Sunday, August 31, 2014

FUD and Bullshit: The case of Sam Bowne

What with the express purpose of our organization being responsible disclosure and security research, I felt it necessary to discuss the recent case of Sam Bowne. Here is a link to Mr. Bowne's report of the situation, which is incredibly thorough. But for those of you with the attention span of a goldfish: Sam found an anonymous FTP server via Google dorking, found patient PII data, and notified the organization of what appears to be a HIPAA violation RESPONSIBLY, and NOT as a classroom demonstration as SC Magazine and the News Star seem to be implying.

Behind every bullshit story is a potential grain of truth. Perhaps Sam discussed the incident and the school/health system's response (or lack thereof) as an example during a class on computer system vulnerabilities, and some student misinterpreted Sam's story. More likely, to me, is media spin by SC Magazine and the News Star looking for clickbait.

Conjecture aside, this is an issue near and dear to us, because it's a core mission for us to notify companies of potential problems just like this. I feel that in information security, a lot of companies still have a "shoot the messenger" mentality, which ultimately led to this situation.

A few people we've spoken with through social media regarding this story state that working with ISACs (Information Sharing and Analysis Centers: organizations that handle sharing sensitive information with organizations within a certain sector, e.g. REN-ISAC for higher education, ES-ISAC for electrical/gas SCADA, FS-ISAC for finance, etc.) and CERTs as a proxy or partner for disclosure has the advantage of insulating oneself from fallout like this.

WeAreTheArtillery partners with law enforcement, private organizations, ISACs and CERTs worldwide to ensure that information is disclosed properly and issues are resolved fully, especially if we do not get a response from organizations we speak to directly. Thus far, we've fared remarkably well and have suffered no fallout, but situations like Sam's are troubling to say the least.

It is a risk that comes with the territory. Ultimately, there will be misrepresentation of facts, and corporations with a shoot-the-messenger mentality like this. Our sysadmin who set up this system can do no wrong, but the security researcher who is telling you there is a problem and attempting to assist in resolving it? Fuck that guy.

