The weakest link
Everybody talks about "computer security" from the beginning of time, but very few know what it is and how it works and even less do care about it. Is not long time ago that a big swab of fortune-500 companies ended up with millions of customers' "personal data" published and under threat of ransomware, and that make me think that the situation hasn't changed much since the time I wrote this document, that is still good.
What did changed since that time is that the situation has gotten worse. Before, we had to take care about computers. Now we have to care about computers, phones (that are computers), tablets (that are computers), the doorbell, the garage's lock, the house thermostat, the toaster, the fridge, the window's curtains, the car and the toilet's flush, all of which are, for no good reason at all, not just computers, but have to be connected to the internet 24x7 to work.
And in all this it seams that the whole idea of "security" is to just ignore it.
And now that we have the basis, let's talk about $witted&dim, a company that did... many things.
These peoples had several machines that performed business analysis, that is, they were fed data from other companies and then added a bunch of random number and produced nice graphs and such.
Since 99% of their activities consisted in collecting and distributing documents and databases, a huge chunk of their infrastructure was FTP and SFTP access for several "customers".
Now, FTP is a protocol that was invented in a golden age, when in the world there were 4 computers, two of which were in the same university and another one shared the same cable as the phone, so if you wanted to use it you had to get the cable and then put it back when you had done with it. Is not a surprise that the concept of "security" was a bit lacking.
If we also add that FTP works in many cases by having the client to begin a new connection on an random port... and we have a huge problem when you want to run one behind a firewall. Especially if your "standard" mode is "everything is closed unless is specifically required". That is a wonderful mode but it require that somebody takes stock of all that is required and where it's supposed to go and how. And this, for $witted&dim, was a big problem.
For example, one nice morning we got a call from CL that lamented that one of their customer had a consultant that couldn't login anymore.
CL - ...so our customers have this consultant and now he can't login anymore
Me - And did it worked before? Maybe its IP has changed, can we get the new and the old IP ?
CL - I don't have the IP, can't we just open them all?
Me - Open them all is a bit too much, the best practice is to give access to what is needed and when.
CL - I think is just annoying.
Me - You leave your house door permanently wide open or do you open it only when somebody need to get in and you know him?
CL - ...what has this to do with the whole thing ?
Me - It's exactly the same thing.
After several discussion, we manage to get the new IP, that is from China.
Me - Your consultat is in China now?
CL - Ain't "our" consultant, he works for one of our customers.
Me - And he is in China?
CL - I don't know if he is in China!
Me - Good, ask them then.
After a bit we got word from CL's Customer (CL2)
CL2 - What does "China" means?
Me - That the IP we got from CL is from China.
CL2 - ...our consultan ain't in China, he is in Germany, you're talking nonsenses..
Me - The Ip I got is X.Y.Z.K. it's the right one?
CL2 - Yes... at least it sounds the right one...
Me - That IP belongs to a Chinese ISP.
CL2 - No... that doesn't sound right.
Me - Check it please.
CL2 - I must check it?
Me - Yes. Contact the guy and ask him.
Some more time passes.
CL2 - Well, I've spoken with the guy and he said he is no longer working for us and he is not in china and hasn't tried to connect for a while.
Me - Good.
CL2 - Somebody has idea what is going on?
Me - I think it's time for you to clean up your personnel data, who's working for you, who isn't and where they are and what kind of access they have and they need.
CL2 - We have to do that?
Me - Who else? We certainly don't know who is working for you or not.
This situation repeated itself for a few times, until $witted&dim decided that the "best" thing to do was to add a blanker "pass all" rule for the firewall access to their systems. The discussion went more or less like "they are paying us so that's it". I tried to explain that our "motto" was "security first" and that is basically the opposite of "blanket pass-all rule", but ...
Then, another nice day, it came out that a huge chunk of $witted&dim's database was mailed to several public site, and obviously their customers weren't pleased with the fact. Obviously, we were asked to "explain" how such "incident" had to came.
A quick check revealed that one of $witted&dim's employee (CL3) had logged into the database several times and performed several operation in the previous days, and most of the access were from IPs that WEREN'T correct. Because it doesn't matter how fast you are, you can't login from Peru, China and Germany in the space of 5 minutes. And I also noticed that before that, for days, CL3 had logged in from an IP that belonged to some of $witted&dim's customer. The question was, was CL3 working at their place?
CL3 - Ah no, that's ok.
Me - "That's ok" means?
CL3 - That is one of our customer.
Me - Yes, I know that, their IP was in our list before. But are you working at their office? Why there are login from there?
CL3 - No, they are logging in as me.
Me - ...care to elaborate?
CL3 - They needed to do stuff on a database and we didn't wanted to go through the whole story to get a login, so I simply gave it mine.
...silence...
Me - Your login username is your e-mail address right?
CL3 - Yes.
Me - And your password is the same for your e-mail?
CL3 - Is this related?
Me - Yes, you just gave out your access to the whole corporate e-mail.
CL3 - But they are our customer...
Me - Yes, and they probably gave the same to their customers.
Of course this meant that $witted&dim had to do a lot of work, because they had to replace ALL THE PASSWORD and check EVERYTHING that had gone through CL3 e-mails or any other system he had access to, and any system he knew that required just a click on "I forgot my password" to get a new one mailed to that e-mail. An e-mail that half of the word knew about at this point.
And the major problem, in my opinion, was that the whole concept of "security" had gone out of the window at this point. And the idea that "they are paying us" was more important than pumping some common sense into the head of customers.
Davide
28/09/2018 14:19
