A security step too far
The idea that the finder of a security lapse could face brickbats instead of bouquets from a less than grateful company may sound ridiculous, but that's exactly what seems to have happened to Australian security researcher Patrick Webster.
Webster's troubles began after he alerted his investment fund, First State Super, to a glaring security lapse - a lapse so well known that it sits at number four on OWASP's Top 10 list of application security risks (A4, Insecure Direct Object References, in the 2010 edition). However, instead of accolades, Webster was thanked with a legal threat and notice that he just might be billed for the security fix.
As brought to light by Patrick Gray on Risky.biz, First State Super's law firm, Minter Ellison, sent Webster a letter on October 14 demanding that he turn over his computer.
According to Gray's account, First State Super threatened to recover the costs incurred "in dealing with this matter" if Webster did not agree to delete all information he obtained by demonstrating the flaw and promise never to attempt to access other members' information again.

The trouble with direct object reference
Webster's sin was to uncover the fact that his pension fund allowed logged-in members to access their online statements via what's known as an insecure direct object reference: the statement's identifier appeared directly in the browser URL, and the server returned whichever statement that identifier named without checking that it belonged to the logged-in member. Other members' statements could therefore be pulled up simply by changing a single digit in the displayed URL.
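The following is an added illustration, not code from First State Super or from the article: a toy in-memory "member statement" endpoint written two ways. The vulnerable version looks up the statement by the identifier taken from the URL and never asks who owns it; the hardened version scopes the lookup to the authenticated member and returns the same error whether the record is missing or belongs to someone else. The data, the sequential statement numbers and the function names are all assumptions made for the example. A small enumeration helper shows what a script like the one described above does against each version.

```python
"""Insecure direct object reference (IDOR) on a member-statement endpoint.

Constructed example: a toy in-memory store, not the pension fund's code.
Statement ids are sequential integers (an assumption consistent with the
"change a single digit" description); everything else is invented for
illustration.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Statement:
    statement_id: int
    member_id: int
    body: str


# Constructed sample data: three members, statements numbered sequentially.
STATEMENTS = {
    1001: Statement(1001, 1, "Member 1, balance $52,310.40"),
    1002: Statement(1002, 2, "Member 2, balance $8,455.12"),
    1003: Statement(1003, 3, "Member 3, balance $140,002.00"),
}


class NotFound(Exception):
    """Would become an HTTP 404 in a real app."""


# --- Vulnerable: the caller is authenticated but never authorised -----------
def get_statement_vulnerable(session_member_id: int, statement_id: int) -> Statement:
    """Looks up whatever id the URL names. The logged-in member id is
    available but ignored, so any member can read any statement."""
    try:
        return STATEMENTS[statement_id]
    except KeyError:
        raise NotFound()


# --- Hardened: scope the lookup to the authenticated principal --------------
def get_statement(session_member_id: int, statement_id: int) -> Statement:
    """Only returns a statement the session owner is entitled to see."""
    stmt = STATEMENTS.get(statement_id)
    if stmt is None or stmt.member_id != session_member_id:
        # One error for "does not exist" and "not yours": a different
        # status for each would let an attacker map which ids are live.
        raise NotFound()
    return stmt


# --- Alternative: indirect references, so the real id never hits the URL ---
class ReferenceMap:
    """Per-member random tokens in place of database ids (assumed design)."""

    def __init__(self) -> None:
        self._by_token: dict[tuple[int, str], int] = {}

    def issue(self, session_member_id: int) -> dict[str, int]:
        """Mint a token for each statement this member owns; the returned
        token -> id map is what the page-rendering code uses to build links."""
        issued: dict[str, int] = {}
        for stmt in STATEMENTS.values():
            if stmt.member_id == session_member_id:
                token = secrets.token_urlsafe(16)
                self._by_token[(session_member_id, token)] = stmt.statement_id
                issued[token] = stmt.statement_id
        return issued

    def resolve(self, session_member_id: int, token: str) -> Statement:
        """A token is only valid for the member it was issued to."""
        sid = self._by_token.get((session_member_id, token))
        if sid is None:
            raise NotFound()
        return STATEMENTS[sid]


def enumerate_statements(handler, session_member_id: int, start: int, count: int) -> list:
    """What an id-walking script does: try consecutive ids, keep what comes back."""
    leaked = []
    for sid in range(start, start + count):
        try:
            leaked.append(handler(session_member_id, sid))
        except NotFound:
            pass
    return leaked


if __name__ == "__main__":
    # Member 1 walks ids 1000..1009 against each handler.
    print(len(enumerate_statements(get_statement_vulnerable, 1, 1000, 10)))  # 3
    print(len(enumerate_statements(get_statement, 1, 1000, 10)))  # 1
```

The fix is not to hide the id or rate-limit the walk; it is the ownership check on every lookup (or the indirect map, which makes the check implicit). Note also that the hardened handler returns the same error for a foreign statement as for a non-existent one, so the endpoint does not become an oracle for which ids exist.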
Webster says that he cooked up a script to demonstrate the flaw to the investment fund's IT staff, downloading some 500 account statements and then promptly deleting the information in September.
Here's the company's rationale for not only suspending his online access but also for potentially sending Webster the bill for the security fix:
“Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar's systems, your actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.1 of the Criminal Code Act 1995 (Cth). You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police.
Further, as a member of the Fund, your online access is subject to the terms and conditions of use which are outlined on the Fund's website. Your unauthorised access also constitutes a breach of those terms and has caused the Trustee to expend member funds in dealing with this matter. Please note the Trustee has the right to seek recovery from you for the costs incurred in accordance with those terms.
[....]
In addition, the Trustee reserves its rights to require you to allow it's IT personnel to examine your computer during business hours to verify that all data and records on your computer have been destroyed or deleted.
In the meantime, the Trustee has suspended your online access to the Member Section of the Fund's website.”
No good deed goes unpunished. But one would hope that most good deeds go without prosecution against the do-gooder.
One would most fervently hope that most good deeds don't result in companies, especially ones with such glaring security issues, making onerous demands to punish those who point out their insufficiencies.
Re-evaluating best practices
What's ironic is that this news crosses my desk on the same day on which I had a conversation with Akamai's Josh Corman about how, in these post-Anonymous days, we have arrived at a place where organisations are becoming more transparent about their victimisation through security breaches.
"Looking across the swaths of security compromises both in the security and the non-security industries in the last 12-18 months... [and] watching incident response and public relation successes and failures," Corman has noticed that the current state of predation by Anonymous, LulzSec et al. is forcing the industry to re-evaluate best practices for communicating breaches.
"I think there's a shift from 'keep quiet and hide it' to more modern expectations from the installed base," he said.
In other words, we're seeing more transparency about what happened in a given security breach and how the situation was attended to. It's an evolution to a new set of best practices in crisis management, Corman explained.
So are things better, more transparent in the Northern Hemisphere compared to Australia?
Actually, this isn't even a question of lack of transparency, it’s not a question of a company going mum and hiding under a rock. No, this is a situation in which the company is hurling the rock at an innocent researcher's head.
Now, it’s probably unfair to think that Australia is completely backward when it comes to understanding communications, computers and the internet. But in this instance, something's certainly flowing backwards.
Fortunately for Webster, First State Super has updated its website with a statement about the incident - notifying its broader customer base of the security issue - and explaining that it plans to take no further action against him.
Lisa Vaas is a technology writer for Sophos.
Have your say

A classic case of 'trying to shoot the messenger', with but nothing more than a thinly-veiled threat per puerile pursuit, but if anyone needs a shunting, it's the 'messengineer' [sic], not Mr Webster. Just how certain are First Super et al. that Mr Webster's -- or any unauthorised entity's -- access to their [First Super's] putatively private information has now been curtailed? One thing always leads to another and this event presents as a veritable and clear-cut case of the blind attempting to lead the already blind-sided, but Mr Webster felt that he saw the way clearly enough to close a pernicious loophole in security. I once notified persons of serious breaches in security but now prefer to sit on any information and let things take their course.
I personally would have nothing whatsoever to do with First Super or Minter Ellison given their method of operation. Minter Ellison evidently doesn't know the difference between the possessive "its" and the contractive "it's". This could provide Mr Webster with 'an out' in reference to the demand that he provide access to his computer to "it's [sic] IT" [First Super's] personnel. The pun here is that perhaps Minter Ellison possibly feels "it's" under contract with First Super to operate accordingly. They could have simply cut to the chastising-chase of Mr Webster and lumped in IT, making "it's" "IT's"!