zlacker

Discussion of: "‘BlueLeaks’ Exposes Files from Hundreds of Police Departments"
1. voiper+83 | 2020-06-22 12:04:25
>>itcrow+(OP)
>“Netsential confirmed that this compromise was likely the result of a threat actor who leveraged a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data.”

So they are spinning it as a user's fault? Not the fault of Netsential for allowing malicious content to be a problem...

2. joekri+H5 | 2020-06-22 12:29:47
>>voiper+83
That's the first thing I thought, too - sounds like they are trying to spin it as some malicious user "broke in". If a "customer user account" is able to upload a malicious payload and exfiltrate huge amounts of other customers' data, there's a much larger, underlying problem here. Hard to see how Netsential could get through this fiasco and still have any business.
3. Cthulh+sr | 2020-06-22 14:46:45
>>joekri+H5
Legally speaking, if you find a bug and abuse it (to e.g. extract data), you're breaking the law; I know people don't want to hear it and want to protect whistleblowers, but it's factually illegal to steal data like this.

That's what whistleblowing is all about though; purposefully breaking the law or a contract (like an NDA) to expose shit. Some countries will protect whistleblowers, others have to flee and seek asylum abroad.

So don't deny whether or not law and/or contract was broken, instead focus on whether the action was justified. Yes the system was broken and open for exploitation, but the attack was not accidental: they intentionally uploaded a malicious payload, intentionally extracted data, and intentionally uploaded it to the internets.

4. joekri+kJ | 2020-06-22 16:14:47
>>Cthulh+sr
I wasn't commenting in any way on the legalities. IANAL and, frankly, I just don't think it's germane to my point.

Netsential clearly had a massive security vulnerability in their system that allowed one user to access the data of all other users. That's very much on them.

Consider a company that provides physical storage units and advertises that they are secure and can only be accessed by their owner. Then it turns out that there was a back alleyway running behind all the units that allowed any owner who had access to one unit the ability to access any other unit, without a key. I don't think anyone would suggest that would be anything other than a massive security oversight by the storage company. Yes, what the thief did was illegal and should be dealt with. But you'd have a hard time convincing me that the company itself wasn't primarily at fault for such a huge oversight in the first place. And I certainly would never use them again.
