zlacker

[return to "‘BlueLeaks’ Exposes Files from Hundreds of Police Departments"]
1. voiper+83[view] [source] 2020-06-22 12:04:25
>>itcrow+(OP)
>“Netsential confirmed that this compromise was likely the result of a threat actor who leveraged a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data.”

So they are spinning it as a user's fault? Not the fault of Netsential for allowing malicious content to be a problem...

◧◩
2. joekri+H5[view] [source] 2020-06-22 12:29:47
>>voiper+83
That's the first thing I thought, too - sounds like they are trying to spin it as some malicious user "broke in". If a "customer user account" is able to upload a malicious payload and exfiltrate huge amounts of other customers' data, there's a much larger, underlying problem here. Hard to see how Netsential could get through this fiasco and still have any business.
◧◩◪
3. Cthulh+sr[view] [source] 2020-06-22 14:46:45
>>joekri+H5
Legally speaking, if you find a bug and abuse it (to e.g. extract data), you're breaking the law; I know people don't want to hear it and want to protect whistleblowers, but it's factually illegal to steal data like this.

That's what whistleblowing is all about though; purposefully breaking the law or a contract (like an NDA) to expose shit. Some countries will protect whistleblowers, others have to flee and seek asylum abroad.

So don't deny whether or not law and/or contract was broken, instead focus on whether the action was justified. Yes the system was broken and open for exploitation, but the attack was not accidental: they intentionally uploaded a malicious payload, intentionally extracted data, and intentionally uploaded it to the internets.

◧◩◪◨
4. Walter+nH[view] [source] 2020-06-22 16:06:10
>>Cthulh+sr
I don't follow.

No attack is accidental. If a vendor fails to follow appropriate operational security, it is certainly the illegal actors fault. But it is also the fault of the vendor's negligence, and might also be the fault of whoever failed to properly vet the vendor. All three are potentially culpable.

Moreover, I took the parent comment to be referring more to customer flight rather than some judiciary judgement. 'I got mugged' is not what you want to hear from the person entrusted with your data security.

[go to top]