
Malware whistleblower 'threatened' by Australian firm


In a sad twist of irony, a security researcher who found a security flaw in an Australian firm's website got a legal threat from the very firm he was trying to help.

Researcher Patrick Webster's woes started in September when he informed his pension fund of a security flaw in its website, Risky.biz reported.

"The annoying part is that I contacted First State straight up. I gave them my number, email... and full details in my email including LinkedIn and they called the cops," Webster said.

He said he had contacted the firm, First State Superannuation, to inform it of the problem. Webster said the firm's initial response was positive, praising him for taking time to notify it.

But on Oct. 12, two New South Wales police officers sought Webster at his home and said they were "after" him, and that the case was "about downloading files" from First State Super. Risky.biz said the company has also suspended online access to Webster's account.

On Oct. 14, First State Superannuation's law firm, Minter Ellison, sent Webster a letter demanding he turn over his computer to the investment fund. The letter threatened to pursue Webster for costs incurred "in dealing with this matter" if he does not agree to delete all information he obtained by demonstrating the flaw and promise to never attempt to access other member information again.

But Webster maintained he deleted the information in September. He said some member information, around 500 statements, was downloaded to his computer when he tested a bash script that would demonstrate the flaw to the company's IT staff.

Risky.biz noted that had Webster found the bug in a Facebook or Google Web application, he "would have actually received compensation for his time, not reported to the police and threatened." (http://www.risky.biz/minter)

First State: Webster's actions a breach of privacy

First State said that while Webster claimed his "unauthorised access" was meant to highlight a security weakness and not to commit fraud, "his actions were nevertheless a serious breach of privacy legislation." Thus, it said it was obliged to report the matter in accordance with the recommendations of the Privacy Commissioner.

"On legal advice First State Super also reported the incident to the NSW Police so we could ensure that any unauthorised copies of the member statements involved were destroyed. We have no doubt that First State Super members would expect such certainty in relation to the privacy of their information," it added.

"First State Super appreciates that the actions of the person involved has allowed us to address an undetected weakness in our online security. Subject to his compliance and cooperation in ensuring that the unauthorised statements he downloaded have been destroyed, we have no intention of taking any other action against him," it said.

Defense fund?

For its part, computer security firm Sophos hinted it may support Webster if he sets up a legal defense fund.

"And if Mr. Webster sets up a legal defense fund, let us all step forward and send a bit of coinage down under, in support of his efforts to point out a simple security error before people's funds were compromised, and to attempt to rectify the cockeyed misdirection of police time and the backwards misflow of blame," it said in a blog post. — TJD, GMA News
