)
restrict that user still gives it access to all dat (Score:2)
restrict that user still gives it access to all data over each customer as giving each customer its own user is too much work.
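An added illustration (not the vendor's code) of the point above, using an in-memory SQLite table with constructed rows: a single account shared by every installed client can read every tenant's rows, whereas a per-installation key that the server maps to one tenant confines each client to its own data without needing a database user per customer. The `TenantScopedAccess` class, the table, the tenant names and the keys are assumptions made for the demo.

```python
"""Shared database account vs. tenant-scoped access. Added example with
constructed data; nothing here is from Modern Solution or the article."""
import hashlib
import secrets
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed multi-tenant table: two shops' customers in one database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY,
            tenant TEXT NOT NULL,
            name TEXT NOT NULL,
            email TEXT NOT NULL);
        INSERT INTO customers (tenant, name, email) VALUES
            ('shop-a', 'Alice Example', 'alice@example.invalid'),
            ('shop-a', 'Arun Example',  'arun@example.invalid'),
            ('shop-b', 'Bela Example',  'bela@example.invalid');
    """)
    return db


def shared_account_query(db: sqlite3.Connection, sql: str) -> list[tuple]:
    """The weak pattern: every client ships the same account and that account
    may run arbitrary queries, so whatever one client can do, all can."""
    return db.execute(sql).fetchall()


class TenantScopedAccess:
    """The scoped alternative: clients hold only a per-installation API key.
    The server stores a hash of each key, maps it to exactly one tenant, and
    every query it runs on the client's behalf is filtered by that tenant."""

    def __init__(self, db: sqlite3.Connection):
        self.db = db
        self._key_hashes: dict[str, str] = {}  # sha256(key) -> tenant

    def issue_key(self, tenant: str) -> str:
        """Mint a fresh random key for one installation; only its hash is kept."""
        key = secrets.token_urlsafe(32)
        self._key_hashes[hashlib.sha256(key.encode()).hexdigest()] = tenant
        return key

    def _tenant_for(self, key: str) -> str:
        tenant = self._key_hashes.get(hashlib.sha256(key.encode()).hexdigest())
        if tenant is None:
            raise PermissionError("unknown API key")
        return tenant

    def list_customers(self, key: str) -> list[tuple]:
        """Rows for the caller's own tenant only; the tenant is derived from
        the key server-side, never supplied by the client."""
        tenant = self._tenant_for(key)
        return self.db.execute(
            "SELECT name, email FROM customers WHERE tenant = ? ORDER BY id",
            (tenant,),
        ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("shared account sees:", shared_account_query(db, "SELECT tenant, name FROM customers"))
    access = TenantScopedAccess(db)
    key_a = access.issue_key("shop-a")
    print("shop-a key sees:", access.list_customers(key_a))
```

Revoking or rotating one installation's key then affects only that tenant, and a leaked key exposes one shop's rows rather than the whole database.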
Don't do it. (Score:1)