Security Firm Spills the Beans on Snapchat Vulnerabilities
Posted by: Richard Adhikari December 28, 2013 05:00 AM
After its discovery of a security hole in Snapchat was ignored for months, Gibson Security earlier this week released the API for the Snapchat application along with two exploits. One exploit lets hackers match phone numbers with Snapchat users' names en masse; the other enables hackers to create huge numbers of fake Snapchat accounts. Together, the API and the exploits will let hackers duplicate Snapchat's API and stalk the 8 million users the site is reported to have.
The ethical problem is not one of criminality. As the author says, Snapchat has no law enforcement that it can approach. I would point out that Gibson Security and the 8 million users do not have an avenue through law enforcement either.
I would rather have this bring the problem (in any industry really) out into the open than have some mass class action fill the newspapers for years.
Snapchat were warned and should have at least kept Gibson up to date with the speed of repairs.
I imagine they did not. Another dot-com too busy riding the wave of prosperity to do something simple like concentrate on guaranteeing the product they charge for, perhaps?
I don't know what world the author is living in, but it is not this one: "should have waited until someone had launched an attack" indeed! Like the nice attackers are going to announce an attack. Just like the recent hackers of Target did, instead of waiting THREE WEEKS for Target to discover the attack. Yeah, right. Tell that to the 40 million Target customers and banks that are now at risk.
According to the article, Gibson waited over four months for SnapChat to fix and/or respond to their warning. That is more than adequate time for SnapChat to at least respond to, if not correct, the vulnerability. I see no need to pamper the offender's arrogance with further warnings since they obviously are not listening and/or do not care. It was SnapChat's choice to ignore the private warning, so maybe this will get their attention.
And McGregor is right - laws do need to be revamped - but NOT the way he suggested. The whistleblowers should be lauded; it is the irresponsible companies and their management that need to be punished! Laws should be strengthened to protect whistleblowers and punish those responsible for exposing assets to an insecure environment.
Companies that implement vulnerable systems, fail to implement and monitor basic security measures, or allow known exploits to go unmitigated should be punished by fines that hurt, and the company officials responsible should be held personally liable, starting with the CEO. In fact, since monetary penalties are usually borne only by the company, with only token penalties (at best) for the officials, I would advocate criminal penalties for officials failing to ensure adequate security for company and customer data. Perhaps then we would see some meaningful change.
As in Japanese corporate culture, and as Harry Truman so aptly stated, the head of the organization is ultimately responsible for the actions of its people. He/she is responsible for ensuring procedures and safeguards are in place to protect the company and its customers BEFORE an attack instead of being a spin doctor AFTER an attack trying to mitigate the PR damage. Hiding behind an "I didn't know the details" is no excuse. It is the CEO who establishes the priority (or lack thereof) given to security, and it is his/her responsibility to ensure that the safeguards are adequate.
This highlights the need for the development of guidelines for reporting vulnerabilities, time to respond to notice of a potential exploit, escalation procedures/recourse if warnings are ignored and, perhaps, public security audit reports similar to annual financial audit reports.