Security researcher Chris Vickery has exposed serious lapses in information security, by locating databases that lack basic security practices, like passwords. What started as a hobby turned into a contract blogging about his work for MacKeeper. Through his research, Vickery found the Mexican voter database without password protection. He also discovered one database at a child tracking firm configured for public access.
In a conversation with CIO Dive, Vickery discusses his work finding publicly accessible, unsecured databases that threaten data security, leaving sensitive personal and proprietary information at risk. This conversation has been condensed.
What exactly do you do? Is white hat hacking your full time job?
Vickery: Well I stay away from the word 'hacking.' That complicates things greatly when I deal with legal authorities and entities. Law enforcement know that once they hear the word hack, they immediately think criminal activity. They don't think of it as the tech industry does.
To hack something is technically to figure out a way to use it that it wasn't intended to be used. But, as far as legal authorities go, they think it's criminal activity.
An interesting comment that I got out of the Mexican (voter database) situation was that what I do is more similar to journalism then straight up hacking, per se, because I'm not actually hacking anything.
All I do is find publicly available information and then publicize its existence, which is done in a very high tech way. But I'm not doing anything that a normal person couldn't do really. I just happen to know where to look.
Then should we call you a security researcher?
Vickery: That's kind of the preferred term.
Is there a such thing as a white hat hacker? When people are going into these kind of breaches and they're looking for exploits, isn't that still just a hack?
Vickery: Well it kind of comes down to the legal term 'mens rea.' It's a Latin term that means 'the state of mind.'
When somebody refers to a white hat hacker, they may be exploiting things the same way a black hat hacker might exploit things, but the outcome, the disposition and the mens rea are two very different things.
The white hat hacker is going to alert the company and let them know that that exploit exists and they're not going to take advantage of it and harm anybody. Whereas the black hat hacker would use it for selfish purposes and would end up probably harming the end users. So I think there is a difference, although they are both pushing the lines of legality.
Do you do this work privately?
Vickery: I have a normal day job. I do IT support at a law firm here in Austin, Texas and in that capacity I just keep things running. If attorneys have problems with their computers I fix them. Then a hobby of mine, that kind of just evolved out of interest, was finding data breaches.
Their ultimate response was 'hey, let's not persecute this guy. Let's hire him to kind of look at our site and also blog for us.' So, I do the security research independently but I'm contracted to blog about it on the MacKeeper website. They kind of see it as a public service to raise awareness about data breaches.
When you present your findings to a business, what is the reaction?
Vickery: The first reaction is usually, 'Oh that's a test database, it's not real data, it's fake. There's no breach.' However that's almost always a lie. There is some law firm or some organization out there coaching people, I believe, to say that data breaches are fake data.
When I am able to contact somebody in an IT department, usually we can talk the same language and they're very grateful and they realize that I saved their bacon by finding this. Even if it's going to get publicized and they're going to get a little embarrassed, they ultimately are coming out better in the situation.
However, when I get talking to PR departments or CEOs, that's when the accusations of hacking start coming out and they start to get a little more aggressive and they start to push back a little bit.
They say the 'alleged vulnerability' or 'this exploit that you took advantage of,' when really I've taken advantage of nothing.
How long do you give these companies to secure their systems before you publicize the findings?
Vickery: To secure it? I expect it to be secured immediately.
Once I notify somebody that has the power to secure it, I expect it to be secured within a couple of hours. I don't expect them to be able to let it go on days and days and days unsecured.
Now, time to publicize about it is a little bit different because sometimes they need to get a PR team together and they need to properly address their users. They don't want their users to read about it in an article before they have a chance to send out an email. I'm sympathetic to that.
So when you approach these companies, are there bounties involved?
Vickery: I have never been paid a bug bounty at all. The only reward I've received, really, is MacKeeper contracting with me to blog on their site.
What's in it for you? It sounds like this is pro bono work, so why do it?
Vickery: Well at first it was pro bono work, kind of a hobby. It's very exciting to me to hunt down these types of things and it makes me feel very good to know that the million people I just secured are not going to be victims of identity theft. It makes me feel good inside.
How do you find out that there is a vulnerability in these systems?
Vickery: Well like I said, I'm very careful about using the word 'vulnerability.' It's more of an exposure because there isn't a vulnerability. The only vulnerability is they forgot to put a password on it. But it's more of an exposure at that point.
