[LINK] Super fund security breach lands good Samaritan in hot water
Stephen Wilson
swilson at lockstep.com.au
Wed Oct 19 09:43:14 AEDT 2011
On 19/10/2011 9:16 AM, Marghanita da Cruz wrote:
> Jan Whitaker wrote:
> > Super bad: First State set police on man who showed them how
> > 770,000 accounts could be ripped off
> >
> > http://www.theage.com.au/it-pro/security-it/super-bad-first-state-set-police-on-man-who-showed-them-how--770000-accounts-could-be-ripped-off-20111018-1lvx1.html
> > From the article:
> > Asked whether the legal letter was heavy-handed given that Webster
> > could have just as easily released the vulnerability to the
> > hacking community, Dwyer said First State Super approached police
> > as a matter of course when there was a privacy breach.
> >
> > [PRIVACY breach? This was a security breach. They report to the police,
> > which is good, but makes me wonder if this is standard practice.]
>
> <snip> It is the Privacy laws that may have been breached - there
> isn't a general security law.
Actually there is the Cybercrime Act 2001.
On my reading, a conservative interpretation of that law says that if an
unauthorised party circumvents an IT security system and accesses data
to which they are not entitled, then they have committed a crime. In my
view, the 'good Samaritan' seems to have overstepped when he chose to
make his point by writing a script that automatically cycled through a
number of customer accounts and uploaded their details (this according
to this morning's SMH report). It probably doesn't matter that the
institution's security is incredibly poor; the guy circumvented it and
accessed quite a lot of data.
"Samaritan" he may be but he could have brought this problem to light
without accessing others' data.
This is not the first time that the Cybercrime Act has been publicly
tested. Recall the case of journo Ben Grubb at AusCERT back in May,
arrested for reporting on Christian Heinrich's "hack" of a rival's
Facebook photos. On my reading, the case was about Grubb having
evidence pertaining to a possible breach by Heinrich of the Cybercrime
Act. Again, the security that was breached was very poor, relying on
obscurity to inhibit ready access, but the fact was that Heinrich went
to some effort to gain access to data that he was not authorised to
have, ergo he may have broken that law.
The case against Grubb seemed to have been dropped. I don't know if the
police ever pursued Heinrich himself.
At AusCERT at the time I spoke with a number of security wonks who saw
no problem in a 'white hat hacker' demonstrating that Facebook's
security was poor. Yet the technicality remains: if you circumvent a
security system, you may be in trouble.
Hackers of all colours should take time to read the Act.
Cheers,
Steve.
Stephen Wilson
Managing Director
Lockstep Group
Phone +61 (0)414 488 851
http://lockstep.com.au <http://www.lockstep.com.au>
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.