IT consultant in Germany fined for exposing shoddy security - The Register

A security researcher in Germany has been fined €3,000 ($3,300, £2,600) for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records.

Back in June 2021, according to our pals at Heise, a contractor, identified elsewhere as Hendrik H., was troubleshooting software for a customer of IT services firm Modern Solution GmbH. He discovered that the Modern Solution code made a MySQL connection to a MariaDB database server operated by the vendor. It turned out the password to access that remote server was stored in plain text in the program file MSConnect.exe, and opening it in a simple text editor would reveal the unencrypted, hardcoded credential.

With that easy-to-find password in hand, anyone could log into the remote server and access data belonging to not just that one customer of Modern Solution, but data belonging to all of the vendor's clients stored on that database server. That info is said to have included personal details of those customers' own customers. And we're told that Modern Solution's program files were available for free from the web, so truly anyone could inspect the executables in a text editor for plaintext hardcoded database passwords.

The contractor's findings were discussed in a June 23, 2021 report by Mark Steier, who writes about e-commerce. That same day, Modern Solution issued a statement [PDF, translated from German] summarizing the incident:

"Today, June 23, 2021, at 8:09am, an ethical hacker alerted us to a security vulnerability in our system. Due to this vulnerability, it was possible to access the password to our database and access unencrypted passwords and personal data. Using this database password, the hacker gained external access to our database and our ticketing system. We currently do not know to what extent this data was passed on or further used by the ethical hacker, and whether further access occurred. We are working intensively to investigate the incident."

The statement indicates that sensitive data about Modern Solution's customers was exposed: last names, first names, email addresses, telephone numbers, bank details, passwords, and conversation and call histories. But it claims that only a limited amount of data (names and addresses) about shoppers who made purchases from these retail clients was exposed.

Steier contends that's incorrect, and alleged that Modern Solution downplayed the seriousness of the exposed data, which he said included extensive customer data from the online stores operated by Modern Solution's clients.

In September 2021, police in Germany seized the IT consultant's computers following a complaint from Modern Solution that claimed he could only have obtained the password through insider knowledge (he worked previously for a related firm), and the biz claimed he was a competitor.

Hendrik H. was charged with unlawful data access under Section 202a of Germany's Criminal Code, based on the rule that examining data protected by a password can be classified as a crime under the Euro nation's cybersecurity law.

In June 2023, a Jülich District Court in western Germany sided with the IT consultant because the Modern Solution software was insufficiently protected. But the Aachen regional court directed the district court to hear the complaint. Now the district court has reversed its initial decision. On January 17, a Jülich District Court fined Hendrik H. and directed him to pay court costs.

"The penalty order is all the more shocking because it is fundamentally wrong," wrote Steier, the blogger who helped bring the exposed database to light, in a post on Wednesday.

"A password that has been saved almost in plain text does not constitute a special security which is required by §202. It's understandable that a judge can't evaluate that, but then an expert would have had to be heard on exactly this question. Unfortunately, that didn't happen."

According to reports, the verdict is not yet legally binding, as the two parties have a week to appeal, which the IT consultant reportedly intends to do.

In a post to Mastodon, Wladimir Palant, a security researcher, software developer, and co-founder of Germany-based ad filtering biz eyeo, expressed frustration with the court's decision.

"I very much hope that there will be a next instance ruling overturning this decision again," Palant wrote. "But it's exactly as people feared: no matter how flawed the supposed protection, its mere existence turns security research into criminal hacking under the German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users."
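The defect at the centre of the case, a database password sitting as a plaintext string inside a shipped executable, is the kind of thing a vendor can catch in its own build pipeline before anything is published. The following is an added example, not code from Modern Solution, the consultant, or The Register: a minimal secret scanner that pulls printable strings out of a binary (the same thing a text editor shows) and flags connection strings and database URIs that carry a password. The sample bytes, the host name, the account and the password are all constructed for the demo; the pattern list is a hypothetical starting set, not any real scanner's rules.

```python
"""
Hardcoded-credential check for compiled artefacts (added example; not code from
Modern Solution, Hendrik H., or The Register).

Assumptions (not from the article): the artefact is a Windows-style executable and
the credential is embedded as a printable ASCII or UTF-16LE string, which is what
"opening it in a text editor reveals the password" implies. SAMPLE_BINARY below is
constructed for the demo; host, user and password are invented.
"""
import re
from typing import Iterator, List, Tuple

MIN_LEN = 6  # shortest run of printable characters worth reporting

# Hypothetical starting set of patterns. Real scanners (gitleaks, trufflehog)
# carry many more; these cover the ADO.NET-style connection string and the
# URI forms a MySQL/MariaDB client is most likely to embed.
CREDENTIAL_PATTERNS = [
    ("connection string",
     re.compile(r"(?i)\b(server|host)\s*=\s*[^;]+;.*\b(uid|user(?: id)?)\s*=\s*[^;]+;.*\b(pwd|password)\s*=\s*[^;]+")),
    ("database URI with password",
     re.compile(r"(?i)\b(mysql|mariadb|postgres(?:ql)?|mssql)://[^:/\s]+:[^@\s]+@")),
    ("key-value password",
     re.compile(r"(?i)\b(password|passwd|pwd)\s*=\s*[^;\s]{3,}")),
]


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> Iterator[str]:
    """Yield runs of printable characters, like the Unix `strings` tool.
    Plain ASCII runs come first, then UTF-16LE runs (common in Windows PE files)."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in ascii_run.finditer(blob):
        yield m.group().decode("ascii")
    # UTF-16LE: a printable ASCII byte followed by a NUL byte, repeated
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in wide_run.finditer(blob):
        yield m.group().decode("utf-16-le")


def redact(s: str) -> str:
    """Mask the secret part so the CI log itself never re-leaks the credential."""
    s = re.sub(r"(?i)((?:password|passwd|pwd)\s*=\s*)[^;\s]+", r"\1***", s)
    s = re.sub(r"(://[^:/\s]+:)[^@\s]+@", r"\1***@", s)
    return s


def scan_for_credentials(blob: bytes) -> List[Tuple[str, str]]:
    """Return (pattern_name, redacted_string) for every string that looks like
    an embedded credential. An empty list means the artefact passed the gate."""
    findings: List[Tuple[str, str]] = []
    for s in extract_strings(blob):
        for name, pat in CREDENTIAL_PATTERNS:
            if pat.search(s):
                findings.append((name, redact(s)))
                break  # report each string once, under its most specific pattern
    return findings


# Constructed sample: a fake header, some non-printable filler, then an ASCII
# connection string and a UTF-16LE database URI, as a compiled client might carry them.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00\x01\x02\x03" * 8
    + b"Server=db.example.invalid;Database=shop;Uid=shopuser;Pwd=s3cretExample;\x00"
    + b"\x01\x02\x03"
    + "mysql://shopuser:s3cretExample@db.example.invalid/shop".encode("utf-16-le")
    + b"\x00\x00\x7fELF"
)

if __name__ == "__main__":
    hits = scan_for_credentials(SAMPLE_BINARY)
    for name, text in hits:
        print(f"[{name}] {text}")
    raise SystemExit(1 if hits else 0)  # fail the build when a credential is embedded
```

Run as a build step, a non-zero exit blocks the release. The check only addresses the symptom the article describes; the underlying design flaw is that one shared credential in a client program reached every tenant's data on the vendor's server, so the fix that actually removes the exposure is to keep database credentials out of client-side code altogether and have each installation authenticate with its own least-privilege account that can see only its own records.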
