No hack involved, blunders all round.
Nice and brief El Reg!
It must go into the books somewhere I'd suggest somewhere near JS after all 4chan couldn't hit an elephant at that dist.....
Off-the-cuff bravado aimed at internet pranksters has led to what must already rank as one of the worst ever data leaks, by the anti-filesharing solicitors ACS:Law. The personal details of thousands of ISP customers accused of unlawfully sharing pornography, as well as video games, are now freely available online. The …
While the fellow in charge of ACS:Law was clearly unaware of the temperature of the pot he was stirring with his comments, I am surprised that a website restoration would go THAT badly awry, and another fairly obvious explanation would be that a particularly adept 4chan type got into their network and surreptitiously "adjusted" ACS:Law's website with the private data. Certainly if I were ACS:Law that'd be my defense, anyway.
Perhaps I'm being misinterpreted. I'm agreeing that their data was clearly inadequately protected, and that they do deserve whatever legal punishment they face. What I'm wondering was who specifically exposed the data to the website? A stupid ACS:Law person, or a malicious 4chaner?
You guys think way too technically for this.
ACS don't have their own servers or anything of the sort; their account was previously hosted on a shared cPanel hosting account at Dataflame (probably costing them about a fiver a month). When Dataflame cancelled their account following the DDoS, they will have provided ACS with a backup of the account (cPanel will generate restorable account backups, including all email content), which ACS will have then uploaded to their new account with whoever their new shared cPanel host is, to then restore the backup into a working account.
Stupidity, however, meant that instead of uploading the backup to the account's root to be restored from there (which is not publicly accessible), they uploaded it to the account's public_html folder (which is).
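The failure described above (an account backup landing in public_html instead of the account root) is easy to catch before a web server ever serves it. What follows is an added example for this thread, not ACS:Law's, Dataflame's or cPanel's own code: it walks a document root for archive, database-dump, mail-store and spreadsheet files, and emits an Apache 2.4 .htaccess rule as a backstop. The account layout and file names are constructed, and the backup-<date>_<user>.tar.gz naming is assumed from cPanel's convention.

```python
import os
import re
import tempfile

# Name patterns that have no business under a shared-hosting document root.
# The cPanel entry follows cPanel's backup-<date>_<user>.tar.gz naming (assumed).
# Dict order matters: the first matching category wins.
EXPOSED_PATTERNS = {
    "cpanel account backup": re.compile(r"^backup-.*\.tar\.gz$", re.I),
    "archive": re.compile(r"\.(zip|tgz|tar|tar\.gz|7z|rar)$", re.I),
    "database dump": re.compile(r"\.(sql|sql\.gz|bak)$", re.I),
    "mail store": re.compile(r"\.(mbox|pst|eml)$", re.I),
    "spreadsheet or document": re.compile(r"\.(xls|xlsx|csv|doc|docx)$", re.I),
}


def classify(filename):
    """Return the category a file name falls into, or None if it looks harmless."""
    for category, pattern in EXPOSED_PATTERNS.items():
        if pattern.search(filename):
            return category
    return None


def scan_webroot(webroot):
    """Walk the document root and return sorted (relative path, category) pairs
    for every file a browser could fetch but should never be able to."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            category = classify(name)
            if category:
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                findings.append((rel.replace(os.sep, "/"), category))
    return sorted(findings)


def htaccess_deny_rule():
    """Apache 2.4 .htaccess fragment refusing to serve the same names, so the
    next mis-uploaded backup gets a 403 instead of a download. Assumes the
    vhost's AllowOverride permits AuthConfig directives in .htaccess."""
    return (
        '<FilesMatch "\\.(tar|gz|tgz|zip|7z|rar|sql|bak|mbox|pst|eml)$">\n'
        "    Require all denied\n"
        "</FilesMatch>\n"
    )


def build_sample_tree():
    """Create a throwaway cPanel-style home directory with constructed files
    (no real data) and return (home, webroot)."""
    home = tempfile.mkdtemp(prefix="acct-")
    for rel in (
        "backup-9.24.2010_12-00-00_acct.tar.gz",              # account root: not served
        "public_html/backup-9.24.2010_12-00-00_acct.tar.gz",  # same file, wrong place
        "public_html/index.html",
        "public_html/letters/batch_0917.zip",
        "public_html/uploads/subscribers.xls",
    ):
        path = os.path.join(home, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
    return home, os.path.join(home, "public_html")


if __name__ == "__main__":
    home, webroot = build_sample_tree()
    print(f"scanning {webroot}")
    for rel, category in scan_webroot(webroot):
        print(f"  EXPOSED  {rel}  [{category}]")
    print("suggested .htaccess backstop:\n" + htaccess_deny_rule())
```

The scan only looks at names, so it is a cheap check to run from cron or before flipping DNS to a rebuilt host; the .htaccess rule is the belt to go with those braces, since a restore that copies the archive into public_html will also copy whatever .htaccess lived there before.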
While the media likes to make out that 4Chan is just a bunch of teenagers playing silly pranks, some of its members are extremely skilled hackers. If they put their heads together there's probably enough hacking talent on 4Chan to get into just about any system, let alone into the off-the-shelf website commissioned by that particular company.
The odds are that their security procedure was to turn automatic updates on and then leave to get on with things itself.
They probably just installed a web server package onto a second server and plugged that into the net to cope with the extra demand caused by the DDoS, not realizing that the second server had sensitive information on it.
Thank you Chris for being the first of the higher profile news outlets to come out and say it. There was no hack involved. This was sheer incompetence. I've spent 24 hours trying to get other 'hacks' to correct their reporting of this and have finally given up now that the consensus appears to be that "4Chan hacked the site and stole the data"
It was not even 4Chan, which is just a means these people use to co-ordinate information.
True. And 4chan as an entity gets way too much credit for being behind stuff like this. It may be that one member of 4chan has some noobish "hacking" skills and manages to pull off a stunt and post the results to 4chan. However, in the press the whole community gets credit as some kind of elite hacking group rather than what it really is: a loose-knit community of mostly socially maladjusted teenage misfits looking for validation among other equally socially maladjusted teenage misfits, and not forgetting free pr0n.
It's amazing what a group of unremarkable people with unremarkable ideas can achieve simply when there is enough of them working together; however, even the few decent memes originating from 4chan are the result of one or two half bright individuals whose work just gets repeated ad infinitum by the millions of dullards that hang out on the boards until people can't help but take notice. OK so they invented LOLcats (for which I do have some appreciation) but you'd think they invented the Internet the way some people go on about them!
At least some 4chan members are self-aware enough to recognise and acknowledge they are the scum of the Internet and prefer it that way, rather than pretending they are its saviours.
If any of the news reporters spent more than 5 minutes on this site and giving it some independent scrutiny rather than slavishly following whatever they think will get them page views and Internet credibility they'd realise this and stop giving this website credibility and news time it doesn't deserve.
But it looks like all of the BT customers could also sue them too.
Might make any court cases brought by ACS interesting as well. The leaking of the data could well be considered to prejudice a fair trial, so the judge might well just choose to throw out all the cases.
Then there would be the reliability of the data: if the data cannot even be handled in a legal way by the ISP, who is to say that it was acquired in a way which includes sufficient safeguards to be used as evidence in a court case? Without strong encryption and signing there could be no proof that the data hasn't been modified. So again this would make a trial difficult.
Then of course ACS' clients might feel that they have screwed up any chance of their seeking legal redress, and they might feel that they should sue ACS for professional incompetence. Hmmm, the list goes on.
Maybe he should be glad of the long queues at the coffee shop. The legal profession are after him, the ICO are after him, his victims will probably be after him and now his clients. He might well need a job in a coffee shop when all this is said and done.
Only all the people I come across in coffee shops are better than that.
And I couldn't honestly be that hard on the techies who bungled putting the site back up while under pressure.
But what idiots thought leaving documents like that unprotected on the website was a good idea? The only thing protecting them was that people didn't know they were there. No doubt some idiot solicitor demanded he be able to access them anywhere, passwords were too hard to remember and it had to be NOW.
All works fine until you rebuild your Apache and have the wrong default document configured.
You are absolutely correct
“Ali, just one more thing concerning the LoC generation, would you kindly remove password protection on the PDFs, as requested by the fulfilment centre during the last run of data. Thanks.”
By all means, remove password protection on the PDFs. That way, if the backup ends up in the webroot someday, the world will be able to see everything ))
that is ACS:LAW and their relationship with our ISPs and the courts, according to some sources.
I'll bet a few ISPs are wringing their hands as well. It will be interesting to see, when everything has been read and analysed, who really is fighting our corner and who is stiffing us.
So why didn't BT read it?
If they had encrypted the data sent to ACS:Law, or simply used a password-protected link to an SSL site, sensitive details of their customers' downloading habits would not be all over the internet.
It is not just ACS:Law who should be paying fines of £500,000.
Ian Livingston should be digging deep into his pockets too. Their incompetence is inexcusable.
I haven't read Bruce's book. Despite having implemented some email encryption solutions... But I expect BT could argue that they transmitted the document in question over an encrypted TLS channel and that further encryption wasn't required.
Many email servers now use TLS first and fall back on plain text.
Whether a company as large as BT has sufficient log history to prove that is debatable.
Whether the connection was forced to be TLS (if indeed it was) or if it was just "luck" is also debatable.
Whether anyone has ever checked certs from both ends is unlikely.
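Whether a given hop used TLS is something the messages themselves can partly answer: Postfix and Exim write the negotiated protocol and cipher into the Received: header they add, and RFC 3848 defines the ESMTPS/ESMTPSA keyword for a session that used STARTTLS. The following is an added example, not code from the original thread and not drawn from ACS:Law's mail: it unfolds the headers of a constructed message (the hosts mail.isp.example, relay.isp.example and mx.lawfirm.example, the IDs and the message text are all invented) and reports per hop whether the header shows TLS and which cipher. Two caveats the code cannot remove: a Received: line is written by the receiving server and is trivially forged by any earlier hop, so only the lines added by servers you control count as evidence; and the annotation records that encryption was negotiated, not that either side verified the other's certificate, which is exactly the point made above about certs.

```python
import re

# Constructed message with invented hosts; Received: headers read newest hop first.
SAMPLE_MESSAGE = (
    "Received: from mail.isp.example (mail.isp.example [192.0.2.10])\n"
    "\tby mx.lawfirm.example (Postfix) with ESMTPS id 3F2A1\n"
    "\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))\n"
    "\tfor <disclosures@lawfirm.example>; Mon, 27 Sep 2010 10:15:52 +0100\n"
    "Received: from relay.isp.example ([192.0.2.20])\n"
    "\tby mail.isp.example with esmtps (TLSv1:AES256-SHA:256)\n"
    "\t(Exim 4.69) id 1P0ABC-0001xy-2Z; Mon, 27 Sep 2010 10:15:50 +0100\n"
    "Received: from desktop.isp.example (desktop.isp.example [10.1.2.3])\n"
    "\tby relay.isp.example (Postfix) with ESMTP id 9B7C0;\n"
    "\tMon, 27 Sep 2010 10:15:48 +0100\n"
    "From: disclosures@isp.example\n"
    "To: disclosures@lawfirm.example\n"
    "Subject: court-ordered disclosure batch\n"
    "\n"
    "Spreadsheet attached.\n"
)

# Evidence that a hop negotiated TLS: the RFC 3848 ESMTPS/ESMTPSA keyword, a
# Postfix "(using TLSv1.2 with cipher ...)" note, or an Exim "(TLSv1:CIPHER:bits)" note.
TLS_MARKERS = (
    re.compile(r"\bwith\s+E?SMTPSA?\b", re.I),
    re.compile(r"\busing\s+(TLSv[\d.]+|SSLv\d)\b"),
    re.compile(r"\((TLSv[\d.]+|SSLv\d):[^)]*\)"),
)
POSTFIX_CIPHER = re.compile(r"using\s+(TLSv[\d.]+|SSLv\d)\s+with\s+cipher\s+(\S+)")
EXIM_CIPHER = re.compile(r"\((TLSv[\d.]+|SSLv\d):([^:)]+)")


def unfold_headers(raw_message):
    """Unfold RFC 5322 folded header lines into (name, value) pairs, stopping
    at the blank line that ends the header block."""
    headers = []
    for line in raw_message.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def analyse_received(raw_message):
    """One dict per Received: header (newest hop first): sending host, receiving
    host, whether the header shows TLS, and the protocol/cipher if recorded."""
    hops = []
    for name, value in unfold_headers(raw_message):
        if name.lower() != "received":
            continue
        m_from = re.match(r"from\s+(\S+)", value)
        m_by = re.search(r"\bby\s+(\S+)", value)
        m_cipher = POSTFIX_CIPHER.search(value) or EXIM_CIPHER.search(value)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "tls": any(p.search(value) for p in TLS_MARKERS),
            "cipher": f"{m_cipher.group(1)} {m_cipher.group(2)}" if m_cipher else None,
        })
    return hops


def all_hops_encrypted(hops):
    """True only if every recorded hop shows TLS; an empty list proves nothing."""
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    hops = analyse_received(SAMPLE_MESSAGE)
    for h in hops:
        state = f"TLS ({h['cipher']})" if h["tls"] else "PLAINTEXT"
        print(f"{h['from']} -> {h['by']}: {state}")
    print("every hop encrypted:", all_hops_encrypted(hops))
```

In the constructed sample the two server-to-server hops show TLS but the first hop from the sender's desktop to its relay is plain ESMTP, which is the usual shape of "TLS first, fall back to plain text": the headers can show that a particular copy was encrypted in transit, not that the receiving site enforced it.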
The fact that ACS Law stored and published highly sensitive data unencrypted on their own web server doesn't imply or mean that this data wasn't sent to them securely by the ISPs who provided it, presumably because it would have been illegal not to do so, given that a court warrant had been obtained.
The "criminal" attack on their website is different to their criminal breach of Data Protection Laws by ACS:Law. Thank you, El Reg, for making this so clear.
Andrew Crossley knows this, I'm sure, but is trying to spin for PR (in my humble opinion).
It was serendipity on the part of Anons from all corners of the net, not just 4chan but anti-anti-piracy activists and good people who never/rarely go to 4chan. Never underestimate the creativity of a bored bunch of teens.
Partyvan.info has always been the main hub, but as it's very decentralised, there are lots of little hubs.
I would remind people with weak stomachs not to peruse the 4chan boards.
Are you sure that they're teens? Not middle aged men pretending to be teens?
There appear to be more teens on the web than there are teens in the world. Half of them are little kids pretending to be older, and the other half are adults pretending to be younger. There's probably a couple of real teens there, just by pure chance. They are the ones who are sitting around looking confused while everybody around them talks about Hannah Montana and The Who.
There's a lot of us teens online because we have a shitload of free time compared to adults doing, say, a typical 9-5, and we've grown up with technology so are for the most part familiar with its basic workings (unlike some people; I'm not going to go so far as to say understand it...)
I find it rather odd that this only "could" cost them up to £500K. A breach like this could actually bring some real harm to those named, yet the firm responsible has only the relatively toothless ICO to answer to, while filesharers are pursued for many thousands per song.
I'm not arguing that filesharing is right or wrong, but it's a nice demonstration of the complete lack of a sane perspective on things.
If a company destroys the privacy of thousands, they might get a (very) tiny dent in their end of year bottom line, but an individual who torrents an album will be dragged through the courts for years or bullied into payment.
I would assume (but IANAL) that this is a penalty that is imposed in addition to damages claimed in any civil cases brought by people harmed by the disclosure. In this instance I would imagine a couple of ambulance chaser lawfirms have downloaded the lists and are currently approaching potential clients in a class action case.
If this is true, both ACS and BT can be fined by the ICO and, presumably, sued by any of those who encounter any loss as a result of this leak. Could they be sued anyway, even if there is no attributable loss?
Sky claim that the information they divulged was appropriately encrypted when it was passed to ACS so they may be in the clear. The situation with PlusNet is not clear yet AFAIK.
Crossley certainly pissed on his chips though, what a prize plonker he looks now!
You do know that "pieces of eight" are in fact silver coins, right?
They are called "pieces of eight" because they were scored so they could be broken into eight pie-shaped bits. Useful for transactions costing less than a full coin, like getting a shave and haircut (which used to cost only two bits in some places).
No, you don't need some sort of licence. If you're processing personal data you have to have a registration under the Data Protection Act, and you have to say for what purpose(s) you are processing data and from what classes of data subject. The notification process is explained here: http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/keeping_the_register.aspx
For all the people suggesting that ACS:Law can be sued by the data subjects whose information has been compromised: I don't think the Data Protection Act gives them the ability to sue, unless they can demonstrate actual harm. And they don't have a professional relationship with the company, so malpractice suits are out. IANAL, of course. These are the Interwebz. Nobody is a lawyer here.
there's the law of tort which can make 3rd parties party to a contract in certain circumstances.
For example, even though none of the people on the leaked list had any contract with ACS:Law, they certainly had a right to expect their data be held in confidence. The fact that ACS:Law managed to fail every basic element of data security and caused those details to become public certainly places ACS:Law in a tricky position legally. And they needn't sue under the DPA, although it's breaching would be taken into account - they could just sue for libel.
I now understand that the database also contained comments by ACS:Law against certain individuals. Since I have no reason to believe ACS:Law are any better than any other company, I can guarantee that a proportion of those comments will be uncomplimentary, and a proportion of those will be libellous.
Unfortunately for ACS:Law, the glare of publicity on this case has meant that some of these people will find out. And they will sue.
This is my favourite Reg story of the last year. It just gets better and better.
It's funny that Andrew Crossley, who is dealing with activity on the internet is so clueless that he thought taunting Anonymous was a good idea. Presumably he didn't know who they are but he probably does now.
I have a huge smile on my face as I type this (hence the icon) - Crossley, you are a prize plonker and it looks like you will finally get what you so richly deserve.
Something along the lines of
'Dear Sir, following the press announcement of your illegal release of personal data, please fulfil my information request....'
http://www.ico.gov.uk/upload/documents/youth/template_sar_letter.doc for a template.
I'm not even a subscriber to any of the ISPs that have been mentioned. But then, I've no way of knowing what other providers they may have been in contact with.
I believe if they DON'T answer, they'd be up for trouble from the Information Commissioner, again.
This one could run and run.
Let's explore the idea a bit more....
"How can we deal with this boss, we need to answer all these within 40 days?"
Options appear to be:
1. Just fail and take the punishment.
"It's a thought, the ICO's a toothless fellow anyway".
2. Try and take a short cut to get all the replies out in time:
"Just fire back a boilerplate response to them all that we hold no details, they're all just troublemakers anyway". - All well and good until someone slips through who they're chasing, there's at least one name on the list that appears to have a typo so a straight forward search won't match him. Of course they could make this an acceptable route by deleting all their data, but that certainly ruins this business (of which it seems that this file sharing scam is the vast majority), or they also risk giving a cast iron escape route from their sham to anyone who's on one of their lists.
"Ignore the ones that aren't recorded delivery, if they can't be bothered to pay for that, they'll have forgotten about this in 40 days and be on their next hobby horse". - Well yes, apart from say me, who will have a certificate of posting, and has already set a reminder 40 days hence.
As a parting comment, I thought that Hovis had a loaf named after Crossley, but on closer inspection it said "thick cut".
Am I the only one wondering why such a company was using a cPanel server hosted outside their company for their internal emails? Any competent company would have a local mail server in house for internal email. From the emails I've seen, ACS had one server for everything, web based, and running cPanel... incompetence at the highest level.
What if your office has next to no physical security? Or there is no central office? It does happen!
Having a hosted solution then makes far more sense in some cases.
There's many reasons for not having local servers. Space is always another factor.
Hopefully that shouldn't mean your email is open to the world....
Possibly because ACS is a very small firm, and 'outsourced' almost everything. It has one solicitor (Andrew); it rents serviced office space (is there any other option in London?!); apparently uses a contractor for IT support on an ad-hoc basis; and makes extensive use of paralegals (par for the course) and bought in temp staff to cope with additional workload. Incidentally, a majority of the staff appear to work from home - so, UK managers, see, it can be done ;-)
But soooooo glad this happened...
Previously I'd assumed that 4chan etc. were a bunch of script kiddies who generally amused themselves baiting Scientologists along with their less public-spirited hobbies. Actually the lack of any hacking on their part in this (other than the DDoS attack) can't deny them a glorious victory over a man whose smugness and arrogance has led him to have some very difficult questions asked of him (what was he doing with that info in the first place?) and hopefully some respectable fines and a class action suit.
It seems lawyers have little or no imagination. If only they'd thought to fake a file with random names and addresses, and take a leaf from James May by leaving a message through the first letter of each line explaining how it was a trap to display the incompetence of the script kiddie community. Leave that up to be found & distributed joyously by the kiddies, they might have been able to put a serious dent in their attackers' credibility.
As it was they'd have gotten away with it too, if it hadn't been for those meddling kids.
I'll get me coat.
" Spent much of the weekend looking for a new car. Finances are much better so can put £20-30k down. May go for a Lambo or Ferrari. I am so predictable!"
He can kiss that idea goodbye then, it'll be a succession of stress free waits for the train from now on.
Payback is a bitch and this time she's brought her sisters.
How about sending a letter to Ambulance Chasing Shysters:Law threatening legal action but offering to settle out of court for 5000 pounds? They should already be in possession of a template they can use for this letter...
I wonder how much more amusement this saga is going to provide.
If it turns out that they were sending customer information across unencrypted via email. Very interesting stuff, I wonder what it'll do for the Digital Economy Act.
BTW there's a torrent with a PE version of Thunderbird which makes it trivial (so I'm told) to search through and see how sh*tty this company really is/was.
From one of the many, many emails:
From now on, if you find a response to a third party letter, do not send a security letter. Instead, please move the letter into the ABANDON HOPE folder in General Paras.
This is because Andrew and Adam will be drafting a new letter so we can drop a couple of hundred cases over the next couple of weeks, putting pressure on those who we do not drop to settle.
If you find someone who is blind, one legged and dying, and you think they are not worth pursuing due to the possibility of bad PR, please also put them in there. However, the majority of cases will be continued.
Enjoy your evening,
ACS Law Solicitors
Someone who is a better privacy lawyer than me will work out whether the ICO registration for Andrew Jonathan Crossley (Z186195X) actually covers him to have these ISP customer names at all, see http://www.ico.gov.uk/ESDWebPages/DoSearch.asp?reg=4806426.
The purposes notified are Staff Administration; Advertising, Marketing & Public Relations; Accounts & Records; and Legal Services, the last of which defines data subjects as Customers and clients; Complainants, correspondents and enquirers; and Relatives, guardians and associates of the data subject.
Nowhere AFAICS does the notification cover data subjects who are the targets of legal action; I'd expect to see a notification for the purpose called Administration of Justice, and/or to see "Offenders and suspected Offenders" included in the Legal Services category.
Tum tee tum...oh dear....have I done something wrong...Oh SHIT....!
I've seen novices do this before.
They've either reset their web server software or reinstalled it and made the fundamental mistake of putting private files on it or allowing access to LAN shares which exposed this stupid error.
Their web master needs to leave their office and never come back....
My very good friend called me a couple of weeks ago. He was more than a little bit distressed at having received a letter from ACS:Law demanding upwards of £400 for his illegal downloading of some porn.
It was rather cruel perhaps that my immediate reaction was to deep belly laugh down the phone at him, but he's so far followed my advice and ignored the hell out of the letter.
It will be interesting to see if they go out of business before they get around to sending him a second letter.
"Ignore it" is probably the worst advice that you can give your friend - other than "pay them", of course - despite their activities it's still a legal letter from a solicitor (although how long he actually continues to practice is down to the professional body)..
http://beingthreatened.yolasite.com/ is one of several sites giving advice on letters of denial.
Sensitive personal data has no place on any server exposed to the Internet in this way, and especially not on a web server, as it's only one remove from being hacked. Such information should be held on a further server hidden behind a firewall and only accessible via a secure network or VPN using strong authentication. Of course this law company is a very small operation which probably lacks the technical resources to implement such a thing, although the hosting company would (I hope) be able to put something appropriate together.
However, this is going to happen more and more as sensitive personal information becomes available to many smaller companies. The security is only as good as the weakest link.
I know this is going off on a tangent, but these thoughts came as a result of seeing this article and the fact they're keeping data on suspected targets.
If a company such as this one writes to you claiming infringement, are you able to simply respond asking them, as required by the data protection act, to delete all of your data from their database? I'd expect exceptions where it's gone to court, but as I understand it, this bunch of lawyers don't bother with the court bit.
I'm sure the media industry, or the government who are stooges for the industry, will get to the Information Commissioner and make sure any fine is minimal as they are "fighting the good fight", and give acs:law a slap on the wrists for breaking the law!
they will say shit like "lessons need to be learnt" as acs:law & others are allowed to continue their extortion racket..
Andrew Crossley sets up a business model that one day will require a court to believe that his company understands the Internet and can provide reliable evidence that his clients have been injured by the conduct of people on it. He then goes on to offer proof-positive to the world that they don't.
This person is a legal "professional" handling personal data. He ought to understand the Data Protection Act. However he demonstrates that he has either no concept of or complete contempt for it.
IMO it doesn't matter if the information released got out as a result of hacking or not. I don't believe that information should ever have been on a public-facing server in the first place.
I guess this is the big test of whether or not the DPA protects people. If there was ever a case of a breach of the Data Protection Act that Christopher Graham ought to be able to successfully prosecute then this must be it. Can anyone think of any of the Act's fundamental principles that haven't been broken here? If Mr.Graham doesn't hang ACS high and impose a penalty that is truly meaningful then I can't see any point in DPA or the ICO existing. I hope my lack of faith is proved wrong.
ICO are toothless.... they usually just issues slaps on the wrist.
However, I have heard rumour there may be credit card details in there. And storing those in plaintext is a major breach of PCI-DSS. In which case he could get a bill from Visa / Mastercard for both non-compliance fines AND the fraud costs.
Yep, seen that before, in places where I could not believe my eyes.
The problem is the management culture. Something is deemed a negligible risk simply because it has never happened before. A potentially fatal assumption.
Now, that a small law firm has trouble keeping up with new technologies doesn't surprise me.
That a telecommunications giant fails to grasp even the very basics of secure communication, however, is inexcusable.
Somebody must be sacked over this, otherwise this culture won't change, and the next data disaster will make this one look harmless.
As ACS:Law admit, this threat is pure BS -
“since you are the account holder of the internet connection associated with IP address xx.xxx.xx.xxx, as confirmed by your ISP, British Telecommunications (BT), and are therefore responsible for any and all activities that occur over your internet connection including the infringement of copyright in our client’s Work.”
Their own legal assessment of this threat?
"There is NO case law to support such a general assertion without physical evidence on the infringer’s computer and ALL case law points to the opposite interpretation of that statement."
From perusing the offending data it seems that:
- the court orders instruct BT et al. to supply the data encrypted on CDROM or similar. If they did this, and I can't see any reason to say otherwise, then they are in the clear.
- ACS:Law decrypt it, then email the spreadsheets to ng3sys.com for them to load onto a database and print the letters.
- in at least one instance, ng3sys email back a URL to a public zip file in the root of /their/ webserver containing the letters!
Notwithstanding the idiocy of using an off-site mailserver in the first place, why the hell is all this being emailed about unencrypted and even put in such public places?
BT confirm that their data was sent by email, unencrypted, in direct breach of the court order.
"The ruling, ordering internet service providers to hand over data to ACS:Law, states that it should be provided in an "electronic text format by way of Microsoft Excel file saved in an encrypted form to a compact disk, or any other digital media"."
How many more revelations before we get proper, multi-agency investigation into this whole catalogue of breaches?
they also stipulated that it needed to be treated with confidence and stored securely (despite it being transmitted, rather insecurely).
What's even more interesting, and sure to make all the freetards crap their pants, the dates of the offenses registered are from late 2009. i.e. About a year ago.
In other words, there is another year's worth of data to sift through and for other lawyers to issue lawsuits over. Just because you haven't been caught downloading that movie 6 months ago does not mean you won't.....
If you are a freetard, you can expect your letter in the post.
attributing this to 4chan is dangerous, 4chan itself is filled with horrible little toerags who spend their days getting people they don't like fired from their jobs, ruining good people's lives etc.
they are like the bullies in school who push each other to do more and more f'ed up things
and didn't they convince 1 teenage girl to commit suicide or something ?
If only the ICO had enough teeth to just shut these cowboys down as of yesterday.
I hope every person they ever wrote to presses charges for:
- libel/defamation of character (accusing them of viewing hardcore porn with no evidence)
- fraud (pretending there's a 'lawsuit' that can be 'stopped' if they pay up)
- blackmail (we know where you live and what you've been watching. Pay up or else)
- multiple DPA breaches (just read the article)
- being dickheads of the highest order
The jmiller emails for a paralegal position include some 30+ CVs; have these people been notified that their personal information is now in the public domain?
Half a million pounds is nowhere near enough. ACS and the directors should never be allowed to hold personal information again, and all the paralegal applicants should be compensated against future identity theft.
On Usenet there is a thunderbird portable with the mail file loaded. I particularly like this exchange:
"I have a software solution for you that is almost ready to go (2 weeks). It does everything you could ask for and some of the things you haven't even thought of yet.
I would not recommend running your business on Google Docs. It is a massive target for hackers:"
Biting the hand that feeds IT © 1998–2019