
>“Netsential confirmed that this compromise was likely the result of a threat actor who leveraged a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data.”

So they are spinning it as a user's fault? Not the fault of Netsential for allowing malicious content to be a problem...

That's the first thing I thought, too - sounds like they are trying to spin it as some malicious user "broke in". If a "customer user account" is able to upload a malicious payload and exfiltrate huge amounts of other customers' data, there's a much larger, underlying problem here. Hard to see how Netsential could get through this fiasco and still have any business.

Legally speaking, if you find a bug and abuse it (to e.g. extract data), you're breaking the law; I know people don't want to hear it and want to protect whistleblowers, but it's factually illegal to steal data like this.

That's what whistleblowing is all about though; purposefully breaking the law or a contract (like an NDA) to expose shit. Some countries will protect whistleblowers, others have to flee and seek asylum abroad.

So don't deny whether or not law and/or contract was broken, instead focus on whether the action was justified. Yes the system was broken and open for exploitation, but the attack was not accidental: they intentionally uploaded a malicious payload, intentionally extracted data, and intentionally uploaded it to the internets.

I wasn't commenting in any way on the legalities. IANAL and, frankly, I just don't think it's germane to my point.

Netsential clearly had a massive security vulnerability in their system that allowed one user to access the data of all other users. That's very much on them.

Consider a company that provides physical storage units and advertises that they are secure and can only be accessed by their owner. Then it turns out that there was a back alleyway running behind all the units that allowed any owner who had access to one unit the ability to access any other unit, without a key. I don't think anyone would suggest that would be anything other than a massive security oversight by the storage company. Yes, what the thief did was illegal and should be dealt with. But you'd have a hard time convincing me that the company itself wasn't primarily at fault for such a huge oversight in the first place. And I certainly would never use them again.

I don't follow.

No attack is accidental. If a vendor fails to follow appropriate operational security, it is certainly the illegal actor's fault. But it is also the fault of the vendor's negligence, and might also be the fault of whoever failed to properly vet the vendor. All three are potentially culpable.

Moreover, I took the parent comment to be referring more to customer flight rather than some judiciary judgement. 'I got mugged' is not what you want to hear from the person entrusted with your data security.

Actually this is not whistleblowing. Technically, you need to have legal access to the data to whistleblow. If you have to acquire access to the data illegally to then release it, it's just illegal.

Worked for the Pentagon papers.

>>Legally speaking, if you find a bug and abuse it (to e.g. extract data), you're breaking the law; I know people don't want to hear it and want to protect whistleblowers, but it's factually illegal to steal data like this.

I don't think anyone is saying it was not illegal, are they? But just because it is illegal does not resolve the security issue at the service provider.

If I leave my home unlocked it is still illegal for you to steal my TV, but you can bet my insurance company is going to give me crap (if not deny my claim outright) due to my negligence for not securing my property.

>>That's what whistleblowing is all about though; purposefully breaking the law or a contract (like an NDA) to expose shit.

It can, but not always, and in the case of true whistleblowing there are laws in place that would provide an affirmative defense to otherwise illegal acts (like breaking an NDA). This is akin to self defense. Murder is always illegal, but self defense is an affirmative legal defense one can use to justify their action, making them "not guilty" of the law under those special circumstances. Whistleblowing has a few of these affirmative defenses as well.

Yes, but "the law" cuts deals all the time to address bigger crimes. For example, they let off a small-time drug dealer with a couple of months in jail for ratting out a hitman for the mafia. I think sometimes it takes lesser crimes to bring justice to bigger crimes like police brutality and murders that go unprosecuted because cops/DAs protect one another. I think that might be the case here. Independent hacktivists can now comb through that data and find cops that have lots of repeat offenses that obviously show a pattern of abusing the system and citizens, whereas before that couldn't happen because such information was hidden from the public.

Probably just a way to justify a new contract for Netsential. Notice most of the leaked info is damaging to witnesses and victims, not the police.

Big companies don't hire properly for sysadmin/security - you don't think law enforcement knows what they're talking about here, do you?

* Lifelock enters the chat

This smells of legacy PHP where any PHP file uploaded to a web-accessible folder can be executed.

Likely. I've unfortunately had the displeasure of being a victim of that, probably an off-the-shelf scanner that exploited a WordPress weakness.

That said, I do think PHP software should be distributed in such a way that the files are both locked for editing by the PHP process itself, and verified regularly. I've been using XenForo on my website for a while and it's giving me e-mail warnings that a file has changed (I did a customization), so it does exist.

But yeah, that particular category of error can be mitigated via config; disallow PHP execution in an upload folder, disallow PHP to add or edit files in the application folder, etc.
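The comment above asks for application files to be locked against the PHP process and verified regularly. The following is an added example (not code from Netsential, XenForo or any project on this page) of the second half of that: an out-of-process integrity check, deliberately written in Python rather than PHP so that a compromised PHP process cannot simply edit the checker. It hashes a trusted copy of the application tree at deploy time, diffs the live tree against it, and separately flags anything in the upload directory whose name carries a PHP-style extension. All paths and sample file contents are constructed inside `demo()`; the extension list is an assumption.

```python
"""Out-of-process file integrity check for a PHP application tree.

Added example for this discussion, not taken from any project mentioned
on the page. demo() builds a constructed sample tree in a temp directory
instead of assuming real paths.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions a web server might hand to the PHP interpreter (assumed list).
# An upload directory should never contain any of these, at any position.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".phps"}


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, streamed so large assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, manifest: dict) -> dict:
    """Compare the live tree against a trusted manifest.

    Returns sorted lists of modified, added and removed relative paths.
    An 'added' file with a script extension is the classic webshell drop;
    a 'modified' entry point is the classic backdoored dispatcher.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "removed": sorted(k for k in manifest if k not in current),
    }


def scripts_in_uploads(upload_root: Path) -> list:
    """Files in the upload tree with a PHP-ish extension anywhere in the name,
    so photo.php.jpg is caught as well as shell.php."""
    return sorted(
        p.relative_to(upload_root).as_posix()
        for p in upload_root.rglob("*")
        if p.is_file() and any(s.lower() in SCRIPT_EXTENSIONS for s in p.suffixes)
    )


def demo() -> dict:
    """Take a manifest of a constructed sample app, then simulate the attack:
    one application file is backdoored, a new script appears in the app tree,
    and a disguised script lands in the upload directory."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        uploads = Path(tmp) / "uploads"
        (app / "src").mkdir(parents=True)
        uploads.mkdir()
        # Constructed sample files standing in for a deployed application.
        (app / "index.php").write_text("<?php require 'src/router.php';\n")
        (app / "src" / "router.php").write_text("<?php // dispatch\n")
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 not really a jpeg")

        manifest = build_manifest(app)   # taken at deploy time, kept read-only elsewhere
        clean = verify(app, manifest)

        # Simulated compromise (constructed, not real malware).
        (app / "src" / "router.php").write_text("<?php eval($_POST['c']); // dispatch\n")
        (app / "src" / "helper.php").write_text("<?php system($_GET['cmd']);\n")
        (uploads / "photo.php.jpg").write_bytes(b"<?php system($_GET['cmd']);")

        return {
            "clean": clean,
            "tampered": verify(app, manifest),
            "suspicious_uploads": scripts_in_uploads(uploads),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a cron job under a user that is not the PHP-FPM user, with the manifest stored where that user cannot write; if the manifest and the checker are writable by PHP, an attacker who has code execution just regenerates them.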

The main thing I do to avoid this is to host files on a separate server w/o PHP or a block storage service like e.g. S3 or B2. Make sure the domains are different too so you can't steal cookies.

You can also run a ClamAV scan to catch very obvious threats.

Modern PHP frameworks solve this problem just like the other languages solved this problem from the beginning - any inbound HTTP request goes into an entry point (the HTTP router library) which then loads the different classes and dispatches the request accordingly. The web server never executes anything but the entry point PHP file, regardless of what path the request is actually for.

The problem is all the legacy applications which are a mess of random PHP files and rely on the web server itself to dispatch requests based on the path of the file - in this case any PHP file can get executed if it happens to be in a location served by the web server. Rather than disallowing PHP execution in select folders, how about allowing PHP execution only for specific paths - those that you expect incoming requests to hit? That way no malicious code can run unless it manages to overwrite an existing file.
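The two comments above describe the same fix from two sides: deny PHP execution in the upload folder, or, better, allow it only for the one entry point. The following is an added nginx example (not Netsential's, XenForo's or any project's configuration) that shows the legacy pattern as a comment next to the hardened server block. Hostname, document root, storage path and PHP-FPM socket are assumptions.

```nginx
# Added example, not taken from any project on this page. The hostname,
# paths and PHP-FPM socket are assumptions for illustration.

# --- Weak (legacy) pattern: anything ending in .php, anywhere under the
# document root, is handed to PHP. An uploaded /uploads/shell.php runs.
#
#   location ~ \.php$ {
#       include fastcgi_params;
#       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#       fastcgi_pass unix:/run/php/php-fpm.sock;
#   }

# --- Hardened: exactly one path is ever executable.
server {
    listen 80;
    server_name example.test;                 # assumed
    root /var/www/app/public;                 # assumed: only index.php lives here

    # Every request that is not a real static file goes to the front controller.
    location / {
        try_files $uri /index.php$is_args$args;
    }

    # The only path nginx will pass to PHP-FPM. The exact match ("=") wins
    # over every regex block below, so nothing else reaches the interpreter.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Uploads are served from outside the application tree as static bytes.
    # "^~" stops the server-level regex search, so the PHP handler can never
    # be selected here; the nested block refuses script-like names outright,
    # including /uploads/photo.jpg/x.php style path-info tricks.
    location ^~ /uploads/ {
        root /var/www/app/storage;            # assumed: maps to storage/uploads/
        add_header X-Content-Type-Options nosniff;
        location ~* \.(php|phtml|phar|phps)(/|$) { return 403; }
    }

    # Any other .php path is not an entry point: refuse rather than execute.
    location ~* \.(php|phtml|phar|phps)(/|$) { return 404; }
}
```

Two backstops belong with this: set `cgi.fix_pathinfo=0` in php.ini so PHP-FPM does not walk a path like `/uploads/photo.jpg/x.php` back to the image and execute it, and make `/var/www/app/public` read-only to the PHP-FPM user so that code execution through some other bug cannot overwrite `index.php` itself (the "disallow PHP to add or edit files in the application folder" point above). The Apache equivalent for the upload directory is `php_admin_flag engine off` inside a `<Directory>` block when using mod_php.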

The article mentions a compromised user account so the attackers were probably able to just upload files directly through the compromised hosting account. Plus what's interesting is they don't mention the server itself being compromised. I'm wondering if this was a permissions issue that allowed the attackers to traverse directories on the server to the other hosted sites.

Or a SQLi in the client portal?

If that's the goal, they're doing it poorly, because the only spin I smell from this description is the tacit admission they failed to successfully security-compartmentalize one user from attack via another user's credentials.

The fault is spread though. Sure, the data portal was broken, but if you store secrets which can put people's lives at risk, you have to assume the portal is broken. There should be a number of checks on top of basic authentication and also in the LE network. If they found out about the leak from the leak itself, there are many teams that failed.

But not the sales team! Good job guys!

Looking at the Netsential website does not exactly inspire confidence that they employ state-of-the-art infosec methodology.