For many of these cases, has it just been simply that the companies have not put a password on their servers?
Vickery: That's it in a nutshell. They simply either remove the password or never put one there. That's the easiest way to explain it.
Why would a company not put a password on all of their proprietary information?
Vickery: Convenience and laziness. Human laziness.
They A) don't think that anyone's going to find it. B) some don't know that other people can find it. C) they want easy access to it without having to program the passcodes into all of their apps that access it. And D), they hired staff that are too lazy to do the work and want the easy way out.
It all comes down to bad business practices.
Is it possible that in some cases it's just merely an accident?
Vickery: Well yeah, there's possibly the situation where somebody is not familiar with (a system) and simply didn't know that they have to put a password in there.
Normally people that (have) deployed these types of servers at least know that you need to put a password on it.
What are businesses doing wrong when it comes to securing their systems?
Vickery: What they're doing is they get tunnel vision and they see it from their side. They go to work and they access it and they think that they are the only ones that can access it.
What people need to do is try to access things from your home computer as well. Get your important IP address, your important websites and just try to access them from the outside. Kind of escape that tunnel vision. Think outside the box.
If people did that more, about 90% of the breaches I find wouldn't happen.
Are there any stories that come to mind of a particular company not being very receptive?
Vickery: I found an escrow firm that had $3.5 million in dispersible funds sitting in their system and I found a database with the administrative credentials and all of their client logins, many of them plaintext.
I called and I was able to get in touch with their IT guy and he asked for a week before publicizing it.
Turns out, he thought I meant a week to secure it. I woke up early the next morning, (on) Christmas Day, and decided to just double check to make sure he got it down and it was still exposed. I was livid.
I was like, 'What is this guy doing?' He's got $3.5 million dollars there that somebody could take advantage of. And so, in a funny twist of events, you know how I found the the U.S. voter registration database as well? The 191 million people? I looked up his CEO's home phone number in the voter registration database and called his CEO at 2 a.m. in the morning Christmas Day to explain to him that his $3.5 million dollars was at risk. Half an hour later, 2:30 a.m., it was secured.
What was the name of the company?
Vickery: The name of the company was Three Lock Box.
To me it seems like you're finding these shortcomings in security kind of just by poking around. Meaning anyone could find one. Is this correct?
Vickery: Exactly. Everything that I do anybody in the world can do, which is why I'm surprised it's taken so long to really get a spotlight shining on this. I have theories that there's a lot of people doing it and just not saying anything because they don't want to get sued, they don't want to get called a hacker or they're actually malicious and into trading data around.
Because every company that I find a data breach for they say, 'oh, Chris Vickery was the only one that accessed that. Our logs show that he was the only one to access it.' That's just statistically not possible.
What keeps you up at night in terms of security challenges?
Vickery: I would probably worry most about the human aspect. Humans are the weakest link in the chain.
At my law firm I worry all the time about somebody just clicking on a bad attachment, because we get so many of those and people are just not that bright usually. I think we've been very fortunate in my firm to not have suffered a large scale breach like many have because we train our users and we ram it into their heads, 'don't trust anything,' even if it looks like it's coming from somebody that you know.
Everyday there are stories of malware hitting systems and wreaking havoc, but your findings have nothing to do with that. This is about human error, is that correct?
Vickery: Yeah this is just plain gross negligence.
I was called by some FTC attorneys a little while ago. They're very interested in following the work that I do because the FTC can't go after a company that's been hacked because the company that has been hacked is a victim and they usually took proper security protocols into account. And if there was a zero day vulnerability, you can't do anything about that. There's no patch to stop that. However, a company that failed to put a password on their database? The FTC has no problem completely ruining their day.
When will companies start working to make sure their systems are actually secure?
Well there's no end in sight for this type of thing. It's just going to keep getting bigger.
This is not going to get better until it starts to affect profits and profits are not going to be affected until the laws has some teeth to them. Right now, companies are getting away with a slap on the wrist for giving away millions of Social Security numbers and health insurance records. It is just not affecting their bottom line. It's too profitable to be willy nilly with our personal information. What needs to happen is we need to make some big examples of big companies and ruin them because of what they have done to people's lives.