Admin Admin, Part 1: From responsible disclosure to a prison cell

  • by

Here is the first instalment of a remarkable, sad, unbelievable yet true story of a guy I met through the infosec community on Twitter.

Alberto Daniel Hill (@ADanielHill) is a cyber security professional from Uruguay and what he is about to discuss here might disturb you.

Even I was in disbelief after I heard the whole story…

Without further ado, let’s hear what he has to say.

Who is Alberto Hill - his own introduction

“I am a computer engineer with more than 20 years of experience linked to Information Security (Consulting, Computer Forensics, Ethical Hacking, IT Security). I worked in many large companies in Uruguay and provided services for companies in other countries.

In 2011, I specialized in the  ISO/IEC-27000 standards, as well as Ethical Hacking and approved several courses related to a wide range of IT Security fields.

I am PMP-certified and have led many Information Security projects since 2011. I also have the Cybersecurity Fundamentals Certificate (CSX) from ISACA, organization that awarded me a PLATINIUM membership recognition.

The CSX certification in Cybersecurity demonstrates knowledge aligned with the National Institute of Standards and Technology (NIST), National Initiative for Cybersecurity Education (NICE), which is compatible with global cybersecurity issues, activities and job roles.

I have been part of the team of volunteers of the OWASP Uruguay chapter since 2012. I have been recognized worldwide for my knowledge of Blockchain and Cryptocurrencies as well as every aspect that involves their security. I was a speaker on those topics at some of the most important information security events in the world.

I am an ethical hacker, and no other hacker. I conduct a lot of research to know the tools that the bad guys use, but I am not a criminal. And money is not the motivator for me to do this stuff.”

Hey Alberto, thanks for agreeing to talk to me! As a former law enforcement member I can understand you might not be so keen to talk to somebody who was in the police…

Hello! Thanks for inviting me to your site! And thank you for the chance to clarify that I do not have any problem with the police or anyone working in law enforcement.

I just lost my respect for those who had shown me they are obviously not competent to perform their duties as they should do.

In particular in Uruguay, where the cybercrime police really lack the basics expected to do a competent job. To compensate for the lack of technical skills they use other ways to close investigations. And those ways are neither ethical, nor fair.

Prior to the story that I am about to tell, I always had good experiences with cops of any kind.

Even later, during my time in prison, my relationship with all the cops working there was great. They were great human beings and I am still in touch with them.

But I do have a problem with those who are not prepared to carry out their duties in a just and transparent way. Not doing their job right basically means sending somebody to prison. Somebody innocent.

How would you describe who you are, as a person, in 5 sentences or less?

After my experiences I cannot answer this question that way. I have to say who I was and who I am.

I was an upper-higher class guy who had it all in life. I had my degree, had the most beautiful girl in the world, and a job with a great salary. I had quite a one-sided vision of the world. Life was good.

Right now I am a person with PTSD under treatment. PTSD is a condition that I never thought could affect so much a life. My family is just my mom and I.

I do not have a job. But the number of offers I have received since I was released is something hard to believe. It is like my market value jumped to the moon after being in prison.

And I think that this is the rule in my profession, it is probably the only field in which this happens. After being in prison, finding a job is not easy for anyone, and finding a good job is almost impossible. I was offered dream jobs.

Right now however I am focused on learning as much as possible about legal system in Uruguay and make contacts worldwide while spreading my story at the same time.

Alberto in 2014, in his happier days

OK so let’s jump straight into your story. How did it all begin?

One Saturday afternoon, this was in late 2014, I was with my girlfriend at her house and she asked me to visit the website of her medical care provider, Circulo Catolico, to look for some information. She just told me the URL, and before she could tell me her login credentials, I started poking around on the website.

What do you mean by that?

The login page had an annoying captcha, and I started looking at the source code. I quickly discovered that all I had to do to get rid of that captcha mechanism was delete a parameter in the URL of the login form, and bingo!

The security features on the website were terrible. I discovered for instance that admin access was possible to gain by using the generic “admin” for both login and password. So not only could I get into the website, I could also obtain the administrator privileges.

This meant I theoretically could have accessed and altered patients’ health records, added new patients, delved into the company’s financial reports, and a lot more.

Email sent by Alberto Hill to the CERT in Uruguay in 2014

So what did you do then?

Within literally 5 minutes I sent an email to the Uruguayan CERT (Computer Emergency Response Team), cert@cert.uy, and reported the vulnerabilities.

In less than two hours, I got a reply saying they had verified that I was right. That was it.

I forgot about the website and its vulnerabilities, it was the company’s problem.

In 2015, so a year later, I visited that website again and decided to check it for vulnerabilities again. And guess what?

Within 15 minutes I was able to gain access to all kinds of information stored by the medical care provider. I simply modified some parameters of the URL. It was a deja vu scenario.

Again, within 5 minutes I sent another mail to the national CERT and informed them of the problem. And again, I forgot about it afterwards.

Second email sent to CERT in 2015, outlining website vulnerabilities

So one day you stumble upon a website with a vulnerability. What happened after was the beginning of a life altering sequence of events – so why the hell did you do all that? Why not just mind your own business?

