Child tracker outfit uKnowKids admits breach, kicks off row with security researcher The developers of child-tracker app uKnowKids have responded to reports of a data breach, admitting an issue had also exposed its proprietary IP. uKnowKids goes on to accuse the security researcher who uncovered its problems of "hacking" its data. The researcher involved, Chris Vickery, maintains he was acting in the public …
"Steve Woda, chief exec of uKnow and uKnowKids, admitted the issue while criticising Vickery and expressing doubt about his motives in an advisory to customers. 'The hacker claims to be a 'white-hat' hacker which means he tries to obtain unauthorized access into private systems for the benefit of the 'public good'".
And the basis for impugning Chris Vickery's motives are, aside from a desire to misdirect the attention of observers, what, exactly?
"And the basis for impugning Chris Vickery's motives are, aside from a desire to misdirect the attention of observers, what, exactly?"
Security researchers are less likely to check out that site, find problems, and report them. And if nobody reports problems that proves that there are no problems, doesn't it?
It is pleasing that they moved so quickly to get the breach fixed but even if they suspect that the person who found it had ulterior motives why does that need to be the the press bulletin, it just makes them look petty. A simple 'It is with significant regret that I share with you the news that uKnow had a private database repeatedly breached on February 16, 2016 and February 17, 2016.' followed up with specifics and full disclosure of the impact would have been much more grown up.
Perhaps it makes them look petty, because they are petty? So useful PR.
For example, whenever I see the "only a limited number of our customers have been affected" statement, I know that a) management don't give a shit, and; b) lessons will not be learned. Particularly given that "limited number" doesn't mean small, and is technically correct so long as all but one customer have been affected...
Of course when I see "lessons have been learned" I also know that no they bloody well haven't been.
Whereas our cloudy accounts are with a company who had an incident where their datacentre had a problem, which killed some hard drives, the fail-over didn't work and they lost a few hours of data. This was about a year before we signed up. After the event they published a decent discussion of what had happened, within a day or so to explain the problems to the customers. They then had about 10 further articles, over the following 3 months, giving a breakdown of what went wrong, what mistakes they'd made, what they'd learned and what they were doing to fix it, as they did it. Plus set up a system where you could have a backup sent to you each week, for peace of mind. They screwed up, but I've a lot more confidence they're doing things better now.
> only a limited number of our customers have been affected
I would go further and suggest that the number representing *all* the clients is "limited".
It is a meaningless word used to imply that the damage is small and could only be inappropriate when describing "infinity".
Other "useful" statements
A small number of our customers <- Meaning, all our customers, but that is a comparatively small number compared to , say, everyone on the planet
Only a percentage of our customers <- 100%
A fraction of our customers <- 10/10's
Save up to 30% <- Save somewhere between 0% and F.A.
Seems to me they're more interested in painting the hacker here, who has DONE THEM A FAVOUR as the culprit.
Typical knee-jerk defensive posture by the company, we see this all too often these days when they forget they should be busy apologising for the error, making good any fixes and shacking the hackers hand for having saved them from a world of ICO butt hurt.
They always seem to say that when they get caught, these days. As if that makes it OK. But on a site like this who cares about financial details, it's kids' safety they compromised with poor security, not a few f*ing credit cards.
From their perspective it's worse, they put their IP on the line along with their core business.
.. which makes me wonder why on earth they had not put in proper segregation. It's not like they were still starting up.
Woda had better be sure that his site really is secure now and that it stays that way. For a couple of reasons. Firstly, any subsequent visitors who find security holes aren't going to be the sort who report them back to him. Secondly by raising a bit of controversy he's painted a target on his back.
That's the main thing to take away from this story.
If you're going to cause a fuss about someone exposing a hole in your security, with even the slightest suggestion that they're the one at fault, you better be damn sure you're bomb-proof first. You've just attracted everyone's attention and a fair number of the people attracted aren't going to be half as nice. They're going to love making an example of you.
Locked drawers of a filing cabinet? Woefully insecure as the locks are easily popped. May I recommend an all steel safe with combination lock that only you have the combination to? Also immerse the safe in a large tank of seawater filled with hungry sharks. That should do it.
I don't understand how the hackers methods "unnecessarily puts customer data and intellectual property at risk."
Did I miss the bit where he published the information he'd found to the wider community?
Surely the company not securing the database in the first instance "unnecessarily put customer data and intellectual property at risk"?
At least the company did acknowledge that he had helped them out.
If I'd found that backdoor, I'd have ex-filtrated all the data, and leaked it anonymously, destroying the company for great justice.
