Monday, May 30, 2005

On insecurity

There's a fascinating article in Wired, on the recent e-burglary.

Last March, LexisNexis revealed that intruders gained access to a database belonging to one of its subsidiaries and obtained the personal data of as many as 310,000 people through numerous name searches. The breach occurred at Seisint, a Florida-based company that LexisNexis bought last year, which maintains databases for law enforcement, legal professionals and others through a service called Accurint.

[...] A friend of Krazed [the hacker] masqueraded as a 14-year-old girl online and engaged a Florida police officer in a chat session, the hackers said. The friend sent the officer an attachment, which he said was a slideshow containing naked pictures of the girl he was pretending to be. When the officer clicked on it, a Trojan horse downloaded silently to his computer, which gave Krazed complete access to the computer's files.


How many things are wrong with this picture? Let's skip over the child porn allegations (which may be nothing more than a clever diversionary tactic) and stick to the security issue. It gets worse:

In the meantime, a 19-year-old hacker ... searched for other active Accurint accounts using a Java script. He found an account named Null, which he later learned belonged to a Texas police department... Posing as a LexisNexis tech administrator, he called Seisint under the guise of running diagnostic tests on the Null account and convinced someone at Seisint to reset the account's password to "Null." Then he used the account to create new accounts under the auspices of the police department.

Fact: the new superduper multilinked know-everything-about-everyone complex of databases that the White House wants will be just as fallible and easy to compromise as LexisNexis' systems were, because it will be staffed by the same people: undertrained, underpaid, unrespected employment agency temps. It doesn't matter how good the database security is if a gullible fool is answering the phone. Properly trained people, intelligent enough to hear an alarm bell when a stranger offers them candy, will not work for peanuts; and even in these days of homeland security everybody wants things done cheaply.

2 Comments:

Blogger Udge said...

1) Don't shoot the messenger.

2) It's not yet too late to stop this project, or at least to ensure that our so-called leaders understand that security is not only a software issue.

3) Cows are hard work. My farming relatives in Saskatchewan have (all but one last romantic) switched to grain.

May 31, 2005 at 9:09:00 a.m. GMT+2  
Blogger SavtaDotty said...

A chain is only as strong as its weakest link. Currently, it's not the guys answering the phone: it's the guys at the top!

May 31, 2005 at 2:24:00 p.m. GMT+2  
