The sad fact is that they used simple tools like BackTrack that anyone can get and learn to use. My question is why publish it? Why not make money with this information? In the new culture of hacktivists the line of legality becomes fuzzy. Are the hackers to blame, or is it the company that put out unencrypted information (of intelligence people)? We know every second there are millions of attempts on every website; INSA knows this, so who do we go after, the hacker or the company?
“When this happens to an organization which is an association made up of your brightest and most competent intelligence and national security professionals and no one is surprised, it tells you we have a cybercrime epidemic,” INSA President Ellen McCarthy told The Daily Beast Friday.
She points out that INSA is an “association made up of your brightest and most competent intelligence and national security professionals”. Does it mean that these professionals are securing INSA’s computing infrastructure or does it mean INSA’s staff had to secure it better because information on the brightest and most competent is stored in their databases just a hop away from the public Internet?
And why should anyone be surprised? Would anyone seriously think that a non-profit organization (no matter whether it is intelligence or the global fight against hunger) would hire top tech talent to protect PII that they collect from their members? Do they even have a dedicated (not necessarily senior-level) security professional on their team? How many non-profits do?
I suspect they outsourced their website and the databases containing PII of their members to NTIVA (http://www.ntiva.com/services/security.html). In this case, we should ask, was the database encrypted?
I admit to being surprised by INSA’s seemingly cavalier response. In addition to emails, phone numbers, and home addresses (in some cases), I suspect the “collection” of its member names would be significant, especially those within the Intel community. Spear phishing to follow?
Spear phishing will assuredly follow as it did following the BAH hack by Anonymous. It’s situation normal now.
I remain continually amazed that organizations of all sorts store PII and other sensitive data one hop from the public internet in unencrypted form. It just isn’t that hard to have a trigger execute on commit that migrates every new record created in a forward facing location to a more secure location. If your forward facing database is always “empty”, there’s nothing for hackers to find. Just another honeypot.
In a similar vein, I recently joined a small non-profit and was surprised to notice a number of “high value” names in the member directory along with their home addresses. When I questioned the Webmaster about adding more security (especially after the INSA breach), his response was that the site was developed with “minimal security in mind” and, in most cases, member addresses were “available online” via the white pages. His position was that he would invest in better members-only security “if we start having problems.”
I was stunned. It reminded me of Pogo, “We have met the enemy and he is us.”
Duplicate this thousands of times for every Webmaster or sysadmin who is taking the quick and easy route.
Of course I could have asked to see the security policy when I signed up, right?
You can’t come down on the webmasters. As mentioned, their job is creativity. The system admins and the IT department have the responsibility to secure things. I’m guilty: I blamed the Oracle guys, then I blamed Oracle for bad core code, but it was my job to develop the firewall, IDS and secure connection to the DB. It requires different mindsets to give a company a secure platform on which to build applications for its customers. A team has to be in place to oversee all aspects of security. If you think that anti-virus is the end-all solution then you’re in for trouble. I worked with Lotus Notes/Domino for a long time. It’s an email system with groupware applications included that can be ported to the web. So I had the mail and web to secure, and it took a solid team to secure everything. There is no one person who can do everything; as much as we like to think we can, we can’t. All we can do is hope that upper management will give us the OK to do the job right the first time. But as we fight worms, trojans and hackers, the biggest fight is getting the money from management to do it right.