SecurityFocus Columnists: High Profile, Low Security

I’ll tell you a secret. If you’re looking for a security consultant during the day and he’s not in the office, you might find him in a neighborhood coffee shop consuming large doses of caffeine, and using a laptop with wireless net access. It’s nice to people watch, catch up on the news, review technical articles and yes, even work, while enjoying that magic elixir (coffee) thanks to the wonders of WiFi. I find it a great way to take a break.

You can imagine my disappointment early last week when I swung by one of my favorite haunts, grabbed a latte, opened up a terminal and watched my SSH attempt fail. Shoot — their Internet connection must be down. I quickly fired up tcpdump and was surprised to see the screen light up with packets flowing back and forth. That’s odd, I thought, so I opened a browser. But instead of my usual homepage I was greeted with a stern, legal warning. My wireless coffee shop was now all grown up.

Matthew Tanase goes on to compare the new, expensive security measures that had been put in place to protect his coffee shop’s Internet access and its customers to the recent ChoicePoint and Bank of America data loss fiascos. He has some excellent insight into this and makes correlations that I myself made immediately and have been making publicly about security and privacy for quite a while now.

His closing paragraph speaks volumes:

Both companies above have an obligation to protect our information while it is in their possession, but too many seem to be failing. What will it take for them to resolve their security issues? Drops in revenue, class action lawsuits or congressional regulation? Security, both for a company and its customers, is a necessity and a selling point in today’s economy. We see normal people taking this into account every day. I have neighbors calling me about spyware protection, relatives recognizing what SSL-enabled web sites are, clients requesting more security layers, and friends shredding their private mail. Why then is it so hard for the big companies to take security seriously? When will these companies “get it?”

This is a must read article. I have been searching for a way to get my point across and express my concerns about this matter, and lo and behold, Matthew Tanase did it for me!

Excellent article! Thanks Matthew Tanase!

When I see family, friends and clients wanting to do all they can to protect themselves from things like this, I totally agree with Matthew Tanase. When will they finally take some of the huge profits and put them to good use in securing our identification information? As Matthew Tanase mentioned in the article, even if we have simply made a purchase online, we are in ChoicePoint’s database. How are we supposed to feel good about that? And knowing that the only reason we found out about it is a California law is most disturbing! How much of this goes on unreported? How safe is our data?

And now they are talking about using RFID tags with personally identifiable information for identification and certain types of purchases? Where will all this lead? These may be really cool technologies, but this is not looking good. For anyone. And the frequency with which this is happening (at least that we actually know about) is alarming.

I keep going back to a statement I read many times over the last year or two: “Repeat after me: Mission critical systems should be on isolated networks that are not connected to the Internet.” This information is mission critical to individuals! This information is their reputation, their credit, keys to their very identities that are at stake!

And as I mentioned in the February 19th archive here on my blog about the ChoicePoint incident: It boggles the mind. Were they so worried about protecting the actual database file(s) from computer attack that they forgot all about Social Engineering!?!

Privacy and the securing of individuals’ information is a wide-ranging and extremely important thing. Over the last week alone, I have read multiple articles all over the Internet about the impact to individuals in terms of financial loss, loss of peace of mind, anxiety, loss of hundreds of hours of unrecoverable man-hours to change credit and bank information, or at the very least feeling an overwhelming need to watch their credit and bank information like a hawk for the rest of their lives. One person stated it felt like a violation.

NOTE: Originally posted: March 2005 (recreated from mangled original)
