Security, as we all (should) know, is a people problem. Throw a little bit of technology into the mix and it can get messy in a hurry. I’ve got two interesting tales of security woe today, both about people and, more specifically, about how the interaction of people and technology leads to trouble.
First, consider the case of a Powerpoint presentation from the Office of the Director of National Intelligence:
Terri Everett of the Office of the Director of National Intelligence gave a Powerpoint presentation which was also hosted online; unfortunately, some data behind his pie charts revealed rather more than intended. Writer R.J. Hillhouse found that she could open the chart object and extract the numbers from within. The result is that she, and all of us thanks to her blog, now know that the budget of the 16 US intelligence agencies is 25% more than previously thought - $60 billion.
Oops. For some reason, people often fail to comprehend that data-driven tools (such as graphing controls) are backed by data, and that unless they explicitly sever that relationship (for example, by copying and pasting the values they want to use into a new document), the underlying data from which they distilled their pretty pictures is still there, either directly or indirectly.
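A defender’s check for exactly this chart problem, added here as an illustration and not part of the original post. It assumes the modern OOXML .pptx container (a plain zip), in which every chart part keeps a cached copy of its plotted labels and numbers and any pasted spreadsheet lives under ppt/embeddings/; the sample package, its agency names and its numbers are all constructed inline, so the script runs offline.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# DrawingML chart namespace used by the chart parts inside a .pptx package.
CHART_NS = "http://schemas.openxmlformats.org/drawingml/2006/chart"


def build_sample_pptx() -> bytes:
    """Constructed sample, not a real deck: a minimal .pptx-style zip holding one
    chart part whose caches still contain the plotted labels and values, plus a
    stub embedded workbook (a real deck would hold the whole spreadsheet here)."""
    chart_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<c:chartSpace xmlns:c="{CHART_NS}">
  <c:chart><c:plotArea><c:pieChart><c:ser>
    <c:cat><c:strRef><c:strCache>
      <c:pt idx="0"><c:v>Agency A</c:v></c:pt>
      <c:pt idx="1"><c:v>Agency B</c:v></c:pt>
      <c:pt idx="2"><c:v>Agency C</c:v></c:pt>
    </c:strCache></c:strRef></c:cat>
    <c:val><c:numRef><c:f>Sheet1!$B$2:$B$4</c:f><c:numCache>
      <c:pt idx="0"><c:v>12.5</c:v></c:pt>
      <c:pt idx="1"><c:v>30</c:v></c:pt>
      <c:pt idx="2"><c:v>17.5</c:v></c:pt>
    </c:numCache></c:numRef></c:val>
  </c:ser></c:pieChart></c:plotArea></c:chart>
</c:chartSpace>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/charts/chart1.xml", chart_xml)
        z.writestr("ppt/embeddings/Microsoft_Excel_Worksheet1.xlsx", b"stub workbook bytes")
    return buf.getvalue()


def audit_pptx(package: bytes) -> dict:
    """List what a reader can recover from the package with nothing but a zip
    tool: embedded objects, and each chart's cached labels and numbers."""
    report = {"embeddings": [], "charts": {}}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if name.startswith("ppt/embeddings/"):
                report["embeddings"].append(name)
            elif re.fullmatch(r"ppt/charts/chart\d+\.xml", name):
                root = ET.fromstring(z.read(name))
                labels = [v.text for cache in root.iter(f"{{{CHART_NS}}}strCache")
                          for v in cache.iter(f"{{{CHART_NS}}}v")]
                values = [float(v.text) for cache in root.iter(f"{{{CHART_NS}}}numCache")
                          for v in cache.iter(f"{{{CHART_NS}}}v")]
                report["charts"][name] = {"labels": labels, "values": values}
    return report


def leaks_source_data(report: dict) -> bool:
    """True when the deck still carries an embedded workbook or cached chart
    values, i.e. the link back to the source data was never severed."""
    return bool(report["embeddings"]) or any(
        chart["values"] for chart in report["charts"].values())


if __name__ == "__main__":
    rep = audit_pptx(build_sample_pptx())
    print(rep)
    print("source data recoverable:", leaks_source_data(rep))
```

Run `audit_pptx` over a deck before it is published; a non-empty embeddings list or any cached values means the "pretty picture" is still carrying its numbers, and the fix is to paste the chart as an image (or a values-only table) rather than as a live object.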
But the problems don’t stop there. A critical eye and a fundamental understanding of the system that the data is modeling can catch all sorts of interesting opportunities.
For example, a couple of years ago I was reviewing the results of our annual employee satisfaction survey. The information included not just my department, but the totals for each department in the entire group up through the CISO.
I noticed that there seemed to be an off-by-one error in one of the results, and realized that it wasn’t an error, but rather that the CISO’s answers had been included in the totals (“x people rated us a 1, y people rated us a 2 on it,” etc.) as an unlisted one-person department! It therefore became trivial to extract his “confidential” answers to the entire survey.
Fortunately, the survey had not been widely distributed yet (and most people who had a copy hadn’t looked hard enough to notice this), but even so HR was loath to withdraw and re-issue every report that was vulnerable to this simplistic Data Mining Attack.
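The survey leak as a worked example, added here and not taken from the original post (the departments and rating counts are constructed, for a single survey question). Differencing the published group total against the listed departments isolates the one unlisted respondent; the usual countermeasure is small-cell suppression, which withholds any row with fewer than k respondents and also withholds the total whenever the remainder it covers beyond the published rows falls below k.

```python
from typing import Dict, List, Optional

# Constructed sample: how many respondents gave each rating (1..5) on one
# question. The group total was computed over everyone, including one person
# who belongs to no listed department (the "unlisted one-person department").
GROUP_TOTAL = [2, 5, 9, 14, 7]          # 37 respondents
DEPARTMENTS = {
    "AppSec": [1, 2, 4, 6, 3],          # 16 respondents
    "SecOps": [1, 2, 3, 5, 3],          # 14 respondents
    "GRC":    [0, 1, 2, 2, 1],          # 6 respondents
}                                       # listed rows sum to 36


def residual(group_total: List[int], departments: Dict[str, List[int]]) -> List[int]:
    """Subtract every listed department from the group total; what remains is
    the contribution of respondents who appear in no listed row."""
    res = list(group_total)
    for counts in departments.values():
        res = [r - c for r, c in zip(res, counts)]
    return res


def infer_hidden_answer(group_total: List[int], departments: Dict[str, List[int]]) -> Optional[int]:
    """If exactly one respondent is unaccounted for, the single non-zero bucket
    of the residual is that person's rating: the 'confidential' answer leaks.
    Returns None when more than one (or nobody) is hidden in the remainder."""
    res = residual(group_total, departments)
    if sum(res) != 1:
        return None
    return res.index(1) + 1


def publishable(group_total: List[int], departments: Dict[str, List[int]],
                k: int = 5) -> Dict[str, Optional[List[int]]]:
    """Small-cell suppression. A department is published only if it has at least
    k respondents, and the group total is published only if the respondents it
    covers beyond the published rows also number at least k, so differencing
    can never isolate a group smaller than k. None marks a withheld row."""
    out: Dict[str, Optional[List[int]]] = {}
    published = 0
    for name, counts in departments.items():
        n = sum(counts)
        out[name] = counts if n >= k else None
        published += n if n >= k else 0
    remainder = sum(group_total) - published
    out["Group total"] = group_total if remainder >= k else None
    return out


if __name__ == "__main__":
    print("residual:", residual(GROUP_TOTAL, DEPARTMENTS))
    print("hidden respondent rated:", infer_hidden_answer(GROUP_TOTAL, DEPARTMENTS))
    print("safe to publish (k=5):", publishable(GROUP_TOTAL, DEPARTMENTS, k=5))
```

Applied to the sample, the residual is `[0, 0, 0, 1, 0]`, so the hidden respondent rated the question a 4; with k=5 the departments are all large enough to publish but the group total is withheld, because publishing it would leave a remainder of one person exposed.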
Next, carrying forward the theme of the importance of knowing how much you do or don’t know, there’s a tale of social engineering gone horribly wrong. For a little background, Steam is a combination online community and license key management application that Valve Software, a major game developer, built to support their online games and (eventually) roll some fairly DRM-ish anti-piracy features into their products.
Their technology is good enough that social engineering has become the preferred method of stealing keys. Of course, it works better for some than others, and so our story begins…
Greg_ValveOLS says:
my name is greg a member of the valve online Support team
br0kenrabbit says:
On MSN?
Greg_ValveOLS says:
yes :)
br0kenrabbit says:
Why?
Greg_ValveOLS says:
we logged multiple ips from your account and ned to verifi your information
br0kenrabbit says:
My information?
Greg_ValveOLS says:
we believe someone may have stolen your account mmmm you havent shared youre account infomation with anyone have you?
I won’t endorse the final outcome of the conversation, but needless to say, social engineering can be kind of like picking a fight in a bar: you won’t know just who you’re up against until it’s too late.