Consider this: A hacker finds a security hole on your website that exposes hundreds of thousands of private customer records, including names, emails, and even passwords. The hacker does not steal this information. Instead, he quietly alerts you via email, but at the same time he makes the security vulnerability public on his blog.
Do you: A) Thank the hacker for bringing the security vulnerability to your attention? Or, B) seek legal action against the hacker who damaged your company’s reputation by alerting the public about your sloppy security?
This is the controversy surrounding “HackersBlog.org” – a blog where anonymous hackers alert the public about security vulnerabilities. Each blog entry lists the site hacked, how the data was captured, and what private information is accessible.
The site made its first splash when a Romanian hacker named “Unu” hacked the databases of Kaspersky – ironically, one of the leading companies in the security and antivirus market. “Seems incredible but unfortunately, it’s true,” writes Unu, “Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.”
The next target, hit the very next day, was BitDefender – another antivirus software company. Unu used an SQL injection to show how easily data could be extracted.
In an official statement, Kaspersky denied the attack was successful. BitDefender called the hack an attack and portrayed it negatively even though “the action did not intend to steal information but simply show a vulnerability.” Usually when sites are hacked, the companies are left scrambling to put out the public relations fires.
So, alerting the website by email about the vulnerability you found? That sounds white hat enough. So why expose the flaw publicly to everyone on the Internet and wreck that company’s reputation? “If we just send an email, without making it public they would fix only that parameter that we announced,” says Unu, “and it is possible [for there] to be others too.”
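To make Unu’s two points concrete, here is an added illustration (my own example, not code from HackersBlog, Unu, or either vendor): a lookup that pastes a request parameter straight into the SQL text, beside the bound-parameter version that is the proper fix for every such parameter rather than just the one reported. The table layout, sample rows and function names are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for a site's customer table;
# nothing here comes from any site mentioned in the post.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "hash-a"),
    (2, "bob", "bob@example.com", "hash-b"),
    (3, "carol", "carol@example.com", "hash-c"),
]


def make_db():
    """Build an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, name TEXT, email TEXT, pw_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, user_id):
    """Vulnerable pattern: the request parameter becomes part of the SQL text,
    so the database cannot tell the value apart from query structure."""
    sql = "SELECT name, email FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_param(conn, user_id):
    """Hardened pattern: the value is bound separately from the SQL text.
    Whatever the parameter contains, it is compared as data only."""
    sql = "SELECT name, email FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def rows_returned(param):
    """Count rows each version returns for the same request parameter."""
    conn = make_db()
    return {
        "concatenated": len(lookup_concat(conn, param)),
        "bound": len(lookup_param(conn, param)),
    }


if __name__ == "__main__":
    print(rows_returned("2"))          # both versions: one row
    print(rows_returned("2 OR 1=1"))   # concatenated: every row; bound: none
```

The second call is the "alter one of the parameters" case from the post: the concatenated version hands back the whole table, while the bound version returns nothing because no id equals that text.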
It seems that HackersBlog owes its allegiance to the public and not to the companies who allow for these breaches in security. “I’m not a criminal, I [am] not a burglar,” says Unu, “You do the work of a [pentesting firm] that could test the security of the site or [sic] server at the request of the owner. The difference is that the firm makes this for a big sum of money, a very big sum of money, and we do it as a hobby, for pleasure, free, and most of the times we do that much better, but we don’t even get a simple ‘Thank you.’”
Leave me a comment and let me know what you think about this Hacker Blog site!