
Stupid security mistakes: Things you missed while doing the hard stuff

By Josh Fruhlinger, ITworld.com
June 07, 2012 05:10 PM ET

ITworld.com - If you're worried about high-tech hackers using advanced and sinister techniques to break through your fancy firewalls -- well, that's not outside the realm of possibility. By all means, spend money on firewalls! But you might also want to keep in mind some distinctly low-tech security problems that are not particularly sophisticated -- in fact, some might call them distinctly dumb -- that nevertheless mean bad things for the companies or people who suffer them.



We live in an increasingly virtual world, where our crucial data lives on the cloud and we live in fear of electronic intrusions into our particular fiefdom in cyberspace. But it does pay to remember that all of that data does, ultimately, reside on metal-and-plastic computers that do occupy real space in the physical universe. These computers can be touched, picked up, and carried away, and that's bad news. For instance, NASA has suffered a number of recent cybersecurity scandals, among them the fact that 48 of the agency's laptops and phones were just straight-up stolen.

The one thing that makes stealing stuff tricky is that it requires real physical access to that stuff. But getting physical access to things is easier than you'd think. One security researcher demonstrated that it's surprisingly easy to get into restricted areas with nothing more than attitude (e.g., imperiously waving a badge at security guards, even if it's not a badge that grants access to wherever you're going) and a moderate amount of stealth (e.g., slipping in through exit doors). Oh, did we mention that these techniques worked at an RSA Security conference? It's probably even easier in your building.

But when your tech goes missing, don't forget the old adage that you should never attribute to malice what can be explained by good old-fashioned incompetence. For instance, maybe those computers weren't stolen by dastardly cat burglars bent on sabotage; maybe someone who was in charge of them just lost them. This didn't happen so much when everybody had a large desktop computer that was hard to lug around, but the convenience of laptops and smartphones also makes them convenient to lose. One survey of small businesses found that 35% had an employee who lost a device with business data on it. And if a survey of USB sticks found on Sydney commuter trains is any indication, almost none of those devices were encrypted in any way.

The media world in late 2011 was roiled by the spectacle of the News Corp. phone hacking scandal, in which it came out that multiple newspapers in Rupert Murdoch's British media empire broke into the voicemails of celebrities and crime victims in order to get media scoops and sometimes engage in a little light blackmail. Less well publicized was the method used to achieve this seemingly high-tech coup: investigators who had the target's contact info simply called the number the target's mobile phone provider set up for retrieving voicemail remotely, then entered a few guesses at what the victim's PIN might be. Many of those PINs were easy to guess -- in fact, many were simply the default that came with the account.
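The voicemail break-ins above succeeded because two controls were missing: accounts kept a provider default PIN, and the remote-retrieval line let a caller keep guessing. The following Python module is an added example, not code from the article or from any phone provider, that models both controls: a set-up-time policy that rejects default and trivially guessable PINs, and a mailbox that locks itself after a small number of failed attempts. The default-PIN list, the PIN length, the attempt threshold and the lockout duration are constructed values chosen for illustration, not any carrier's real settings.

```python
"""Voicemail PIN policy and failed-attempt lockout (added, illustrative example)."""
import hashlib
import hmac
import os
import time
from typing import Callable, List

# Constructed example values; a real deployment would take these from the
# provider's provisioning system. They are assumptions, not real carrier data.
KNOWN_DEFAULT_PINS = {"0000", "1234", "1111"}
MIN_PIN_LENGTH = 6
MAX_FAILED_ATTEMPTS = 3
LOCKOUT_SECONDS = 15 * 60


def pin_policy_violations(pin: str) -> List[str]:
    """Return every reason a candidate PIN is unacceptable (empty list means OK)."""
    problems = []
    if not pin.isdigit():
        problems.append("non-digit characters")
    if len(pin) < MIN_PIN_LENGTH:
        problems.append(f"shorter than {MIN_PIN_LENGTH} digits")
    if pin in KNOWN_DEFAULT_PINS:
        problems.append("provider default PIN")
    if len(set(pin)) == 1:
        problems.append("all digits identical")
    if pin.isdigit() and len(pin) >= 2:
        # Strictly ascending or descending runs such as 123456 / 654321.
        deltas = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
        if deltas in ({1}, {-1}):
            problems.append("sequential digits")
    return problems


class Mailbox:
    """One voicemail account: salted slow hash of the PIN plus a lockout counter."""

    def __init__(self, pin: str, clock: Callable[[], float] = time.monotonic):
        violations = pin_policy_violations(pin)
        if violations:
            # Refuse to provision an account that keeps a weak or default PIN.
            raise ValueError("weak PIN: " + ", ".join(violations))
        self._salt = os.urandom(16)
        self._digest = self._hash(pin)
        self._clock = clock
        self._failures = 0
        self._locked_until = 0.0

    def _hash(self, pin: str) -> bytes:
        # Never store the PIN itself; PBKDF2 slows offline guessing of a leaked table.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def is_locked(self) -> bool:
        return self._clock() < self._locked_until

    def authenticate(self, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked'; lock after MAX_FAILED_ATTEMPTS misses."""
        if self.is_locked():
            return "locked"
        if hmac.compare_digest(self._hash(pin), self._digest):
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._failures >= MAX_FAILED_ATTEMPTS:
            self._locked_until = self._clock() + LOCKOUT_SECONDS
            self._failures = 0
        return "denied"


def demo() -> dict:
    """Show a policy-compliant mailbox absorbing a run of default-PIN guesses."""
    now = [0.0]                      # fake clock so the lockout can be fast-forwarded
    box = Mailbox("482913", clock=lambda: now[0])
    # Three wrong guesses trip the lockout; even the correct PIN is then refused.
    during = [box.authenticate(p) for p in ("1234", "0000", "1111", "482913")]
    now[0] += LOCKOUT_SECONDS + 1    # wait out the lockout window
    after = box.authenticate("482913")
    return {"during_guessing": during, "after_lockout": after}


if __name__ == "__main__":
    print(pin_policy_violations("1234"))
    print(demo())
```

The policy check runs when the PIN is set, so an account can never be left on the provider default, and the lockout caps how many guesses the remote-retrieval line will accept before the legitimate owner has to unlock the mailbox through another channel. The fake clock in `demo()` exists only so the lockout window can be fast-forwarded in a test; production code would use `time.monotonic` as the default.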
