February 16, 2007

Trust is *not* security

“February 12, 2007 (Computerworld) -- In Lancaster, Pa., last week, the county coroner was brought to court in handcuffs. A grand jury indicted Dr. Gary Kirchner, charging him with giving out his account name and password for a county Web site that contained confidential police 911 information. What kind of information? Names of accident victims and police informants, medical conditions, witness accounts, autopsy reports and not-yet-substantiated accusations. The site was the access point for real-time data generated and used by firefighters, ambulance crews and other emergency responders.

And who did the coroner allegedly give his password to? Newspaper reporters. Now there’s a trusting user.”
The entire article can be found here: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=282376&source=NLT_SEC&nlid=38

- Clearly this guy should not have been giving out his login credentials to anyone (much less a member of the media, jeez).

- Where were the auditing procedures and detection? "...an IT staffer checked Web site logs and discovered that the site was accessed more than 50 times in two weeks from computers at a newspaper office". OK, logging was working, but if no one reviews the logs regularly, or no alerts go out for suspicious activity, the logs provide far less value as a detective control (they did provide good forensic value once people realized there was a problem).

- Thankfully "a reporter from a competing newspaper called the county to find out why he didn’t have access". Just think if this reporter hadn't called: the security breach would still be going on.
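The second point above is the one a practitioner can actually build on. The county had the logs; what it lacked was a routine check that turns "50 hits in two weeks from a newspaper office" into an alert before an outsider has to phone in. The following is an added example (not code from the article or from the county) of the kind of review that would have caught this pattern: it parses access-log lines in the common NCSA format with the authenticated user in the third field, counts successful requests per account from outside an assumed trusted address range, and also flags any account used from more than a couple of distinct networks. The trusted range, the thresholds, the account names and the log lines are all constructed for the illustration.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed log format: NCSA common log format with the authenticated user as
# the third field, e.g.  1.2.3.4 - alice [10/Feb/2007:08:15:02 -0500] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)

# Assumed: the county's own address space. Anything else counts as external.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    """True if the client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def source_net(ip):
    """Collapse a client address to its /24 so one office counts as one source."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def find_shared_accounts(lines, max_external_hits=5, max_distinct_nets=2):
    """Return {user: finding} for accounts whose access pattern suggests the
    credentials are being used by more than one party.

    Flags an account when successful requests from outside TRUSTED_NETS exceed
    max_external_hits, or when it is used from more than max_distinct_nets
    distinct /24 networks. Both thresholds are assumptions for the sample.
    """
    stats = defaultdict(lambda: {"external_hits": 0, "networks": set(),
                                 "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        # Skip unparseable lines, anonymous requests and requests that failed.
        if rec is None or rec["user"] == "-" or not 200 <= rec["status"] < 400:
            continue
        s = stats[rec["user"]]
        s["networks"].add(source_net(rec["ip"]))
        if not is_trusted(rec["ip"]):
            s["external_hits"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])

    findings = {}
    for user, s in stats.items():
        reasons = []
        if s["external_hits"] > max_external_hits:
            reasons.append(f"{s['external_hits']} successful requests from outside trusted networks")
        if len(s["networks"]) > max_distinct_nets:
            reasons.append(f"used from {len(s['networks'])} distinct /24 networks")
        if reasons:
            findings[user] = {"external_hits": s["external_hits"],
                              "networks": sorted(s["networks"]),
                              "first": s["first"].isoformat(),
                              "last": s["last"].isoformat(),
                              "reasons": reasons}
    return findings


# Constructed sample log. 198.51.100.0/24 and 203.0.113.0/24 are documentation
# ranges standing in for addresses outside the county network.
SAMPLE_LOG = """\
10.20.5.17 - coroner [10/Feb/2007:08:15:02 -0500] "GET /incidents/today HTTP/1.1" 200 5120
198.51.100.23 - coroner [10/Feb/2007:09:02:11 -0500] "GET /incidents/today HTTP/1.1" 200 5120
198.51.100.23 - coroner [10/Feb/2007:11:40:37 -0500] "GET /incidents/4471 HTTP/1.1" 200 2210
10.20.7.3 - dispatch1 [10/Feb/2007:12:01:55 -0500] "GET /incidents/today HTTP/1.1" 200 5120
198.51.100.41 - coroner [11/Feb/2007:07:58:20 -0500] "GET /incidents/today HTTP/1.1" 200 5120
198.51.100.23 - coroner [11/Feb/2007:13:22:09 -0500] "GET /autopsy/4471 HTTP/1.1" 200 8801
10.20.7.3 - dispatch1 [11/Feb/2007:14:05:00 -0500] "GET /incidents/4472 HTTP/1.1" 200 2104
198.51.100.23 - coroner [12/Feb/2007:06:45:48 -0500] "GET /incidents/today HTTP/1.1" 200 5120
203.0.113.9 - coroner [12/Feb/2007:20:10:31 -0500] "GET /incidents/today HTTP/1.1" 200 5120
198.51.100.41 - coroner [13/Feb/2007:08:00:14 -0500] "GET /incidents/today HTTP/1.1" 200 5120
10.20.5.17 - coroner [13/Feb/2007:09:30:00 -0500] "GET /incidents/4473 HTTP/1.1" 200 1980
10.20.7.3 - dispatch1 [13/Feb/2007:10:12:45 -0500] "GET /incidents/today HTTP/1.1" 401 0
198.51.100.23 - coroner [14/Feb/2007:07:12:58 -0500] "GET /incidents/today HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for user, f in find_shared_accounts(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {'; '.join(f['reasons'])} ({f['first']} .. {f['last']})")
```

Run against the sample, the `coroner` account is reported on both counts (eight successful requests from outside the trusted range, use from three distinct networks) while `dispatch1`, used only from inside the county, is not. The point is not the particular thresholds but that a check like this runs on a schedule and produces a notification; a log that is only read after a competitor phones in is evidence, not detection.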

This article again proves that the human element is typically the weakest link when it comes to computer security. I’m betting they are going to make an example of this guy…
