More likely he'll be sued
IT staff at the world's largest securities transaction clearing house are facing a rough few days after a Reg reader was inadvertently deluged with emails leaking session IDs, transfers, and account details for executives at big-name customers. The Depository Trust & Clearing Corporation (DTCC) handles the vast bulk of stock …
I once started getting account opening emails from a UK bank.
I phoned them up to let them know something dodgy was going on.
Later that day they contacted me and told me that someone had entered a made up email address to perform some tests on the system, had forgotten to remove it, and hadn't realised the email address might actually belong to someone. Oh dear.
"FFS use [email protected]"
I have a domain which I mainly use for online stuff, like shopping. I got fed up with spam so I wanted to be able to find out who 'leaked' my address (e.g. shop in John Lewis, give them email [email protected]). All emails get through to my administration address. I figured I'd chosen a sufficiently random, but still memorable, domain name, but turns out someone might have had the same idea for testing.
Sure, EVERY mistake is a human error if you trace back far enough.
Thing is, these organizations are trying to use "human error" as shorthand for "our systems are actually secure", which is what has just been proven to be untrue.
Even discounting the "human error" which occurred, the fact that such an error would be magnified to such an effect indicates just how poorly designed and implemented these systems are.
But I guess those are just two more "human errors."
"indicates just how poorly designed and implemented these systems are"
I love these types of comments... It's the IT equivalent of watching a professional footballer cock up a penalty and then screaming about what they've done wrong, how you would have done it better and how much less you would ask for in wages to do it...
Yes, yes... I am sure that one of the largest financial institutions in the world has poorly written and implemented systems and you and your "degree" from some old poly can do a much better job single-handed whilst moonwalking and gargling the alphabet backwards.
1. I don't have a '"degree" from some old poly' -- I have 32 years' experience in IT.
2. One of the projects I worked on at the financial institution I work for was setting up and testing an e-mail filter to prevent "human error" from sending out e-mails containing sensitive customer information.
3. I don't believe that system will catch everything (though it would most likely have caught this crap), and I continue to work to improve security and security awareness at my institution, because
4. I don't believe that the false illusion of security benefits anyone. That was my point, not some misguided armchair quarterbacking. Pretty much all IT systems in use today have security flaws, and we don't make progress by dismissing evidence of those flaws as "human error".
That'll be a SysAdmin getting sacked today then.
No, not for the "human error" misconfiguration. For not noticing more quickly that the flood of emails about his systems had suddenly stopped.
"Wow, everything must be working brilliantly today, I'm not getting sent ANY errors" - you are the weakest link, goodbye.
The whole problem was when a sysadmin decided he wanted to receive alerts at his personal email (gmail) account, and had a finger-fumble moment.
The real question is why on earth such a mission critical system was happy to accept an UNVERIFIED email address as the endpoint for diagnostic emails. Almost every system + dog nowadays insists on clicking on an emailed link to verify the address before using it.
Once those emails went to a Google account, all that information was automatically slurped up by Google and is now their property.
Think about that for a sec....
But one has to ask... using a gmail account for internal secure information would have to violate a number of security and policy rules.
I'll wager a couple of people lose their jobs over this...
At what point does 1.7 quadrillion (about $243,000), per year, have any relationship to the real world?
I guess these are not always different quadrillions sloshing around in there, indeed they are quite like the same going around like fat cows in circles, though I would wager that Bernanke's 65 billion dollar per month of QEn are in there SOMEWHERE.
This is just another example of what happens when no one pays attention.
Some other examples from personal experience, not entirely IT related, of the results of no one paying attention:
1. A weekly e-flyer for a pharmacy chain, in PDF format, but really just a string of jpegs with such low resolution you couldn't read the text. No way to tell just what this week's specials were! No one bothered to actually look at the end result to be sure it was legible. Strangely enough, an email to the president's email address actually got to him, and they cleaned up their act promptly. I imagine somebody got their fingers slapped over such stupidity.
2. A big illuminated sign by the highway saying "For latest road condition information, check http://....." With all the hoopla about the adverse effects on driving of using cell phones, you'd think that a sign that was an open invitation to fire up your browser would be dismissed off hand as counterproductive.
3. An emergency response program that has designated routes for emergency vehicle use only. Problem: all the routes between different parts of the metroplex are so designated: you simply cannot get from part A where people work to part B where they live without using one of these highways. If we have a big earthquake (certain to happen sooner or later), everybody's going to want to rush home to make sure things are okay, that their kids in school are okay, etc. There aren't enough cops to block the resultant flood of traffic; and besides, the cops will have other things to do after a big shake. [The city I live in has very few road links between some sections.] This particular stupidity also involves failure to take into account human nature which, as the old adage teaches us, never changes. Plus the common bureaucratic position that making a rule against something actually stops people from doing it.
In the present case, somebody didn't bother to look at the email address they'd keyed to be sure it was correct, to say nothing of the other criticisms of this fiasco.
"Misdirected"? Not so. Some inattentive berk typed in a valid email address in whatever box asked for it. The fact that it was not the address he/she intended is not important. Let's assign blame where it belongs: some techno-tw*t who probably broke umpteen company regulations (not to mention conditions of employment) to steer information to his or her private email account instead of a safe (and probably audited) company one. That this person then didn't double check the address is just par for the course.
If company rules-of-conduct don't make that a fingerbreaking offense, they should.
And where was the firewall nannyware when it was needed? Why aren't all outbound e-mail addresses whitelisted?
The more I think on it the more there seems to be a cultural/systemic problem at the root of this.
Biting the hand that feeds IT © 1998–2020