If You Don't Want Your Data on Wikileaks Try Better Security

November 29, 2010

In all the hubbub about thousands of secret US "cable" traffic being available on Wikileaks, almost no one commented on what I find amusing: how did one guy manage to collect the entire secure embassy email database?

Supposedly each email is encrypted by hardware keys during transit but obviously at some point they were collected into a single system with relatively crappy security. That anyone had unaudited access to the entire database and was able to download everything at once was a pretty astonishing lack of understanding.

The healthcare claims processing company I worked for kept its production database and server usernames/passwords in a text file available to half the company, and had no auditing process (which of course wouldn't be very useful without individual usernames). When I asked the CTO he said "we trust our employees". The data in those systems where considered PHI, covered by HIPAA rules which clearly state how the data is to be protected, something not remotely covered by open usernames/passwords that everyone knew. Not exactly government secrets, but still covered by Federal law.

The whole point of securing access to something you don't want everyone to see has to be a continuous process. You can't just worry about in-transit data and then leave it wide open inside your organization. The old slogan "the chain is only as strong as its weakest link" applies. I've seen in way too many places that I've worked claims of security only to discover what a joke it was.

The TSA concept of security (only protect the front door from passengers) is of course equally laughable, since the likelihood of anyone going through their security is terribly low. It's the equivalent of being anal about web security and ignoring the database.

One place I worked wouldn't allow an automated process to copy updated web files to the public server and instead required one of the operations staff to copy the files one by one by hand every morning (but without viewing them). Their fear was the someone would put porn in the updated files and embarrass the company. Meanwhile an application went out that revealed customer financial information to other customers simply because the company wouldn't pay for a proper testing environment that would have revealed the problem instantly.

Hackers and terrorists and thieves may be clever and find ways around great security but that is simply not as common as ordinary people taking advantage of stupid or missing security. Even worse is companies "saving money" by not having a comprehensive security plan developed by people who have experience, then testing the plans as much as possible. Security isn't cheap but in the long run it's far cheaper than having your dirty linen flapping in the breeze for all to see.