I do love it when some PHB's brilliant plan to sick the legal eagles on someone falls apart.
Keepnet kerfuffle: Firing legal threats at bloggers did infosec biz more damage than its exposed database
UK-based infosec outfit Keepnet Labs left an 867GB database of previously compromised website login details accessible to world+dog earlier this year – then sent lawyers' letters to bloggers in a bid to erase their reports of its blunder. A contractor left the Keepnet Elasticsearch database unsecured back in March after …
Wednesday 10th June 2020 19:06 GMT Blazde
Wednesday 10th June 2020 19:16 GMT DavCrav
"The 867GB database, claimed Keepnet, contained email addresses harvested from other data spillages that took place between 2013 and 2019."
867 GB just containing e-mail addresses? That's either a terribly written database, or a lot of addresses. If there's other stuff as well in there, like PII, then I start waving GDPR at this UK-based company.
Wednesday 10th June 2020 19:44 GMT diodesign
"just containing e-mail addresses?"
FWIW Diachenko said the data silo contained:
* hashtype (the way a password was presented: MD5/hash/plaintext etc)
* leak date (year)
* password (hashed, encrypted or plaintext, depending on the leak)
* email domain
* source of the leak (I was able to confirm a few of the most prominent ones: Adobe, Last.fm, Twitter, LinkedIn, Tumblr, VK and others).
Wednesday 10th June 2020 23:48 GMT IGotOut
Keepnet an information security company can keep information secure.
What a joke.
Maybe they should just become patent trolls instead, although their lawyers seem as incompetent as the security team.
Before Keepnet, the information not-sec team blame the contractor...
... WHERE THE FUCK WERE YOUR CHANGE CONTROLS?
Thursday 11th June 2020 02:41 GMT Anonymous Coward
So about that EU directive...
It's a bit of a reach, but it looks like the lawyers were trying to play on the EU's limited equivalent to DMCA, where immunity from hosting liability ends if the hoster is made aware of illegal content:
Article 14Of course the extremely clever and magnificently competent lawyers have begged the question of content illegality by assuming it's defamatory. And they've failed to cite a proper legal basis for the reporting being defamatory. They claim it's untrue, but fail to quote any statement that is demonstrably untrue let alone one that actually appears in the post. What's the betting this was a template letter and the quoted statement appeared on some other site? Really earning those 6-minute billing increments, folks.
1. Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that:
(a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or
(b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.
Thursday 11th June 2020 04:36 GMT Joe Montana
"We then store this data in our own secure Elasticsearch database"
This statement has proven to be false, their database was demonstrated to not be secure.
If all it contained was a mirror of already-public data then noone would have cared anyway.
Also what is it with hiding known insecure services behind a firewall? The service should have been configured to use a secure form of authentication first, and then placed behind a firewall as a second layer. If one layer still fails you still have others.
Thursday 11th June 2020 10:08 GMT Anonymous Coward
Some people are worse even than that.
People who, when told "it's not a good idea to put, what is intended as a LAN product, directly acessible from the internet, you should secure it", respond with "it's ok, were going to put an SSL certificate on the server".
And these were resellers.
Of security products.
Thursday 11th June 2020 12:34 GMT heyrick
Thursday 11th June 2020 16:33 GMT TonyJ
Re: truly was exposed for just 10 minutes as Keepnet claimed
truly was exposed for just 10 minutes as Keepnet claimed
Doesn't really matter. 10 minutes, 10 hours, 10 days...
What matters is that it was exposed, and that it was noticed. And accessed..."
Quite. "I am sorry I murdered you but at least it was a quick death!." Still dead.
Thursday 18th June 2020 08:26 GMT Robert Jenkins
On the subject of GDPR - how is that database content in any way legal?
OK, the the leaked database contains other peoples information.
How can a company legally retain data that was never legally released to them or its use authorised by the people who it relates to?
Anyone want to play "Spot the GDPR Brteaches?
Have they contacted every single person whos data is involved?