Tuesday, July 3, 2018

WTH: We left personal data exposed for months to catch "the" hackers.

I often mention that not a week goes by that someone doesn't give me something juicy to blog about.

Some weeks are just amazing.

So this will be an opinion piece since everyone is entitled to an opinion ;-)

If you want the short version, here it is: 

Short version:  Company exposes personal data of over 130,000 citizens is now considering hiring a security firm to test their sub-par application, says that they knew of the security issue for months and is convinced it was only there for 2 months and confirms they left it open to catch "the" hackers.

Short analysis:  They didn't know. and they couldn't have caught "the" hackers since most are in foreign countries and even law enforcement can't catch them.  Conclusion, they are clueless on security, and the cities who outsourced their services to these clowns is to blame for not doing ANY security due diligence.

The longer funny version: 

I blogged about this issue last week (see previous entry).  What has changed is a newspaper article was written on the subject, and it seems that the company in question has no idea how to handle a security incident (like most companies).  They are just opening their big mouths and the vomit that is coming out is so telling on their security maturity, that I will now be using this example as I teach to my students.

Strike 1:  for months "we left the site vulnerable so we could catch the hackers".

Comment 1: Stupidest thing I heard this month (but in their defence, it is only the first week of the month).  The hackers you could catch are the local ones checking out the vulnerability for the fun of it, and that wouldn't do much as they probably have no criminal intent.  The real ones are smart enough to route from another country or are actually from another country.  The fact that they think they will catch someone proves that their maturity is rock bottom.  The simple idea of leaving REAL data exposed in order to catch someone that they can't possibly do anything about is just wow.  This confirms a complete lack of understanding of both security and privacy regulations.  Also, let's see the police report since you obviously contacted law enforcement as soon as you knew someone was hacking you since you wanted to "catch" them.... oh wait... you didn't know about any of this until the journalist called...

Strike 2: Only a few accounts had Social Security Numbers.

Comment 2:  This seems to imply two things; first not much valuable data was exposed and secondly birthdates, home addresses and medical conditions aren't important.  It is important to note that the video I saw seemed to pick out accounts randomly and they all seemed to have Social Insurance Numbers, so I'm not even conformable with the declaration that only a few accounts have a SIN.  In fact, this entire story is a SIN  ;-)

Strike 3: We are looking into hiring an external security firm to test out our application.

Comment 3: What ?  Out of 200 municipalities, no one put this as a requirement! And why are you only looking at it now?  Haven't you proven without a shadow of a doubt that you desperately need adult supervision!?  When reporters started calling you... this didn't strike you as a great time to do this....

Strike 4:  We know exactly when the "bad code" was introduced and it has only been a few months so we know exactly which account have been breached and we are going to contact them.

Comment 4:  Yeah, you have clearly demonstrated that you are in full control of your ecosystem, and I feel confident that you actually "know" everything, had in place detailed logging that goes back years, that your software development lifecycle is solid to the point of finding other major issues in the past that have been introduced at other revisions.  I also feel very confident that you will take immediate action without a journalist calling you up to point out that your exposing all your customers data.  Is it beer time yet.....

UPDATE !:  La Presse just published an article giving even more ammunition to my rant.....

Strike 5 (Because this is that type of ball game):   They are claiming that only 30 personal records have been accessed.... yet an anonymous source sent me a series of videos containing a number way north of 30.

Comment 5:  This means that they have no clue who has accessed what or when.  For all we know, everything may have been scrapped by a bot and all the data ingested by a malicious actor.   Oh yeah... they could also be lying because that seems to come up a lot!

A recommendation for the company in question:  Next time, shut up and hire a professional to handle your PR/security issue.  Also, stop considering security and actually do it.  And as a final recommendation, stop lying and making it up as you go along.

A recommendation for the municipalities handing our private data to contractors:  According to GDPR and many upcoming privacy regulations you are responsable for handing off business processes to QUALIFIED firms.  This doesn't mean what you think it means.  It means they understand their duties.  For a software development firm, this means training developers on security and including security testing within the SDLC (Software Development LifeCycle).  It also means never level an exposed system... exposed.... so you can look at logs.  Oh wait... that was a lie.... since you had no idea you had a breach until the phone rang.....

I guess that is why I always tell senior executives to SHUT UP and let the qualified folks take the microphone.  Blurting out a bunch of incoherent crap like this only proves that you are either lying or incompetent.  

Big trophy for them this week, because in only a few statements they proved both.  Good job !


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies


Disposerons-nous un jour d'une carte d'identité numérique provinciale qui sécurise réellement vos opérations bancaires ?

  J'ai fait une entrevue ce matin sur QUB Radio basée sur un article du Journal de Montréal qui a été publié aujourd'hui et qui disc...