Android (google play store), apple, instagram, facebook, twitter, and all other PRISM members ARE the bad guys. You don't fix that fundamental flaw by pouring security snakeoil all over it. You've just exponentially increased your (and your kid's) attack surface.
"If I'd found that backdoor, I'd have ex-filtrated all the data, and leaked it anonymously, destroying the company for great justice."
At first I was thinking that you sound like a cure that's worse than the disease, but then I thought you sound like another disease that's worse than the original disease; ever heard the phrase "two wrongs don't make a right"?
Paranoid much?
Ok, they were dumbasses, but a proportionate response is NOT to make the records of those kids and families available by leaking it anonymously.
1) Crusading for Justice does not involve potentially putting those kids at risk (does the phrase "we had to destroy the village to save it" ring any bells?), that is just stupid and malevolent.
2) Acting to deliberately take down a company you perceive to be recklessly incompetent is just vigilantism of those most cowardly order (doing it under "Anon"????).
3) As others have stated, 2 wrongs don't make a right.
A more responsible way to do it would be to notify the firm, allow/help them to fix the issue, get on with life. Which more or less is what happened. The company however might have been a tad better served not being such tools about it.
I know it's a knee jerk reaction to protect the researcher, but where I come from, people seek permission before they attempt to break or affect a site because they could otherwise be accused of attempting to break in (which they are) and thus committing a crime.
If you stray into a site because you're investigating something else (for instance, something using that site as a router or as a malware trap) you *still* ask permission, not only is it polite but it will also keep you out of jail longer.
That does not mean I fully agree with the companies' reaction, but the fact remains that our intrepid security researcher has taken possession of information that does not belong to him, has done so without permission and is hanging on to some of it for reasons I find not very convincing. "To keep them honest" - really? How is that going to work? The awkward question remains why he was seeking a vulnerability in that specific system in the first place.
Even just a quick note "my kids are in your system, do you mind if I have a look - happy to sign an NDA" is better than "Hey, guess what, your database leaks and here is a copy I made just to prove it to you - look at all the child pics I could grab" :).
If you want to be a white hat, it is best that you develop an approach that will avoid making you look like a black hat. "I'm a security researcher" can be seen as an excuse, so getting permission is a good move. If the site doesn't want to give it, leave them be. It's their loss.
Unscrupulous companies generally do not consent to white-hat hacking attempts, nor do they obtain the informed consent of their innocent victims. If protecting the innocent is your goal, you have to play hardball.
Speaking as a sysadmin, an anonymous hacker could get my attention by shutting down services. If I see signs of intrusion, I'll shut down the server and raise the alarm. I believe my current clients would do the right thing. Some site owners, however, would just fire me and find a code monkey willing to do the bare minimum to get the site running again.
In lieu of strong privacy laws, you have to wage a PR war against these jokers. It's not easy. You can't just leak everything. You can't announce that the site is insecure, thus inviting black hats. Probably the best you can do is to grab all their code/config to find more holes, and install backdoors, then keep taking the site down while anonymously leaking redacted evidence all over the internet, until the company closes up shop.
Again, easier said than done. Ideally "we" should legalize hacking (and grant immunity from lawsuits) and criminalize sloppy security/privacy practices instead. With prison time for proprietors, officers, directors, managers, sysadmins, devs... I guarantee nobody would touch other people's private info after that.
Not the door man. Even the most dense mouth-breathing door man wouldn't have a go at anyone who told them that people were sneaking in via the fire exit while they were guarding the front door.
He is more akin to the prat in the control room supposedly eye-balling the monitors, but instead has his face stuffed in a Victorias Secret catalog and giving himself a gentle rub.
But perhaps the concerns are more about estranged family members who see children as an indirect way to hurt/attack the custodial parent (EG: kidnapping the child during/after an ugly divorce). Or they could be concerned about kidnapping in general.
I would be a bit more concerned about someone getting that information and using it to set up a disposable credit history in the kids' names. If you think it's hard starting out with no credit history, imagine trying to start out "owing" several hundred thousand of the currency of your choice. - Which is why my kids' info will not be going into any tracking database as long as I can avoid it.
As always, there are two sides to every story, and it looks like BBC News just shared the other side of the story.
Pretty interesting revelations.
Chris Vickery may have some explaining to do too. Calling yourself a “researcher” does not automatically make you ethical.
Just sayin.
uKnowKids defends response to data breach alert
http://www.bbc.com/news/technology-35659828
I must have missed it, what was the other side? The story I saw on the BBC was:
- fellow found obvious site error using search tool
- site owner reacted with threats and bluster on the initial report
- fellow was concerned his issue would be swept under the rug
- site fixed a problem and is no longer indexed by the search tool
Which is exactly what I got from this article, too.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
