[LINK] Super fund security breach lands good Samaritan in hot water
swilson at lockstep.com.au
Wed Oct 19 09:43:14 AEDT 2011
On 19/10/2011 9:16 AM, Marghanita da Cruz wrote:
> Jan Whitaker wrote:
> > Super bad: First State set police on man who showed them how
> > 770,000 accounts could be ripped off
> > From the article:
> > Asked whether the legal letter was heavy-handed given that Webster
> > could have just as easily released the vulnerability to the
> > hacking community, Dwyer said First State Super approached police
> > as a matter of course when there was a privacy breach.
> > [PRIVACY breach? This was a security breach. They report to the police,
> > which is good, but makes me wonder if this is standard practice.]
> <snip> It is the Privacy laws that may have been breached - there
> isn't a general security law.
Actually there is the Cybercrime Act 2001.
On my reading, a conservative interpretation of that law says that if an
unauthorised party circumvents an IT security system and accesses data
to which they are not entitled, then they have committed a crime. In my
view, the 'good samaritan' seems to have overstepped when he chose to
make his point by writing a script that automatically cycled through a
number of customer accounts and uploaded their details (this according
to this morning's SMH report). It probably doesn't matter that the
institution's security is incredibly poor; the guy circumvented it and
accessed quite a lot of data.
"Samaritan" he may be but he could have brought this problem to light
without accessing others' data.
This is not the first time that the Cybercrime Act has been publicly
tested. Recall the case of journo Ben Grubb at AusCERT back in May,
arrested for reporting on Christian Heinrich's "hack" of a rival's
Facebook photos. On my reading, the case was about Grubb having
evidence pertaining to a possible breach by Heinrich of the Cybercrime
Act. Again, the security that was breached was very poor, relying on
obscurity to inhibit ready access, but the fact was that Heinrich went
to some effort to gain access to data that he was not authorised to
have, ergo he may have broke that law.
The case against Grubb seemed to have been dropped. I don't know if the
police ever pursued Heinrich himself.
At AusCERT at the time I spoke with a number of security wonks who saw
no problem in a 'white hat hacker' demonstrating that Facebook's
security was poor. Yet the technicality remains: if you circumvent a
security system, you may be in trouble.
Hackers of all colours should take time to read the Act.
Phone +61 (0)414 488 851
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy.Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.
More information about the Link