[ISN] ‘Hacking’ Journalists Case Dredges Up Security Research Legal Debates

http://www.darkreading.com/attacks-breaches/hacking-journalists-case-dredges-up-secu/240155428 By Ericka Chickowski DarkReading.com May 22, 2013 A legal storm is brewing between researchers who uncovered a cache of sensitive information about 170,000 consumers through a Google search and the company which left the information freely available online. It sounds like the typical disclosure scuffle that the security research community has come to expect as part of the territory, with the exposed firm threatening to ring up researchers for violating the Computer Fraud and Abuse Act. But this one comes with a twist: the researchers in this incident weren’t code slingers, they were word slingers. The exposed information was discovered by two journalists with Scripps-Howard news service who stumbled into the openly searchable information from data stores held by telecom vendor TerraCom Inc. through Google. Their search came while investigating a story on why so many consumer participants in a government subsidized cell phone program called Lifeline, a program in which TerraCom and its affiliate company YourTel participated. “The Scripps News team discovered the unsecured records while looking into companies participating in Lifeline. A simple online search into TerraCom yielded a Lifeline application that had been filled out and was posted on a site operated by Call Centers India Inc., under contract for TerraCom and YourTel,” Many in the security community say the incident and its legal fallout could stand to draw attention to a more mainstream audience some of the biggest legal and ethical problems facing white and grey hat hackers today. “I love this, this is a perfect example because what you effectively have here is a very innocent set of research. They stumbled on this data through simple searches,” says Trey Ford, Black Hat general manager. “The custodian of this data was not properly managing authorized access. And just because the custodian didn’t feel like they wanted this other company or the rest of the Internet to have ‘authorized’ access to this data, they cited a law that allowed them to hide and sue someone doing something that was ultimately trying to help them out.” […] ______________________________________________ Visit the InfoSec News Security Bookstore Best Selling Security Books and More! http://www.shopinfosecnews.org