igor - Fotolia
Child social media monitoring service uKnowKids has come under fire for its response to a security report regarding its IT systems.
The report claimed that a database belonging to UKnowKids – containing the personal details of more than 1,700 children – was accessible online.
The US-based firm provides a service that enables parents to monitor and analyse their child's social networking and mobile phone activity.
uKnowKids was informed of the exposure by security researcher Chris Vickery who discovered the database was configured for public access, requiring no authentication or password.
This meant that – in addition to the breach of names, email addresses, dates of birth, social media credentials and other details – more than 6.8 million text messages and nearly 2 million images were unprotected.
Vickery said there was no way to know for sure how long the data has been exposed to the public internet, or how many people had accessed the data.
According to Vickery, the company’s initial email response was positive, thanking him for the opportunity to fix the problem which “could easily” have threatened the business.
However, in a subsequent phone call, he said uKnowKids chief executive Steve Woda “tried all manner of intimidation tactics” against him.
Vickery said Woda had tried to convince him that anyone reporting the data exposure could face liability under the US Children’s Online Privacy Protection Act (Coppa).
Read more about vulnerability disclosure
- Qualys CTO Wolfgang Kandek discussed the hot topic of responsible vulnerability disclosure policies, and the friction between Google and Microsoft, at RSA Conference 2015.
- Swiss research group Modzero disclosed a vulnerability that enabled remote attacks onXceedium's Xsuite privileged access manager.
- Google's Project Zero has added more leeway to its vulnerability disclosure policy, but industry observers are split on whether 90 days is enough time to fix software flaws.
uKnowKids late to notify users
In a blog post, Woda said that a “hacker” had repeatedly breached a private uKnowKids database in an “unauthorised manner” and notified the firm of the data exposure on 17 February 2016.
Although Woda claims the problem was fixed in 90 minutes, uKnowKids has been criticised for notifying those affected by the breach five days later.
“I think that UKnowKids.com was a little late on disclosing the breach, which is concerning, since I'm sure there are parents out there who do not want their children’s personal information and pictures out on the internet for everyone to see,” he said.
Disclosure provokes hostility
Glenn said that, instead of threatening security researchers, companies should be treating them with respect and consider them an extension of their own IT department.
“They need to realise that these individuals aren’t trying to do anything malicious with their knowledge – they shouldn’t be threatened with lawsuits or the authorities being called on them. If a good guy can discover a hole, so can the bad guys,” he said.
At the DEF CON 23 hacker conference in Las Vegas in August 2015, security firm Rapid7 told Computer Weekly that – despite the importance of security vulnerability disclosure – it can be challenging to open up channels of communication with non-security companies.
Reporting a security vulnerability in a product or service is often perceived in a negative light by non-security companies, because it is “like someone in the security community telling them their baby is ugly”, said Tod Beardsley, security engineering manager at Rapid7.
Woda said uKnowKids had been “locking down on the facts over the last few days” with a forensics analysis of all systems.
“We plan to disclose all of the relevant facts to our customers, the media and the appropriate legal authorities, as soon as we are confident that our facts are 100% accurate,” he said.
Firm takes preventative measures
According to Woda, no financial information or unencrypted password credentials were vulnerable, and the data that was exposed related to “about 0.5% of the children that uKnowKids has helped parents protect”.
He said the company has reconfigured all encryption keys and data schemas, to “dramatically mitigate any previously breached data”; hired two security firms to penetration test the company’s systems, to identify any future vulnerabilities as quickly as possible in the future; and is updating its existing internal security policy and frameworks, so that there is “zero ambiguity with respect to the daily, weekly and monthly security procedures” that the company will follow to protect customer data and corporate assets.