Firstly, it was professional curiosity. I am a certified cybersecurity professional after all. Once I discovered the first minor flaw I decided to dig deeper because I thought about the medical information of hundreds of thousands of people. Sensitive data like that should be properly protected.

It was “responsible disclosure”, which means that if you want to help to solve a cybersecurity vulnerability, act in a way that will not make the initial problem bigger or affect the system in a more negative way.

I reported the problem correctly and responsibly. I did not take advantage of the vulnerability.

But I must admit that talking about it now, I do regret reporting the whole thing.

So in hindsight, what would you have done differently?

I would have probably walked away from everything and said nothing to anybody.

I tried to help a company that ultimately I did not know, that I had no relationship with.

I did point out security issues which could have potentially affected thousands of people.

I did all this without any incentive or prospects of a monetary reward of any kind.

I guess I was naive. I did not expect my life to be turned upside down as result of this.

Screenshot of the website's admin page with various configuration and access tabs

And how did all that happen, step by step?

In September 2017 police called to my apartment. But there was nobody there. My landlord passed on the message that the police wanted to talk to me, so the next day I went to the local police station.

I could not have imagined I was not going to return home for many months. I could not have imagined what was going to happen.

Not expecting anything bad, I walked into the local police station. The police officers there did not know what happened and did not know who I was. So I told them my details and just waited there patiently.

After some time they radioed their colleagues from the Interpol office and everything changed.

I got arrested, handcuffed, brought into the cells, told to hand over all property, remove my belt, shoes… I’m sure you know the drill.

Funny enough (or not so funny) the local cops did not tell me my rights or the reason for the arrest. I don’t think they knew themselves.

So what happened then?

I was taken to the Interpol facilities in Montevideo. The police officers asked me if I knew why I was taken there, and I said no.

So they told me the name of the health institution, Circulo Catolico and that the arrest was related to a cyber crime committed against that company.

I immediately felt a great relief, because I remembered everything I did and I knew I had helped with improving the security of that website.

Or so I thought.

I was questioned for about 2 hours and I was being honest in all my answers.

The final question was whether I had sent an email (or more than one) asking to be paid in Bitcoins for not disclosing sensitive medical records of the health institution.

That took me by surprise and of course I said I did not.

The investigation file preamble outlining the alleged offences

Correct me if I’m wrong – my understanding so far is that the police must have received a report from Circulo Catolico that somebody accessed their site, stole their data and then blackmailed them threatening to disclose their information?

Circulo Catolico reported the “hacking attack” to the police. They produced the records from their firewall and handed them over to the CERT in a printed format. Can you believe this?

Digital evidence should be preserved as it is and stored in its original format. The evidence should be retained properly, chain of custody of evidence intact, and certified by a competent person as to its integrity. None of this happened.

When you think about it, what is a printout of logs? I could be “printing out logs” right now and accusing half of the population of Uruguay of hacking!

Without preserving the original digital logs, you can’t extract any data, you can’t trace the IP address, you can’t prove anything.

I can’t see how any of this links me to this crime. But the CERT had the two emails I sent to them previously in 2014 and 2015 and I guess there were no other people who reported the website’s security flaws to them.

I am guessing, and this is so frustrating, that they decided to go for the easy win and focus on me.

What was the legal basis for your arrest and detention?

It was not anything related to any computer related offences. The main crime the police were investigating was attempted extortion. Attempted as the company did not pay any Bitcoin so the person who sent the email did not extort anything.

The penalty for extortion was minimum 4 years in prison.

There was also the lesser charge of fraudulent knowledge of secret information. That one is not punishable by prison, it’s just a fine.

Interestingly, I was not being investigated for hacking or unauthorised access to the computer system.

Why not?

It’s hard to believe this but these things at the time were not actual crimes!

Our country’s penal code did not have these offences. And it still doesn’t.

Disclosure of confidential or sensitive information, whether done by photocopying documents or accessing a computer system, is perceived by the law in the same way.

The penal code focuses heavily on disclosure or alteration of documents / information. So if I decided to hack a website today from my home IP address, the police would arrive, search the place, seize computers, even arrest me but they would not be able to charge me unless I disclosed, threatened to disclose or alter information.

At some point in time, the law in Uruguay just stopped following the developments in technology. It’s the year 2020 but sometimes it feels like the law is still stuck in the 1900s.

Tell me more about what happened during your detention.

I spent the whole day in custody. I was confused, I did not know what my situation was.

I wish I had a lawyer with me…

At one point the police told me they had records from my Internet service provider showing that the extortion email was sent from an IP address that was assigned to me when the mail was sent.

Apparently there was also one connection to the website from the IP address that was assigned to me at that moment. 

According to the paper printouts of the firewall logs supplied by the medical provider, a port scan against their website was conducted from my IP address checking if certain ports were open or not.

There was actually no detailed information so I cannot tell you more.

But there was no evidence of any login to the system, no download of information, nothing. Not even on the paper printouts.

I knew that was not possible, but that was the beginning of my worst nightmare.

To my detriment, I also owned some Bitcoin and that only made the matters worse…

END OF PART 1

Leave a Reply

Your email address will not be published.