A Texas company is threatening to press criminal and civil charges against a Minnesota Public Radio reporter after she uncovered a security lapse that exposed sensitive data for at least 500 people. Bellaire, Texas-based Lookout Services admits that misconfigurations on its website left databases containing names, dates of …
Suing a news agency AND a government agency?
Good luck with that! Journalists are kind of held sacred over here, and I can see the court saying the public interest overrides their wishes in both instances. I think they'll have more success pissing up a rope.
Sounds Like Another Case of Mistaken Corporate Responsibility
Sounds like a company scrambling, too late, to cover its lost assets. Clearly, they had missed their own due diligence work, in how they put their web systems together. The blame is not that reporter's right to take, no matter how hard that company tries to push it onto her, and off their ... assets.
"It would appear Lookout isn't quite as savvy."
Damn N00BS! Too much money, not enough brains. Oh gee, they had a whopping "TWO" companies test their website. That should cover about 0.000000001% of hacking techniques performed by most blackhats. :p
Security is only as good as the weakest exploit. Funny how SecurityMetrics and Adhost missed something so pathetically simple.
"..added and subtracted things from the web address, finally getting through to the state info."
Even N00bie script-kiddies know how to do this! ;)
What a bunch of Morons. :p
Typical fucking yanks.
- I fucked up
- Someone found me out
- I'll sue them for finding out
Jesus fucking Christ you morons - fix your website and be thankful the exploit wasn't published as well.
"They breached the security of the database without authorization"
What bloody security?
As to the CEO's statement "..website was recently audited for security by penetration testers from SecurityMetrics and Adhost", firstly, is Adhost a security expert company? (dunno about the other), but then she fails to give the results of the audits. Might have been damning. McKinnon would've been a better choice of 'penetration tester'.
IANAL, natch, but they haven't got a leg to stand on, as far as I can see. As far as PR goes, a lawsuit would be a disaster for SecurityMetrics and Adhost. Maybe they'll counter-sue.
Talk about brass neck!
Have to sort of agree with Gene Cash, in as much as if they tried it over this side of t' Atlantic, they probably WOULD get away with it.
It's the sort of 'defensive' tactics you'd expect from a govern-mental department.
Well we all know about Lookout's technical failings now. Whose fault is that - MPR or Lookout? Worse is that the technical incompetence appears to be insignificant compared to their managerial/PR/business skills. I don't think MPR even reported on that. Not own goal but own hat trick or more ...
Maybe his defence should have been that he was a reporter instead of having Aspergers. Might have had more luck.
The CEO is an attorney
Elaine Morley is an attorney. I don't know what she hopes to get out of it. She should be smarter and not waste money on these lawsuits. We may not have noticed anything but now that there is publicity she will have egg on her face and I doubt very many companies and gov organizations will want to deal with Lookout Services. The company does I9 verifications, for heaven's sake. That means it has/processes records of a HUGE number of employees. I can bet larger organizations have already crossed Lookout Services from their list for next year's renewal.
As they say, everything comes from the top. MS could have cared less about security till gov organizations decided to twist its arm. Then Bill Gates and Steve Ballmer ordered security as the top priority and drove it down to the line engineers.
Lookout Services taking a stand against whistleblowers implies that Lookout Services is going to litigate out of the mess. Fine. It is tainted now.
"Tell us what you saw and how you did it"
This seems to admit that the company concerned don't know what has been accessed nor how this was achieved - I can't believe they would want to acknowledge how little they know. AFAIK, all the individuals whose personal data has been exposed must be informed of the breach(es). I wonder how many of them might sue, given that the CEO acknowledged that they "screwed up by caching credentials on several web pages".
Publish and be damned
Lookout Services reminds me of a sign I once saw in a Texas bar in El Paso.
Beware of the bullshit!
Lookout Services is obviously an immature company, and not too reliable, either. Hopefully some of the people exposed will sue Lookout Services so they know who did wrong, certainly not the reporter.
This could backfire nicely...
The news person should get a class action with the 500 people and sue the morons for the information leaking out (sure in the US there's bound to be a case for distress and trauma).
They should prosecute themselves
By creating the insecure system that allowed the reporter to obtain access to the insecure accounts, the company has AIDED AND ABETTED any so-called crime.
Thus, the fault is entirely with the company.
Never shoot the messenger. In doing so, you only draw yet more attention to your own INCOMPETENCE.
Someone finds a substantial hole in their security and instead of fixing the problem and keeping quiet, they launch into a bunch of yelling and posturing... Interesting tactic for keeping your company name from receiving bad publicity. I don't think it is working.
Sued for rattling doors
So, someone was walking down the street rattling doors on storefronts, and found one that had been left unlocked, though there was an "authorized personnel only" sign on it, there was no guard.
She told the company and a few people who have an interest in the company that the door was being left unlocked, then wrote a story about it.
So the company sues her for telling the world that they don't have their door locked? Brilliant business tactics, that.
Oh, and from personal experience, website testing is usually totally automated. All they do is to scan for open ports and what version of various software you have installed, and report potential vulnerabilities. They don't check for bad programming on your site; you could have any number of vulnerabilities in your own website code, they'll never find it. You need a human with some knowledge to take a peek to discover those problems.
Another perfect example...
... of the Streisand Effect!
How many people would have heard of the vulnerability of this system if they hadn't been so stupid as to try to sue someone for helping them?
Your Typical Redneck Texans
They don't like to be messed with and sure as hell don't like to be proven vulnerable!! So yeah blame it on someone else, shoot the messenger!!! Don't take responsibility for your own stupidity or thank the person for finding your problem!!! STOP this nonsense now before you have no company!! Apologize to MPR, the reporter and thank them for finding your bug and get on with salvaging your business or you won't have one left!!! TAKE RESPONSIBILITY FOR YOUR OWN MISTAKES!!!!!! WE ALL MAKE THEM, GET OVER IT!!!