Hacking Journalists Case Dredges Up Security Research Legal Debates

Telecom firm TerraComm seeks to sue Scripps-Howard journalists for Google searches that uncovered sensitive info freely available online

A legal storm is brewing between researchers who uncovered a cache of sensitive information about 170,000 consumers through a Google search and the company which left the information freely available online. It sounds like the typical disclosure scuffle that the security research community has come to expect as part of the territory, with the exposed firm threatening to ring up researchers for violating the Computer Fraud and Abuse Act. But this one comes with a twist: the researchers in this incident werent code slingers, they were word slingers.
The exposed information was discovered by two journalists with Scripps-Howard news service who stumbled into the openly searchable information from data stores held by telecom vendor TerraCom Inc. through Google. Their search came while investigating a story on why so many consumer participants in government-subsidized cell phone program Lifeline -- a program in which TerraCom and its affiliate company YourTel participated -- were having their identities stolen.
The Scripps News team discovered the unsecured records while looking into companies participating in Lifeline. A simple online search into TerraCom yielded a Lifeline application that had been filled out and was posted on a site operated by Call Centers India Inc., under contract for TerraCom and YourTel,
Many in the security community say the incident and its legal fallout could stand to draw attention to a more mainstream audience some of the biggest legal and ethical problems facing white and grey hat hackers today.
[Why does SQL injection linger? See
10 Reasons SQL Injection Still Works
.]
I love this, this is a perfect example because what you effectively have here is a very innocent set of research. They stumbled on this data through simple searches, says Trey Ford, Black Hat general manager. The custodian of this data was not properly managing authorized access. And just because the custodian didnt feel like they wanted this other company or the rest of the Internet to have authorized access to this data, they cited a law that allowed them to hide and sue someone doing something that was ultimately trying to help them out.
But the slippery topic of motivation is what has some other researchers torn on whether the journalists acted appropriately.
They definitely came up on some very poorly secured information and I completely agree that poorly secured information needs to be pointed out, says Wade Williamson, senior security analyst for Palo Alto Networks. But I think that when you download all those records and start reaching out to contact people [from those records] for a quote in a story, youre very much using that for your own personal gain.
The split in opinion even among security experts shows how nuanced the perception problem can be in these disclosure cases. For his part, Ford believes the Scripps reporters acted appropriately to get the story out for the benefit of affected consumers.
I actually appreciate the fact that they took the time to do some user awareness training, saying, Hey, you have got information out there, you trusted your information with these people and they didnt manage that, how do you feel about that? he says. I mean, thats effectively what news is at the end of the day.
Regardless of the security community weigh-in, though, the true litmus test could be how the courts decide. If things were based strictly on precedence, things wouldnt look good for the Scripps scribes.
To me I really dont see much difference between that and the teenagers that get sent down for a long time, Williamson says, other than saying Were doing this for the public good. A lot of people say theyre doing it for the public good.
Thats the exact argument that Andrew weev Auernheimer made when defending himself in a
case against him spurring from his disclosure of personal details of 120,000 iPad users to media site Gawker after finding a business logic flaw in the AT&T website
. Hes currently serving three years for his actions.
But if the courts are consistent in their judgments it could mean an extremely negative potential outcome for the industry that only serves to work against the ultimate best interest of companies like TerraCom that pursue legal action, says Marc Maiffret, chief technology officer at BeyondTrust.
If there are going to be cases where people get in big trouble with potential jail time, its going to make everybody stop pointing vulnerabilities out and all that means is that the bad guys are the only ones doing it because they dont care about the law, he says. Its a balance. You want to have a way for good people in the world to not feel like theyre going to jail for pointing out something wrong that a company is doing, whether they know it or not.
But the unusual nature of the case and the legal resources of the journalists news organization could potentially help set a new precedence of its own. According to Ford, the experience of of the Scripps journalists is very dissimilar to the typical researcher because of the professional backstop journalists have in this instance.
This is a good example of what researchers deal with all the time, the only difference is they dont have the backing of a strong media arm to protect them, Ford says. Theres also a certain amount of protection afforded to members of the press compared to some random Joe Schmuck hacker dude thats trying to say I found something, Im worried for you and I want you to know about this. When they say, what are you talking about, Im going to sue you, the journalist says Im going to quote you. Thank you. Theres some level of accountability when you say something like that to a member of the press.
Robert Rsnake Hansen agrees that theres a contrast between a journalists experience disclosing and a traditional security researchers struggle. He thinks it underscores the difficulties many independent researchers face in order to be heard.
Precisely because hes a member of the press, it makes it naturally not like every other researcher, says Hansen, Black Hat Review Board member and a long-time fixture in the security research community. Someone who writes for a magazine or whatever can really shape the conversation in a way that some researcher who may not even speak English very well is trying to explain some very complex thing, and explain a history with a company that may be extremely complicated.
However, if this case does go anywhere, it could potentially benefit the research community if it brings enough attention to the lowlights of the legal framework around computer manipulation and ethical hacking. A big part of the problem is even legally defining what hacking really is.
My personal definition of hacking is if you can find it through a Google search and its out there open to the public, thats not really hacking because youre not specifically manipulating the system based on a security weakness to get the information out of it. But thats not necessarily what the law says, Maiffret says. The law has definitely not evolved with the rate of innovation and the changing of how society is communicating and data is flowing.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact Dark Readings editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Hacking Journalists Case Dredges Up Security Research Legal Debates