First, the Belgian computer crime law is pretty clear: if someone does not have permission to attack your computer or your network, then it is illegal. Even for security researchers and reporters like me it is extremely difficult to do much more than google or use external sources and copy them. The moment we would test the real possibilities of getting at the data, it becomes possible for the subject of our article to attack us. The fact that they wouldn't hesitate for one moment to do so makes it extremely difficult, and it has resulted over the last ten years in sometimes very difficult and extremely stressful situations for me and some other security bloggers. In the end we could head off the complaints and investigations, but the very vague terms of the Belgian computer crime law make it the most efficient censor after all. I know that some security tests in Brussels against public wifi installations were abandoned because - contrary to the situation in other European countries - the legal hurdles were so great that it wasn't worth it. Because in the end it all depends on the judge's interpretation of your intent, and there is no way you can foresee how any judge would react, even if you think that on paper you have done everything possible to prove that all your intentions were good.
This is also the reason why we need a 'responsible disclosure policy', for which normally the CERT would have to be responsible, but for the moment I don't think they are doing anything. It would change a lot of things. It would, for example, make it easier to disclose to the people responsible for security the things they have to fix, and if they don't answer or take much too long, then you have the right to disclose it to the public - putting pressure on the security people to respond and act on the problems. We don't even want any money for it (for now) - just the possibility to pass on this kind of information and to be sure that it would be handled would already be a great improvement.
So the hacker on TV was acting illegally, and the journalist was acting illegally because he was an accomplice, and the fact that it was on TV shouldn't make it legal. Every time a journalist decides to get a hacker and tries to hack something, would that make it legal and all right? This is not journalism. A journalist can't try to rob a bank just to see if it is possible. He would be arrested and prosecuted. Well, this is the same. Maybe it is time for the Organisation of Journalists to have guidelines about this, because this isn't the first and won't be the last incident.
But any one of the 26.000 victims whose personal information was downloaded, the hospital and its IT firms, or any other victim can go to the FCCU and file a complaint, because someone who wasn't authorized entered the IT system, got access to their files and received them on a computer that wasn't authorized to have them.
And maybe someone ought to do this; it would make it mandatory for the big news organisations and for the organisations of journalists to have guidelines, and for the hospitals and those responsible for IT security to get their act together.
The action of the TV programme makers was also stupid, stupid, stupid.
Stupid because how can you really guarantee that by this hacking or penetration nothing was changed that made the installation at the hospital or the other installations more vulnerable, that the hacker didn't create other backdoors, that there isn't a copy of the data somewhere and that all the data has been destroyed? The only way to be sure is that the hacking is done on a special computer and that the transport of the data is under full control. The other thing is that this is in fact a penetration test - only in a penetration test you don't really download 26.000 datasets over the network to prove your case: the moment you can show that you have access to the data and that from the whole database you can download one test set of dummy data that has the same rights as the other data, that is proof enough of success. It is also for this reason that penetration tests are always done in the presence of the security and network people of the infrastructure that will be tested, because you are never sure that something unforeseen won't happen or won't have unforeseen consequences. In that case the people at the other end who are watching the network and the security installation (and see the penetration happen but won't intervene) will be able to contact the penetration tester and the security people if there are such problems or when it is interfering with other situations. It also makes it possible to intervene if one sees that at the same time another hacker is penetrating or trying to penetrate the network with the same methods (which weren't monitored before). In that case the test is called off and the operation changes into a discovery and cleanup operation, because you have a real incident and possibly a real hack. Once the systems have been re-secured afterwards, you can do a new test - even if this one should be harder.
So no, I don't think those conditions were met, and so I think there are multiple risks with this operation.
Another question I have in mind is whether the security people at the VRT were informed and whether they were consulted for advice, because if this test does not follow the standards and the VRT is held responsible and brought before the courts, then this is another of the questions that will be asked. As a good journalist and as a 'good housefather' (the legal standard of reasonable care), have you taken advice from different people with different perspectives, to be sure that enough care and time has been given to the different operational aspects of this investigation?
And if the security people of the VRT didn't give the advice described above when they were contacted, then the VRT has a problem .....
But it shows once again that IT security in Belgium is built upon fear of a very vague law, a very powerful and competent FCCU, and investigations that make a headline and then disappear completely. Everybody thinks that our medical data and ehealth networks are safe because we suppose that this is the case, and we suppose that this is the case because we suppose that there is enough money, enough IT security people, enough external controls and enough guidelines and laws to make it secure.
It is another proof that this is NOT the case (and now I will hear all the ehealth defenders and business interests say that this is the new world, that this makes it more efficient, that they are doing everything that is possible, that I am paranoid and so on.... (hurting Belgian industry interests and jobs is another one)).
But I know three things:
* medical data is for the moment the most valuable data on the black market (and a real business in the US, where certain firms buy or consult it without leaving any fingerprints in the official explanations (for example of why you don't get insurance))
* medical installations are as buggy and as full of security leaks as any other new technology or hardware, because nobody worries about security in the beginning; that always comes much later
* I only believe what I see, and the e-health process is not transparent and there are not enough external controls and audits (and if there were, they surely didn't go to this place)
We already mentioned to the privacy commission that there are websites with a logon for doctors and pharmacies that were hacked or hackable, and we have found some Belgian medical information online and passed it on to the CERT and the FCCU (this was a file from a blood transfusion center).
Because of the law on computer crime we didn't test anything and didn't go any further, and we wouldn't advise you to do so either (because you aren't protected by a camera) - even if this leaves our medical data and infrastructure vulnerable because there are not enough mandatory independent audits and tests.