To commence with this article, I would like to make it clear that I am not grumpy by intention. My current mood is attributable to what is, at times, a failing of the Security Profession, and more particularly of some of those who are associated with it in their various capacities and guises. Please allow me to elaborate.
To set the scene, I wish to take you back to a Gartner event I attended in Paris some years ago. On day one I was approached by their staff, who asked me whether I was interested in the [then] hot topic of WiFi Security. I responded yes, and was booked in with one of their subject matter experts for day two of the conference.

Now, like all good productive professionals, when I arrived back at my room I decided to get the usual email catch-up out of the way, so I paid up my Euros for the required lease cost of WiFi access and started to go through my pile of mails. However, my spurt of productivity was cut short when my WiFi dropped. Not a problem, I thought, and simply logged back in. But the system was telling me, in a 'computer-says-no' mood, that this was not possible, as my credentials were already logged in! After a few more attempts, reboots and cursing, nothing, so the next step was to call Hotel Support, which resulted in next to zero help.

So I turned to the dark art of engineering. Firing up what was then Ethereal [now Wireshark], I set about sniffing, poking, prodding and mapping [Footprinting] to find my way back to productivity, and soon found a way in to use the WiFi time I had paid for, though I do admit by illegitimate and somewhat nefarious means. Having accomplished this, I was now raring to go, but then I noticed I could see much more than I had previously been able to view: a longer list of systems and assets was displaying its interesting names. It was at this stage that I noticed something which was very much of interest, and which I had anticipated would be secure. It was a vendor server associated with the event, and to my astonishment it was insecure, and was giving up the names of the registered delegates attending the Gartner event. It was at this stage that my inbuilt ethics kicked in; I took a logical step backwards, logged off, and left all as it was.
The next day I did, however, pass my find on to the concerned party, but needless to say I never bothered attending the meeting with the subject matter experts, as by this time I saw very little point.
But then, against the backdrop of that past Gartner event, I was astounded this last week to read about an RSA application that was again supporting unacceptable levels of insecurity, all in the name of yet another security event. On this occasion the guilty party was the RSA Conference in San Francisco. Here, as with the Gartner event, we see a modicum of history repeating itself: a smartphone app dedicated solely to the RSA security conference left many people potentially exposed after researchers uncovered two vulnerabilities in the app. One of the discoveries was reported to disclose the name, surname, title, employer and nationality of people who had installed the app [credit to Gunter Ollmann, a researcher at security firm IOActive]; for reasons known only to the developers, that information was stored in an SQLite database file bundled with the app itself!
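The point worth taking from the RSA case is that a database shipped inside an app package is readable by anyone who can download the installer, so the first check a reviewer makes on any bundled `.db` file is simply to open it and see what it holds. As an added example, not code from the original article, from the RSA app's developers, or from IOActive, the Python below builds a constructed sample SQLite file standing in for such a bundled database, then opens it read-only and reports, per table, the row count and any columns whose names suggest personal data. It generalises the RSA case to any bundled database; the column-name hints in `PII_HINTS`, the table layout and the two sample delegates are assumptions made for illustration.

```python
import os
import sqlite3
import tempfile

# Column-name fragments that suggest personal data. An assumed heuristic
# list for this example, not a standard of any kind.
PII_HINTS = ("name", "surname", "title", "employer", "nationality",
             "email", "phone", "passport", "address")


def build_sample_db(path):
    """Create a constructed sample database that mimics an app-bundled
    registrant list. Tables and rows are invented for this example."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE delegates ("
        "id INTEGER PRIMARY KEY, first_name TEXT, surname TEXT, "
        "title TEXT, employer TEXT, nationality TEXT)"
    )
    conn.executemany(
        "INSERT INTO delegates (first_name, surname, title, employer, nationality) "
        "VALUES (?, ?, ?, ?, ?)",
        [
            ("Alice", "Example", "CISO", "Example Corp", "GB"),
            ("Bob", "Sample", "Analyst", "Sample Ltd", "US"),
        ],
    )
    # A harmless table, so the audit shows it can tell the two apart.
    conn.execute("CREATE TABLE sessions (id INTEGER PRIMARY KEY, track TEXT, room TEXT)")
    conn.execute("INSERT INTO sessions (track, room) VALUES ('Crypto', 'Hall A')")
    conn.commit()
    conn.close()


def quote_ident(name):
    """Double-quote an SQL identifier taken from sqlite_master so an odd
    table name cannot break the PRAGMA/COUNT statements below."""
    return '"' + name.replace('"', '""') + '"'


def audit_sqlite(path):
    """Open the file read-only and report, per user table, the row count
    and every column whose name matches one of the PII hints."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    findings = {}
    tables = [
        row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
        )
    ]
    for table in tables:
        ident = quote_ident(table)
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt, pk).
        columns = [row[1] for row in conn.execute(f"PRAGMA table_info({ident})")]
        rows = conn.execute(f"SELECT COUNT(*) FROM {ident}").fetchone()[0]
        flagged = [c for c in columns
                   if any(hint in c.lower() for hint in PII_HINTS)]
        findings[table] = {"rows": rows, "pii_columns": flagged}
    conn.close()
    return findings


def demo():
    """Build the sample file in a temporary directory, audit it, clean up,
    and return the findings so they can be inspected or tested."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "registrants.db")
    try:
        build_sample_db(path)
        return audit_sqlite(path)
    finally:
        if os.path.exists(path):
            os.remove(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    for table, info in demo().items():
        status = "EXPOSES PII" if info["pii_columns"] else "ok"
        print(f"{table}: {info['rows']} rows, {status} {info['pii_columns']}")
```

In a real review the file comes out of the installer package itself (the assets of an APK or the contents of an app bundle) rather than from `build_sample_db`; the audit function is the same either way. Opening with `mode=ro` matters when the file is evidence, since it prevents the audit from silently altering it.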
But surely things can't get much worse, can they? Enter the EC-Council, who, if you recall, are the people who provide 'Certifications' to the Security Professional, underpinning Ethical Hacking and those Certified CISOs who serve the Cyber/Digital Security industry. The problem here was, and is, that their site suffered another hack over a weekend. On this occasion the hackers also claimed to have found "thousands of passports belonging to LE [Law Enforcement] (and .mil) officials" in the process of breaking into the site. So, a very worrying concern for any Security Professional who is associated with, registered with, or certified by this body. I can only presume that the hackers in this case had not applied for, or been certified under, the EC-Council skill set, as surely they could have applied their learning to secure the EC-Council themselves! And as if to give the mission some qualification, 'Eugene Belford' wrote on the EC-Council homepage, "Defaced again? Yep, good job reusing your passwords morons jack67834#". With respect to the claim that passport and other information was stolen, the hacker also posted a photo of Edward Snowden's passport, along with an e-mail from him to the Council from 2010. Worrying, to say the least!
And then, as if that were not bad enough, we see the striking news that Lloyd's of London are refusing to insure some big-name players in the world of Oil & Gas against cyber threats because those players are considered insecure. When one considers their critical position serving the economy, and the part they play within a critical industry, it does tend to leave one cold [please forgive that pun].
Add to all of the above everything else we know about hacking, incursions and insecurity, and it does beg the question, as we approach yet another Infosecurity event where we will listen to the visions of security: have we missed the point, got something wrong, or is it that we just aren't listening? But it is a certain fact that something MUST change, and it MUST change quickly, before we 'all' pay the consequential price for a security industry which is starting to look just a tad tarnished.