From their press release:
The company behind Sparks, the app that is designed to help you connect with and meet new people nearby with whom you have shared interests, and which was first presented at SXSW in 2012, has given details of an attempted Denial of Service attack allegedly undertaken by an employee of their sub-contractors, an outsourcing development company based in Ho Chi Minh City, Vietnam.
Stephen Smith, Founder of Paragon Proximates Ltd, states: “Sparks was developed under contract with our own parent company, Digital Proximates Limited. We terminated our relationship with the sub-contractors at the beginning of January after it became apparent that the software the sub-contractors had delivered was not what was specified and, in the event, totally unfit for purpose. It was following this termination that the app was attacked.
“We have proof that the alleged attack was initiated by one of the employees of the Vietnamese developing company, one of the app developers who not only had knowledge of how to attack, but who also had previous knowledge of, and access to, our IT assets. The target of the attack was a known weakness in the system, one we had repeatedly asked the sub-contractors to rectify.
“This particular weakness had in fact been identified by ourselves and, after the sub-contractor’s repeated refusal to rectify it, we took remedial action on January 3rd 2013. But until it was addressed it was the cause of numerous outages. At the onset of the attack over 1,000 requests per minute originated from a PC in Vietnam, with one single user account. As a mobile application, with our entire user base connecting via their mobile devices, this was the only connection from a PC. The activity itself lasted for several hours and data-scanning activity was logged during this period.
“Through a detailed examination of the logs the next day we were able to identify a specific employee of the Vietnamese developing company. Given the fact that we were able to trace the source of the alleged attack back to the sub-contracted development company, we informed the company’s management in Ho Chi Minh and San Francisco, which in turn acknowledged our communication and committed itself to an investigation. However, in a later communication they denied that it was anything to do with them.
“Whilst researching the alleged hacking, it became clear that the Vietnamese developing company were copying our data to their own servers – when we asked them to delete that, they instead claimed IP over the content.”
Paragon Proximates Limited, the company behind Sparks, has reported the alleged attack and the data theft to the Information Commissioner in the UK and, with the kind assistance of the British Embassy in Hanoi and the HM British Consul in Ho Chi Minh City, to the Ministry of Information and Communication in Vietnam, and is working with law enforcement agencies in the appropriate legal territories.
The sub-contracted development company in Vietnam was established in 2008 by a team of US and European executives and claims to be a specialist in new product development with offices in Ho Chi Minh City and San Francisco.
Source: Sparks
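The two signals the press release describes, one account generating over 1,000 requests per minute and the only non-mobile client in an otherwise all-mobile user base, are exactly what a log review should surface before an outage rather than the day after. The following is an added example, not Sparks' code or logs: it assumes a combined-log-style access log with the authenticated account in the third field and the User-Agent in the last quoted string, and it builds a constructed sample log (a few mobile users plus one desktop account scanning a user listing) to run against.

```python
"""Flag a single-account request burst from a non-mobile client in access logs.

Added example, not Sparks' code. Log format, accounts, IPs and paths are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: ip - account [timestamp] "METHOD path PROTO" status size "User-Agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: the service is mobile-only, so a User-Agent without any of these is an anomaly.
MOBILE_MARKERS = ("iPhone", "iPad", "Android")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def parse_log(text):
    """Parse every well-formed line, silently skipping lines that do not match."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def requests_per_minute(records):
    """Count requests per (account, minute bucket)."""
    counts = Counter()
    for r in records:
        counts[(r["user"], r["ts"].replace(second=0, microsecond=0))] += 1
    return counts


def burst_accounts(records, threshold=1000):
    """Accounts whose peak requests-per-minute reaches the threshold: {account: peak_rpm}."""
    peak = defaultdict(int)
    for (user, _minute), n in requests_per_minute(records).items():
        peak[user] = max(peak[user], n)
    return {u: n for u, n in peak.items() if n >= threshold}


def non_mobile_clients(records):
    """(account, ip) pairs whose User-Agent carries no mobile marker."""
    return {
        (r["user"], r["ip"])
        for r in records
        if not any(mark in r["ua"] for mark in MOBILE_MARKERS)
    }


def investigate(log_text, threshold=1000):
    """Run both checks over a log and return the findings."""
    records = parse_log(log_text)
    return {
        "bursts": burst_accounts(records, threshold),
        "non_mobile": non_mobile_clients(records),
    }


def build_sample_log():
    """Constructed sample: two mobile users, plus one desktop account paging through /api/users."""
    lines = [
        '203.0.113.5 - alice [03/Jan/2013:14:05:01 +0000] "GET /api/nearby?lat=51.5&lng=-0.1 HTTP/1.1" 200 512 "Sparks/1.2 (iPhone; iOS 6.0)"',
        '203.0.113.9 - bob [03/Jan/2013:14:05:07 +0000] "GET /api/nearby?lat=51.4&lng=-0.2 HTTP/1.1" 200 498 "Sparks/1.2 (Android 4.1)"',
        '203.0.113.5 - alice [03/Jan/2013:14:05:42 +0000] "POST /api/spark HTTP/1.1" 201 88 "Sparks/1.2 (iPhone; iOS 6.0)"',
    ]
    start = datetime(2013, 1, 3, 14, 5, 0, tzinfo=timezone.utc)
    for i in range(1200):  # 1,200 requests inside one minute from one account on one PC
        ts = (start + timedelta(seconds=i * 0.05)).strftime(TS_FMT)
        lines.append(
            f'198.51.100.7 - dev-account [{ts}] "GET /api/users?page={i} HTTP/1.1" 200 2048 '
            '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"'
        )
    return "\n".join(lines)


if __name__ == "__main__":
    report = investigate(build_sample_log())
    for account, rpm in report["bursts"].items():
        print(f"burst: {account} peaked at {rpm} requests/minute")
    for account, ip in sorted(report["non_mobile"]):
        print(f"non-mobile client: {account} from {ip}")
```

The two checks are deliberately independent: a burst from a phone and a quiet session from a PC are each worth a look on their own, and an account that trips both is the case the press release describes. Alerting on either at the time, rather than reading the logs the next day, is the difference between a few minutes of elevated load and several hours of outage and data scanning.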
Well, if a company KNOWS of a vulnerability in the system, and someone is unwilling to fix the issue, then it falls back on the individuals who had requested that the vulnerability be fixed.
If the company believed they would get no retaliation from the 3rd party, they guessed wrong. In business, anything that has a 50/50 risk is probably a bad bet to trust, since it might potentially go wrong. If they felt things were going to go sour quickly, they should have been proactive and killed all access to servers and workstations. If the relationship went sour quickly, they should have geo-blocked any IP activity that may have come from that region of the world. I consider remote access one of the biggest no-no’s on the planet. It’s left open and ignored, passwords are never changed, and logs are never reviewed until it’s too late.
The “we have proof”, to me, means that they probably tried to handle this in house, meaning they have been digging into logs, servers and workstations, tainting any credible evidence. This may have been the only credible way to prove your case in court. If I were them, I would ensure that anything they identified as removed from their system is itself identified: find the earliest known date, file size and specifics of the files, which may show proof of ownership.
Unless the company has specific proof – the person actually logging in with a UNIQUE username and password – there are ways for them to wiggle out of this. They could easily say malware, a worm or other malicious code was present on the workstation and caused the issue.
Unless they worked very closely with the 3rd party contracting team, I do not see how you can say you identified a specific person performing a specific action. It’s hearsay – even though you could give an individual some privileged information, unless there is a rock-solid way, like through non-repudiation, it is very hard to pin any specific actions down to a specific person.
Even if there is just one user account on the workstation, it does not matter; proving that a specific individual sat down and participated in a malicious act toward a company takes a lot. Do you require CAC, biometrics, or unique usernames and passwords that can be absolutely positively linked back to an individual? Most will say no. Most will say it’s too expensive. But in this case, when source code or trade secrets are in question, you now wish you had a way to prove, without a shadow of a doubt, who was at the other end of all this.
Showing evil intent is very difficult. Why? How do you know which side is actually at fault? A company that complains first is not always the innocent side. What we hear is one side of the story. We don’t see the paperwork, contract or deliverables to see whether the material delivered was as per the contract, or whether the company then decided to change things mid-stride without any contract modifications, or compensation for the extra hours worked to keep it on schedule. Though this is hypothetical, it is a possibility.
The first mistake was taking this into their own hands. Now, if a non-biased 3rd party forensics team comes in, they might have a very, very difficult time proving any of this.
In respect to the copying of their data – if that data is backed up to, say, a removable hard drive and removed from the company premises, who is to know? It’s best to flush any influence of what this 3rd party did, and redo it yourself. You can fight a legal battle, costing a ton of cash, or you can allocate those funds to obtaining a “clean” version of the software all over again.
It’s a tough decision. You should report it, but to what extent do you pursue legal matters if you do not have positive proof that this will hold up in a court, especially when it crosses through other countries?
Short of giving the 3rd party a bad rep via the press, good luck on any sort of compensation. =\