
How I found a data leak of a company during a college lecture - achillean
http://sijmen.ruwhof.net/weblog/937-how-i-found-a-huge-data-leak-of-a-company-during-a-college-lecture
======
caseysoftware
> On the next screen I just hit the connect button to see what would happen:

> Not really sure what it does, but I found several Droisys e-mail addresses
> in the database and decided to mail them that their database was exposed on
> the internet.

Oh man, this is a bad idea.

If you find something out there that you think you can connect to - poor
password, no password, etc - you must be _very_ careful.

In some cases, just reporting it will cause you problems. At this point, you
probably haven't broken the law but some companies are just jackasses.

But once you connect, the game changes. It is "unauthorized access" and it's
_probable_ that you broke your local laws. At that point, it's not just a
jackass company that gets involved, it's local law enforcement too.

And then you get data from the database. It's probably going to get even worse
for you.

When you go a step further and share a howto on the web... this is a bad idea
all around.

This is not proper disclosure. If I were him, I'd get a good lawyer.

~~~
13of40
I've always wondered about the legality of, say, going to google and entering
"not for public release filetype:pdf" then downloading (presumably
accidentally shared) confidential documents from someone's server. If no
authentication is required, is it fair game?

~~~
jsprogrammer
If Google has already accessed, indexed, and published it, you are in pretty
good company. At the least, you have the lawyers of a multi-billion $$$
company backing you.

~~~
dragonwriter
No, you don't. Knowledge and intent are key factors in many crimes, and you
and Google aren't similarly situated.

~~~
jsprogrammer
If Google is providing you illegal knowledge, that is Google's problem.

~~~
dragonwriter
The law doesn't work that way: knowledge is rarely illegal. Knowingly
gathering without permission may be. Using a Google product as a tool in a
crime doesn't make Google responsible for the crime and relieve your
responsibility.

~~~
jsprogrammer
Can you construct a hypothetical situation where clicking a link on a Google
result page (or, any page, for that matter) would be a crime?

If such a thing were possible, I would view it as the ultimate betrayal of the
browser's "sandbox". Certainly it would be a top priority to categorize links
into "known safe to click" and "clicker beware". Who knows, maybe Google's
successor will be such an engine.

~~~
Zancarius
> Can you construct a hypothetical situation where clicking a link on a Google
> result page (or, any page, for that matter) would be a crime?

I'm not sure that's even necessary, and there's no point getting into a debate
about the browser (you commanded it to do something, after all).

IANAL, but I don't think you need to be one to appreciate the potential for
legal trouble. Depending on your interpretation of the CFAA and whether or not
you agree with the assertion that the Ninth Circuit limited the scope of the
CFAA's reach by requiring a certain degree of _intent_ [1], unauthorized
access alone could be construed as a crime. If you want a particularly extreme
interpretation of the statute, you can find such almost anywhere you look
(here's one from 2005 [2]).

In the latter case, it's notable that if you access material it 1) need not be
trademarked, copyrighted, a trade secret, or even particularly sensitive--it
need only be "valuable" and 2) unauthorized access is defined rather loosely
as accessing "information in the computer that the accessor is not entitled so
to obtain." One could argue that password protected resources or databases
that are not publicly advertised are not considered something for
dissemination to the public and therefore protected by statute.

So, if we apply the CFAA in a manner similar to what you might expect of a
prosecutor who is up for re-election this year, let's look at the abuses the
article's author committed:

Unauthorized access - check? There's no _obvious_ revocation of the right to
access Unilever's MongoDB database, but it probably passes the "reasonable
person" test that this information isn't intended to be public. Playing the
game of "intent" is a bit risky, so this might be another option in mounting a
defense.

"Valuable" information - definite check (the author stated rather plainly:
"Within the databases I found personal details like names, e-mail addresses
and also private chat logs;" I suspect this would be considered "valuable"
information). I don't think this is something I would have admitted. I
_certainly_ wouldn't have posted screen captures.

I admit the timing of this is funny, because I was just about to watch a few
videos on bosnianbill's Youtube channel earlier when I got to thinking about
how inconsistent lockpick possession laws are in the US, and it's interesting
how it applies to this story. In some states (notably Tennessee), simply
owning a lockpick without the appropriate license can land you a misdemeanor
(fine, maybe jail time, depending on my memory of their law), while other
states (like my own) require intent and/or possession of multiple "burglary
tools" (e.g. a crowbar in addition to a lockpick). While intent alone is
insufficient protection from particularly enthusiastic prosecutors, it does at
least afford _some_ defense if you wind up in front of a jury. Hoping for the
same under the framework of the CFAA is a bit like playing with fire even if
you successfully mount a defense (legal costs, opportunity costs from the time
wasted on defense, etc).

Not worth it.

[1] [http://www.bullivant.com/Computer-Fraud-Abuse-Act](http://www.bullivant.com/Computer-Fraud-Abuse-Act)

[2] [https://www.dorsey.com/newsresources/publications/2005/02/cf...](https://www.dorsey.com/newsresources/publications/2005/02/cfaa-as-a-civil-remedy-national-law-journal)

~~~
dragonwriter
Federal prosecutors -- the only ones that can prosecute for criminal CFAA
violations -- are Presidential appointees; they are never up for election. So
that scenario never actually occurs.

------
opaque
In the words of Phineas Fisher:

"NoSQL, or rather NoAuthentication, has been a huge gift to the hacker
community. Just when I was worried that they'd finally patched all of the
authentication bypass bugs in MySQL, new databases came into style that lack
authentication by design."

From his account of the Hacking Team Hack, worth a read if you missed it.

[http://pastebin.com/raw/0SNSvyjJ](http://pastebin.com/raw/0SNSvyjJ)

~~~
ethbro
Step 1) Bemoan how {OldSoftwarePackage} doesn't do X, Y, Z

Step 2) Write {NewSoftwarePackage} that does most of what {OldSoftwarePackage}
did + X

Step 3) Spend an order of magnitude more time than expected finishing Y, which
turns out to actually be rather hard because {Messy Real World Engineering
Details}

Step 4) Never get to Z & eventually come up with a narrative about how Z was
stupid anyway

~~~
MichaelGG
Not sure what exactly you mean wrt NoAuth DBs, but having a simple on-connect
password would be an improvement to all those databases.

Things like Elasticsearch not having even a basic password (esp since it's
HTTP so it's trivial) is simply silly. And it's probably not a good idea to
support no-auth connections at all - if it's really a hassle, just set the
user/pass to the host name.

~~~
pyre
> Elasticsearch

Yeah. I found that surprising when it came time to use ElasticSearch for my own
purposes. If you want security, you need to set up something _between_ the
ElasticSearch server and the clients to moderate.

~~~
jrgnsd
Setting up nginx to proxy to Elasticsearch with HTTP auth on top is fairly
trivial. There are a couple of good articles on the web if you google for it.
Also, should you have an Elasticsearch support contract, you get access to the
Shield plugin which has extensive access control.

But yes, the fact that it is open OOTB is frustrating.
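
An added example (not from this thread, and not nginx's or Elasticsearch's own documentation) of the set-up jrgnsd describes, which is also the "simple on-connect password" MichaelGG asks for above: nginx terminating TLS, requiring HTTP basic auth on every request, and proxying to an Elasticsearch node bound to localhost. The hostname, certificate paths and user file are placeholders, and it assumes elasticsearch.yml is set to `network.host: 127.0.0.1` so the node is unreachable except through the proxy.

```nginx
# /etc/nginx/conf.d/elasticsearch.conf   (assumed path)
# Elasticsearch listens on 127.0.0.1:9200 only; nothing reaches it but this proxy.
upstream elasticsearch {
    server 127.0.0.1:9200;
}

server {
    listen 443 ssl;
    server_name es.example.internal;              # placeholder hostname

    ssl_certificate     /etc/nginx/tls/es.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/tls/es.key;

    location / {
        # Every request must carry valid basic-auth credentials;
        # the user file is created with htpasswd (placeholder path).
        auth_basic           "Elasticsearch";
        auth_basic_user_file /etc/nginx/es.htpasswd;

        # Read-only: only GET and HEAD pass through, so even an authenticated
        # client cannot write to or delete indices via this location.
        limit_except GET HEAD {
            deny all;
        }

        proxy_pass         http://elasticsearch;
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   Connection "";
    }
}

# Redirect plain HTTP so basic-auth credentials never travel in the clear.
server {
    listen 80;
    server_name es.example.internal;
    return 301 https://$host$request_uri;
}
```

Users are added with `htpasswd -c /etc/nginx/es.htpasswd reader` (apache2-utils). The `limit_except` block makes this a read-only front end; anything that needs to index or delete documents gets its own `location` (or its own proxy) with separate credentials, which keeps a leaked read-only password from turning into a data-destruction problem.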

~~~
pyre
This is exactly what I do, but the fact that it's wide open and relies on you
to use a different (and de-coupled) service for permissions was surprising to
me (at the time).

------
kba
So you do everything you can to hide the IP address, but reveal that the
domain is-savvy.nl resolves to it.

Either you're not actually that good at IT security or you're just making a
huge brain fart.

    $ dig +short is-savvy.nl
    37.59.238.165

So it's not really a mystery what the X.X.238.165 and X.X.238.166 addresses
actually refer to.

------
0x0
Wouldn't it be better and easier to do a WHOIS lookup on the actual IP
address, and email whoever shows up there? Sometimes you'll get the hosting
provider (and they can contact the customer for you, maybe even anonymously),
and sometimes you'll find the company itself.

At least you're not bouncing around domains which can be pointed anywhere.

------
microcolonel
I don't know why he bothered to blank out the IP address for is-savvy.nl. DNS
will tell you that there is literally one A record which matches the last two
bytes.

------
jsumrall
> The database had no username and password configured to protect it, so I
> assumed it was a public database with data for everyone to see ;-)

No, a wink won't protect you in court. You illegally accessed someone's data.
As they say: just because the house is unlocked doesn't mean you're allowed
in. Pray this doesn't get you in trouble. Oh boy, oh boy, oh boy...

------
0x54MUR41
For those having trouble accessing the site, this is the archived version:
[https://web.archive.org/web/20160514214255/http://sijmen.ruw...](https://web.archive.org/web/20160514214255/http://sijmen.ruwhof.net/weblog/937-how-i-found-a-huge-data-leak-of-a-company-during-a-college-lecture)

------
mitm2mitm
A few years back I anonymously reported a huge data leak. Weeks later they
asked for my name and address so they could "send me a gift".

To this day they still haven't fixed the leak. And I took a pass on that
"gift".

------
cs2818
What kind of laws apply in this locality?

In the US I wouldn't be able to connect to their MongoDB server without it
being a crime, password or not.

