This past week has yielded a veritable treasure trove of head-shaking security stories, all related to my favorite security soft spot – people. The shimmer from our technological advances blinds us from the damage people can do – and we remain so easily fooled:
- Wired reported that Albert Gonzalez, the record-setting hacker of Heartland Payment Systems, TJX and a range of other companies said the Secret Service (SS) asked him to do it. The government admitted using Gonzalez to gather intelligence and help them seek out international cyber criminals but says they didn’t ask him to commit any crimes. Uh, yeah… ok.
- Storefront Backtalk and others reported on a Gucci engineer who was fired for "abusing his employee discount," but then really got even (and then some) by creating a fictitious employee account (with admin rights!) and then using that account to delete a series of virtual servers, shut down a storage area network (SAN), and delete a bunch of corporate mailboxes… allegedly.
- TechAmerica wrote about HP suing a former executive who took a job at Oracle. Apparently, he downloaded and stole hundreds of files and thousands of emails containing trade secrets before quitting.
You might ask, “How can a company so advanced and large as HP not have protections on their digital trade secrets?” It’s not like DLP (data leak prevention) solutions don’t exist. And how about Gucci? I guess this is a double whammy around policy and people, who are so often intertwined. There isn’t a policy flag or checkpoint in place to verify that this newly-created employee was authorized with such privileges that he could delete entire virtual servers and mailboxes? Nobody bothered to check that this was a legitimate employee? Worst of all, this non-existent employee’s accounts were created by a fired network engineer! And then there’s Mr. Gonzalez (hacking community) and the SS (intel community) – which group do you trust less to be honest with the public? Both communities have for a long time engaged ethnically-questionable people to do their bidding. If it’s true that the SS hired him to hack, shame on him for not getting protection for himself in advance. You have to wonder what else he hacked into to merit an actual arrest.
And here we are in 2011, putting our lives on display with Facebook, Twitter, LinkedIn, Yammer, et al, broadcasting our whereabouts on vacation (or more specifically, that we’re not home for an extended period,) meeting up with strangers who have similar tastes, and making our personal details and history available for anyone to view. It’s not always technology that will get us into security trouble… it’s the people.