8 comments

[ 3.0 ms ] story [ 32.7 ms ] thread
Nothing in this post seems to back up the assertion that Bell was notified of the security breach.

All I see is a cryptic conversation with a low level help desk employee who would have no possible ability to know what the crackers were talking about.

It's bad that the Bell support employee was unwilling or unable to recognize it had to be escalated to a supervisor, but that's not exactly what I'd call a "disclosure" (and obviously not a "responsible" one.)

I don't expect the average help desk employee to know what SQL is, or what "owned" or "sploit" means. Half of their customer interactions consist in asking whether the modem is plugged into a wall socket and there's electricity in the rest of the house.

In Bell's defense, a chat with a tech support person is not exactly what I'd call responsible disclosure. However, I've spent the last twenty minutes on Bell's website and in that time, I have not found a single way to notify them of a security breach.

In my opinion, responsible companies (aka - the kinds of companies we should give our data to) assume that they are vulnerable to attack and make it easy for researchers to report possible problems. Having a disclosure policy and a simple, secure way to contact professionals on yourdomain.tld/security would prevent so many of these problems from ever happening.

NullCrew seem to have a problem differentiating between an exploit that is specific to MS SQL Server 2008 R2 and a generic SQL injection attack.
pretty standard "teenager with too much time" behaviour.
This is what happens when you use frontline staff to unilaterally isolate anyone worth talking to. The isolated miss things that, if asked, they would choose to hear. Everyone is ignored as if they were an asshole with a bone to pick about the company.

Sure there is weight to the argument the attackers could have made better attempts to contact Bell, or use clearer communication with support staff. Anybody trying anything can always try harder or improve their methods. But at some point the responsibility for failure to communicate has to swing on to Bell. They decided they don't want to hear from customers, just help grandma connect to the service so she doesn't cancel. This is exactly what they asked for.

>Sure there is weight to the argument the attackers could have made better attempts to contact Bell, or use clearer communication with support staff. Anybody trying anything can always try harder or improve their methods.

Careful: that turns into a "no true Scotsman" argument fairly quickly if we stray too far down that road.

Yup, that's the kind of detrimental reasoning I want to sidestep with that statement. There are no steadfast absolutes in what is reasonable to expect from Bell or the hackers. Even if you don't think the hackers made every attempt at contact they could/should have, that's no good reason Bell's bureaucracy can't also be at fault.