So, TorrentFreak is reporting a massive security lapse on the part of MediaDefender, a company that makes its money running interference on internet-based copyright infringement. In addition to exposing what probably qualify as trade secrets, quite a lot of sensitive personal data was also exposed (social security numbers and the like).
Executives, take note: this is why you cannot ignore the security policies written by your IT guys.
The helpful commenters over on Slashdot suggest that the story unfolds something like this:
One: Executive forwards all of his email from MediaDefender's secure email system to his gmail account. If this was not against company policy, it should have been. Furthermore, some of these emails included usernames and passwords as well as social security numbers. Passwords should be emailed under very limited circumstances and always changed immediately thereafter; social security numbers should never be emailed.
Two: Said executive decides for some reason to create an account on a torrent tracker dealing in copyrighted works. He registers with his gmail account and uses the same password for both his gmail and torrent accounts. This is why you do not use the same password for every account! Because...
Three: Administrators at this torrent tracker recognize the MediaDefender IP address. They use the password said executive so graciously handed to them and leak some 700MB of sensitive information to the web. Thus, all the security that their IT department built into their technology--likely at some expense--was handily circumvented by one person's failure to comply.
Now, there are some pretty malicious people out there who have unfettered access to the phone numbers, addresses, social security numbers, and salary information of the MediaDefender crew. The leak is all over the internet; this is not something you can fix with a cease-and-desist letter or two. If they figure out who misappropriated the data, MediaDefender might be able to haul him to trial, but the chances of finding that person are slender, and the chances of that person being American, slim-to-none.
Once upon a time, sending in the lawyers might have been effective damage control. But these days, while lawyers might get you some compensation, they'll never fix your data leak; information moves too quickly. Some say that information wants to be free; maybe that's true, but at the very least, the more you threaten people with legal action, the more publicity you will garner and the more widespread your once-secret information will become. This is the grand paradox of the Information Age.
Which is why an ounce of prevention is worth well over a pound of cure. Sending lawyers to negotiate settlements with rivals in the industry might actually save a company damaged in this way, but in this case, the damage was probably done by insolvent 20-year-olds, or 15-year-olds for that matter. Because it exposes as true a lot of stuff they and their clients have been denying for some time (including Wikipedia abuse), this leak will almost certainly hurt MediaDefender's business model; at worst, it could put them out of business. Which for some (like the proprietors of such fixtures as PirateBay, the famed Swedish filesharing site) would be a welcome change in the landscape, but the families of MediaDefender's employees would probably not agree.
(Cue Randal and Dante.)
At any rate, business professionals take note. In the 21st Century, your IT guys may be low-paid grunts compared to the MBAs and JDs raking in six- and seven-figure salaries at the top of your organization. But when it comes to technology, they know what they are doing, and (odds are) you don't. Recognize your limitations and let them help you! That's what you pay them for. You don't want to be responsible for this kind of breach because you overestimated your understanding. This is the kind of thing that costs people their livelihoods--including people who might not have a yacht to sell if they come up short next month.
So please, take information security seriously.
Comments
I feel a sizable part of the
I feel a sizable part of the blame probably lies within the IT department. If you're going to take your role as an advisor seriously, you need to work to convince your corporate masters that you're worth listening to. If you just draft up a policy and occasionally burn a peon for playing solitaire on his lunch break, you should fully expect a breach of this magnitude to occur. It's their job on the line - the senior management of a given firm are probably financially sound, and while there will be a level of structural unemployment if the company goes under, most of the "worker bees" will be able to find new jobs. Try getting a job in IT after working for a company that went under because of a massive data leak.
You're Right, To A Point
I think your reasoning is sound, but practical experience with some big executive names in IT has given me a slightly different perspective. "Working to convince your corporate masters" can be an exercise not only in futility but in placing your job on the line. In my only IT management job, I controlled four, and later five positions. In the one year I worked that job, those slots were filled by eight different people. Two were promoted to the data center. One was fired while I was on vacation; when I got back and heard the whole story, it boiled down to: he had irritated the Big Boss.
Now, the guy who got fired was one of my best workers--and the day after saying "get out of here," the Big Boss asked two of my three bosses if he'd "made a mistake." Not wanting to suffer the same fate as their grunt, both assured the Big Boss that he was right. The truth is, very few people ever told the Big Boss that he was wrong, because that was a good way to lose your job.
I did have one occasion to politely inform the Big Boss that, no matter what he thought he knew about the situation, if he could not be patient for another ten minutes, the problem I was in his office to fix would simply return the next day. He did not fire me, but I assure you that I hesitated to try to convince him of my worth, because I might well pay with my job.
So I guess what I'm saying is that you're working from the premise that one's "corporate masters" are in any way reasonable. I don't think it would be a stretch to say that some such executives are indeed quite reasonable, but while I haven't got any hard data for you, my personal experience has been that nine out of ten executive-level businessmen will reflexively treat their subordinates with condescension and contempt.
...okay, as I stop and count the executives I've worked for, maybe it's only eight out of ten, but the point remains. d^_^b Which is not to suggest that none of their subordinates have acted to merit such treatment, but I've yet to meet the IT peon who could convince an executive who did not want to be convinced.
In the Interest of Fairness
I will admit I have a skill set at my disposal not typically found in IT professionals. I'm *very* good at getting people to do what I want, and I put that to good use when I was press-ganged into being the IT manager at the intel school. If you don't have any sort of social engineering skill, you're going to be less than effective in *any* position with an advisory component.
Well Said
I will admit, however, to having a chuckle over someone of your former profession typing the words, "I'm *very* good at getting people to do what I want." As I recall, that's precisely the skill Uncle Sam employed you to hone. d^_^b
The torrent tracker didn't
The torrent tracker didn't use the login's password. The executive leaked it, they made a torrent. Do you know how BitTorrent works? The tracker or the admins running the tracker have nothing to do with "the files that users transmit over their servers."
Some Question of Evidence
The question being asked at the time I posted this blog was how the leak occurred. It was stated in the .NFO that came with the torrent that the executive only "leaked" things to his gmail account (violating his company's IT policies). The release group still had to gain access to that gmail account to complete the leak. Speculation was that a private tracker had obtained the password to the gmail account when the executive used the same password to create an account on that tracker's website.
None of this has anything to do with "how BitTorrent works," except that private trackers are often password protected. BitTorrent was just the way this information ultimately got disseminated.