
NullCrew attack on Bell Canada was SQL injection and Bell knew weeks ago - lelf
http://www.databreaches.net/nullcrew-attack-on-bell-canada-was-sql-injection-and-bell-knew-weeks-ago-nullcrew/
======
hluska
In Bell's defense, a chat with a tech support person is not exactly what I'd
call responsible disclosure. However, I've spent the last twenty minutes on
Bell's website and in that time, I have not found a single way to notify them
of a security breach.

In my opinion, responsible companies (aka - the kinds of companies we should
give our data to) assume that they are vulnerable to attack and make it easy
for researchers to report possible problems. Having a disclosure policy and a
simple, secure way to contact professionals on yourdomain.tld/security would
prevent so many of these problems from ever happening.

------
Yver
It's bad that the Bell support employee was unwilling or unable to recognize
it had to be escalated to a supervisor, but that's not exactly what I'd call a
"disclosure" (and obviously not a "responsible" one.)

I don't expect the average help desk employee to know what SQL is, or what
"owned" or "sploit" means. Half of their customer interactions consist in
asking whether the modem is plugged into a wall socket and there's electricity
in the rest of the house.

------
chollida1
Nothing in this post seems to back up the assertion that Bell was notified of
the security breach.

All I see is a cryptic conversation with a low level help desk employee who
would have no possible ability to know what the crackers were talking about.

------
teh_klev
NullCrew seem to have a problem differentiating between an exploit that is
specific to MS SQL Server 2008 R2 and a generic SQL injection attack.

~~~
duiker101
Pretty standard "teenager with too much time" behaviour.

------
forgottenpass
This is what happens when you use frontline staff to unilaterally isolate
anyone worth talking to. The isolated miss things that, if asked, they would
choose to hear. Everyone is ignored as if they were an asshole with a bone to
pick about the company.

Sure there is weight to the argument the attackers could have made better
attempts to contact Bell, or use clearer communication with support staff.
Anybody trying anything can always try harder or improve their methods. But at
some point the responsibility for failure to communicate has to swing onto
Bell. They decided they don't want to hear from customers, just help grandma
connect to the service so she doesn't cancel. This is exactly what they asked
for.

~~~
resemc
>Sure there is weight to the argument the attackers could have made better
attempts to contact Bell, or use clearer communication with support staff.
Anybody trying anything can always try harder or improve their methods.

Careful: that turns into a "no true Scotsman" argument fairly quickly if we
stray too far down that road.

~~~
forgottenpass
Yup, that's the kind of detrimental reasoning I want to sidestep with that
statement. There are no steadfast absolutes in what is reasonable to expect
from Bell or the hackers. Even if you don't think the hackers made every
attempt at contact they could/should have, that's no good reason Bell's
bureaucracy can't also be at fault.

