IT pro Rob Dyke says an NHS-backed company not only threatened him with legal action after he flagged an exposed GitHub repository containing credentials and insecure code, it even reported him to the police.
Dyke, who has appeared in this organ before, said in March that he had received letters from lawyers representing the Apperta Foundation after he told the organization he had found a public repo containing the source code for an insecure online portal and its database, which held usernames, hashed passwords, email addresses, and API keys.
We were told the repo contained two branches and was dated 2019. It obviously should not have been public, because it could be used to view internal purchasing, receipt, budget, and spending information through the portal. The material was left public for so long that the Internet Archive holds a copy of it, showing that the files were committed to GitHub by a now-deleted account that appears to have belonged to a former Apperta staffer.
What followed united infosec professionals around the world, triggered a crowdfunder, and set off a legal tussle: Apperta told us it sent legal demands to Dyke, and followed them up by reporting him to the police, accusing him of breaking Britain’s computer security law.
The story isn’t straightforward, though, and it shows that vulnerability disclosure, and the response to it, can be a minefield, especially when the two sides have a history of falling out with each other.
Found some things you don’t want online
The public-facing repository was discovered at the end of February, and the company was notified on March 1 with a written report of his findings. Apperta’s initial response was good, Dyke told The Register, and the organization thanked him. “The repo quickly went private, and their portal website was taken offline,” he said.
We understand Apperta, a not-for-profit that provides technology, support, and funding for health and social care, has removed its GitHub repo and replaced the exposed API keys.
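The core failure here was credentials and password hashes sitting in a repository for years. The scanner below is an added example (not code from the article, Dyke, or Apperta) of the check a repo owner can run before publishing or after a leak to list what must be rotated: the two heuristics (credential-named assignments with high-entropy values, and bcrypt hashes) and the sample files are constructed for this example.

```python
"""Heuristic scan of a repository snapshot for committed credentials."""
import math
import re
from typing import Dict, List, Tuple

# Heuristic 1: a key/secret/token/password variable assigned a quoted literal.
ASSIGN_RE = re.compile(
    r'(?i)\b([a-z0-9_]*(?:api_?key|secret|token|password)[a-z0-9_]*)'
    r'\s*[:=]\s*["\']([^"\']{8,})["\']'
)
# Heuristic 2: a bcrypt password hash ($2a$/$2b$/$2y$, cost, 53 chars salt+digest).
BCRYPT_RE = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")


def shannon_entropy(s: str) -> float:
    """Bits per character; real keys score high, placeholders like 'changeme' low."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> List[Tuple[str, int, str]]:
    """Return (path, line_no, kind) for each likely credential in one file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.search(line)
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            findings.append((path, no, f"assignment:{m.group(1)}"))
        if BCRYPT_RE.search(line):  # leaked hashes are crackable offline: force resets
            findings.append((path, no, "bcrypt_hash"))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a {path: contents} snapshot; every hit is something to rotate or reset."""
    hits: List[Tuple[str, int, str]] = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


# Constructed sample snapshot (made up for this example, not the real repo).
SAMPLE_FILES = {
    "portal/settings.py": 'DEBUG = True\nAPI_KEY = "k9Tz3qLm8vXw2Ry7Bn4Hs6Jd"\nDB_PASSWORD = "changeme"\n',
    "dump/users.sql": "INSERT INTO users VALUES ('alice', 'alice@example.org', "
                      "'$2b$12$C6UzMDM.H6dfI/f/IKcEeO5rSwA6zU4i3NtKVa8h1kFMuRDiUpS0y');\n",
    "README.md": "# Portal\nSet API_KEY in the environment, never in the repo.\n",
}
```

Running `scan_files(SAMPLE_FILES)` flags the live-looking API key and the password hash but not the `changeme` placeholder; making the repo private does not undo a leak, so each hit still needs rotation or a reset.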
Here’s where the wheels came off. When he privately disclosed his findings, Dyke told Apperta that he would keep a copy of the files he had found for three months. As he writes on his crowdfunding page, set up to raise £25,000 to cover his legal bill in fending off Apperta:
Apperta regarded this as the unlawful copying of its data, with its internal information being held by a third party without permission for an unknown purpose. A week after receiving Dyke’s report, the company’s lawyers wrote to him demanding that he destroy his copy of the files.
‘Data you took illegally’
Why keep the data at all? Dyke told us he held onto the information in case it was needed as the situation unfolded after the disclosure. “It’s a record of my actions,” he said. “And it’s important that I keep it in case there’s a broader cyber incident that I’m not aware of.”
Views on the ethics and legality of keeping copies of exposed data vary. In the UK, it’s frowned upon.
Dyke, a cloud platform engineering lead at a global consultancy, reminded Apperta that he had only viewed publicly accessible web pages, said he would delete the fork of the repo he had made on GitHub in order to analyze it, and said he would destroy his copy of the data three months later, among other undertakings. The next morning, Apperta’s lawyers said this was not enough, and pressed him to sign a document affirming that he had removed the materials.
The lawyers also picked up on something Dyke had put in his report: he said Apperta’s portal “should be considered compromised” because its code, database, and vulnerabilities had been exposed for anyone to find for years.
“And this is where a little bit of domain knowledge goes a long way,” Dyke told us. “So in my report to them, I said, you should consider the Apperta portal compromised. Now there’s a technical word here; it has meaning in infosec.”
Apperta, Dyke said, read the word “compromised” as a threat of, or an admission of, malicious activity by Dyke himself. His tweets saying he had found and analyzed the contents of the repo, without naming the owner, were taken by the company as boasting of the “unlawful taking” of its data and as a threat to leak the nonprofit’s files. Dyke said this interpretation is wrong.
All this led to the solicitors asking him to sign a document stating …
“As I’m not stupid, there’s no way I’m going to sign that,” Dyke said, because it would be pretty much signing a confession that he had “illegally obtained” data from Apperta’s systems. Had Apperta not asked him to admit to a criminal act, he would have signed its agreement, he added. Instead, things stalled as Dyke’s lawyers and Apperta’s lawyers went back and forth for weeks, with Apperta making clear it wanted to apply to the High Court of England and Wales for an injunction against the IT pro. Such a court order would have prohibited him from publicly disclosing any information he had obtained.
Eventually, Dyke backed down before it reached court, informing Apperta that he had deleted the files and, he told us, sending them some evidence. “I’ve already sent them the summary with screenshots, and a copy of the repo and my report. I’ve deleted those things,” he said.
Dyke also named Apperta on Twitter and made his findings public. The infosec community rallied around him.
Security researcher @robdykedotcom recently discovered and responsibly disclosed security vulnerabilities in @AppertaUK about sensitive information stored in their publicly available repositories. He now faces legal retaliation. Let’s help him. https://t.co/cq6dXwxVNg
– Hacking is NOT a Crime (@hacknotcrime) April 27, 2021
At the time of writing, his crowdfunding effort has raised more than £15,000 towards paying his legal fees. Dyke also tweeted a partially filled-out High Court claim form and penal notice, which he said was sent to him by Apperta’s lawyers.
If you haven’t seen high court order papers before, allow me
– Rob Dyke (@robdykedotcom) April 25, 2021
For its part, Apperta confirmed to The Reg that the brouhaha did not end up going to court, and said its actions were justified. It also, surprisingly, claimed there had been an “unauthorized intrusion” into its systems:
It also said: “While Mr. Dyke claims to be acting as a security researcher, he used many techniques beyond the boundaries of good faith research, and he did so unethically,” adding that this had been “confirmed by independent experts.”
It did not detail what those techniques were, or whom it retained to review Dyke’s work.
So, we meet again
Dyke said he had previously worked with Apperta on open-source NHS projects. In fact, he had a copy of its information security policy from that time, he told us, and said he followed it when he disclosed the GitHub blunder to Apperta.
We have heard allegations of a personal falling-out between those involved in this case, which coloured both the vulnerability disclosure and the legal response. As far as the disclosure goes, The Register has seen evidence that the repo in question was uploaded two years ago by a former Apperta staffer, and that it should not have been public.
Northumbria Police confirmed to us that its officers had dropped an investigation into a report of “computer misuse,” with a spokesman saying: “We can confirm there is no further investigation.”
As for any potential civil dispute, Dyke has since provided legal undertakings to Apperta, as both parties separately confirmed to The Register. He thanked his legal team, infosec bod Sick Codes, Disclose.io, and the Twitter campaign account HackingIsNotACrime for their support.
Comment: What can be learned here?
Vuln disclosure can be quite a process. Someone in Dyke’s position in future might be better off asking a trusted organization or confidante to disclose a security hole on their behalf rather than doing it personally, especially where an existing relationship has soured for whatever reason. Bug bounty schemes and similar vulnerability disclosure programs are the best route where available, because they should have a well-defined process for passing on evidence and details in a way that does not end in a police report.
Telling an organization that has had a security lapse, and especially its lawyers, that you are keeping a copy of the leaked data will rarely trigger a positive reaction. Retaining data after remediation should not be the norm, we think.
In another context, Westminster Magistrates’ Court in London, England, has held that copies of leaked data on hardware seized by police were a strong reason not to return the hardware to its rightful owner.
If the company in question sets its lawyers on you, get your own lawyer. Handling legal negotiations on your own can end expensively and painfully. Some household insurance policies include legal cover, and it is worth checking yours carefully. ®
Disclaimer: The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of knews.uk and knews.uk does not assume any responsibility or liability for the same.