Keepnet kerfuffle: Firing legal threats at bloggers did infosec biz more damage than its exposed database

UK outfit gets a Streisand effect 101


Comment UK-based infosec outfit Keepnet Labs left an 867GB database of previously compromised website login details accessible to world+dog earlier this year – then sent lawyers' letters to bloggers in a bid to erase their reports of its blunder.

A contractor left the Keepnet Elasticsearch database unsecured back in March after disabling a firewall, exposing around five billion harvested records to the public internet, the firm admitted in a statement yesterday.

The database was indexed by a search engine, and came to the attention of noted infosec blogger Volodymyr "Bob" Diachenko, who wrote it all up. Keepnet disputed Diachenko's initial characterisation of the breach, and things spiralled from there.

As reported by news website Verdict, Keepnet was stung by Diachenko's initial post about the gaffe, which Keepnet interpreted as the blogger blaming the business for leaking its own customers' data – none of its own clients' data was exposed, but rather info from previous publicly known database exposures. Diachenko said the database contained email addresses, hashed passwords, the sources of the information, and other details, all gathered from previous leaks by hackers.

What actually happened, Keepnet later insisted, was that a contractor had screwed up by turning off a firewall. The 867GB database, claimed Keepnet, contained email addresses harvested from other data spillages that took place between 2013 and 2019.

"As part of the Keepnet Labs Solution, we provide a 'compromised email credentials' threat intelligence service. To provide this service, we are continuously collecting publicly known data-breach data from online public resources. We then store this data in our own secure Elasticsearch database and provide companies with the information relating to their business email domains via our Keepnet platform," the firm insisted.

Nonetheless, Keepnet responded to the bloggerati by sending lawyers' letters to all and sundry, demanding its name be removed from the posts about the prone Elasticsearch database. Unfortunately for Keepnet, one of those letters landed on the doormat of veteran infosec scribbler Graham Cluley. Not one to be cowed, Cluley removed the firm's name from his blog post – then tweeted about it.

In a subsequent post about the kerfuffle, Cluley said: "I gave Keepnet Labs multiple opportunities to tell me what was incorrect in my article, or to offer me a public statement that I could include in the article. I told them I was keen to present the facts accurately." This is best practice for bloggers and standard practice for reputable news organs.

El Reg has received its fair share of lawyers' letters commissioned by red-faced company execs determined to disrupt and deter news reporting of their doings. The letter sent to Cluley (seen by The Register and screenshotted at the link just above) seemingly complained that Cluley had defamed the company. It called out words that weren't actually in his blog post; cited part of an EU directive that has nothing to do with defamation law either in the political bloc or in the UK as justification; and threatened legal action, injunctions, costs and damages (£££) unless the entire blog post was deleted.

Whether the Elasticsearch database truly was exposed for just 10 minutes as Keepnet claimed, and whether those 10 minutes were long enough for it to be indexed, that index to be seeded through BinaryEdge, Diachenko to notice the new result, click around as required, download 2MB of it, inspect the download and then figure out who owned the database, is all moot. Keepnet's actions after the discovery eclipsed the original screw-up completely.

An unrepentant Keepnet said in its statement: "We have been working over the past few months to get in contact with the authors of posts who have shared inaccurate aspects of this story and have politely asked them to update their articles," which is a funny way of saying "hired a lawyer to threaten a defamation lawsuit unless the posts were deleted." This was only ever going to produce one result, and not the one Keepnet wanted.

As Cluley put it: "Security firms should be examples for all businesses on how to behave after a security breach. Transparency, disclosure of what went wrong, and what steps are being taken to ensure that something similar doesn't happen again are key to building trust and confidence from customers and the rest of the industry."

For what it's worth, El Reg didn't cover the breach at the time it was first reported because, well, it involved public information becoming public again. It is to be hoped that Keepnet's entirely self-inflicted reputational harm here teaches its founder a sharp and valuable lesson.

Keepnet did not respond last week when we asked the firm for comment. ®


Other stories you might like

  • Will Lenovo ever think beyond hardware?
    Then again, why develop your own software à la HPE GreenLake when you can use someone else's?

    Analysis Lenovo fancies its TruScale anything-as-a-service (XaaS) platform as a more flexible competitor to HPE GreenLake or Dell Apex. Unlike its rivals, Lenovo doesn't believe it needs to mimic all aspects of the cloud to be successful.

    While subscription services are nothing new for Lenovo, the company only recently consolidated its offerings into a unified XaaS service called TruScale.

    On the surface TruScale ticks most of the XaaS boxes — cloud-like consumption model, subscription pricing — and it works just like you'd expect. Sign up for a certain amount of compute capacity and a short time later a rack full of pre-plumbed compute, storage, and network boxes are delivered to your place of choosing, whether that's a private datacenter, colo, or edge location.

    Continue reading
  • Intel is running rings around AMD and Arm at the edge
    What will it take to loosen the x86 giant's edge stranglehold?

    Analysis Supermicro launched a wave of edge appliances using Intel's newly refreshed Xeon-D processors last week. The launch itself was nothing to write home about, but a thought occurred: with all the hype surrounding the outer reaches of computing that we call the edge, you'd think there would be more competition from chipmakers in this arena.

    So where are all the AMD and Arm-based edge appliances?

    A glance through the catalogs of the major OEMs – Dell, HPE, Lenovo, Inspur, Supermicro – returned plenty of results for AMD servers, but few, if any, validated for edge deployments. In fact, Supermicro was the only one of the five vendors that even offered an AMD-based edge appliance – which used an ageing Epyc processor. Hardly a great showing from AMD. Meanwhile, just one appliance from Inspur used an Arm-based chip from Nvidia.

    Continue reading
  • NASA's Psyche mission: 2022 launch is off after software arrives late
    Launch window slides into 2023 or 2024 for asteroid-probing project

    Sadly for NASA's mission to take samples from the asteroid Psyche, software problems mean the spacecraft is going to miss its 2022 launch window.

    The US space agency made the announcement on Friday: "Due to the late delivery of the spacecraft's flight software and testing equipment, NASA does not have sufficient time to complete the testing needed ahead of its remaining launch period this year, which ends on October 11."

    While it appears the software and testbeds are now working, there just isn't enough time to get everything done before a SpaceX Falcon Heavy sends the spacecraft to study a metallic-rich asteroid of the same name.

    Continue reading

Biting the hand that feeds IT © 1998–2022