Always be professional (or at least don’t piss off a security researcher)

Yesterday someone asked the Twitter account of a popular cellular service in Europe whether they stored their passwords in plaintext. I don’t know where the question came from, but they must have known something, because the representative replied that they only look at the first 4 characters of a password, implying that they do store them in plaintext.

This opened up a storm for the company. Multiple individuals questioned the practice and instead of staying silent or trying to answer with some policy or procedural reason, the telecommunications representative started to get defensive and claimed that they have ‘amazing good security’. This was just the start of it.

Researcher after researcher started conducting a grey hat penetration test and posting pictures of the company’s robots.txt, server information, and one even used what I assume is SQL injection to have an alert pop up on one of the sites.

I agree that what this representative did was wrong. If someone says your security is not good and you have no idea what they are talking about, do not try to respond to that. In fact, that should go for anything in life: if you don’t know, you don’t know, so don’t try to pretend that you do. Getting defensive isn’t the right way either, especially when this all started with someone innocently pointing out a bad policy.

That being said, what happened afterwards was irresponsible. I believe in penetration testing and bug bounty programs as an ethical means of improving security. Hacking a website and publicly shaming a company for poor security is not the way; it is what a bully does.

If the ethical hacking community wants respect, it has to act responsibly and educate the world about better security practices. It can’t harass people and embarrass them. If I were a researcher in this case, I feel the responsible thing to do would have been to write an email to a higher-up representative, the CISO or some other VP within the company. That way someone who hopefully understands security, and who can actually effect changes within the organization, is made aware of the issues.

I’m new to the ethical hacker community, but I’ve always approached the world with a humble, respectful and professional attitude. I don’t know everything and people generally answer my questions because I don’t pick fights with them first. The respect goes both ways, but one side has to be the ‘big boys and girls’ sometimes and overlook a little disrespect, as many of the researchers I follow do.
