Friday, January 26, 2024

The dangerous side of IT security

Security researcher fined for revealing insecure system:

After discovering and reporting a vulnerability in an e-commerce database that was putting customers and their personal information at risk, a security researcher in Germany was fined €3,000 for doing so.

In 2021, a contractor, known as Hendrik H., said he was troubleshooting software for Modern Solution GmbH when he realized that the password for the remote server was stored in plain text in MSConnext.exe. This made the password simple for many to find, and a threat actor could use it to access everything stored on the database server, including customer information.
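The defect described above is a credential shipped inside a binary. The check a practitioner would run before shipping (or on a vendor's executable during troubleshooting) is a strings scan for anything that looks like a password or connection string. The script below is an added example, not code from the original post or from Modern Solution; the sample "binary" and the connection string in it are constructed here and have nothing to do with MSConnext.exe. It avoids depending on binutils' strings(1) by using grep in binary mode.

```shell
#!/bin/sh
# Added example: scan a binary for embedded plaintext credentials.
# The sample file and the credential in it are constructed for this demo
# (hypothetical host/user/password); they are not real data.

set -eu

# build_sample_binary PATH: write a file that mixes non-printable bytes
# with a plaintext connection string, the way a compiled executable with
# a hardcoded password looks on disk.
build_sample_binary() {
    path=$1
    {
        printf 'MZ\220\000\003\000\000\000\004\000\000\000'
        printf '\377\377\000\000\270\000\000\000'
        printf 'Server=db.example.invalid;User Id=shopadmin;Password=Hunter2!;'
        printf '\000\000\000\000\001\002\003'
        printf 'unrelated text of no interest'
        printf '\000\000'
    } > "$path"
}

# extract_strings PATH: print runs of 8+ printable bytes, one per line.
# grep -a treats the file as text, -o prints only the matching runs;
# LC_ALL=C keeps high bytes from being read as multibyte characters.
extract_strings() {
    LC_ALL=C grep -a -o -E '[[:print:]]{8,}' "$1" || true
}

# scan_for_credentials PATH: print strings that look like credentials.
# Returns 0 if any were found, 1 otherwise, so it can gate a build step.
scan_for_credentials() {
    hits=$(extract_strings "$1" | grep -i -E 'password=|passwd=|pwd=|secret=|api[_-]?key=' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 0
    fi
    return 1
}

main() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    build_sample_binary "$tmp"
    if scan_for_credentials "$tmp"; then
        echo "FAIL: plaintext credentials found in $tmp"
    else
        echo "OK: no obvious credentials in $tmp"
    fi
}

main "$@"
```

A hit on the sample file is the expected result. The fix is not a better hiding place for the string; it is to not ship the credential at all: read it at runtime from a configuration file or environment variable with restricted permissions, and give each customer or user a database account with only the rights it needs, so one leaked executable cannot expose the whole server.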

There has been a lot of back and forth on this between the company and the researcher, including court appeals (with more planned). But one thing seems odd to me. If the researcher was working for the company (as stated), why did he not have a "get out of jail free" card from company management for what he was doing? That is a signed authorization letter, typically from the Chief Information Security Officer, stating that the researcher is authorized to probe the named systems during a stated period and that the company will hold him harmless. It also carries non-disclosure and other restrictions so the researcher cannot simply go and publish embarrassing findings.

It doesn't seem that any of this was in place, so I'm wondering what sort of "research" this guy was up to.

2 comments:

Igor said...

Not enough detail, but, yeah....

Inquiring minds want to know. Even though the Euroweenies are rather anally stoopid.

Old NFO said...

Good question!