Recently I met up with an old friend at a cafe in San Francisco's Mission District, the kind where hipsters pay six bucks for an individually brewed cup of ultracaffeinated coffee. We didn't belong there -- we were too old. But for some reason it seemed like a good moment to inquire about my friend's experiences as a professional computer security sleuth, a subject he seldom visits. The powerful brew had put him in a talkative mood, and because it was midday, only a few hipsters lingered, all three of them wearing earbuds.
"I have a good idea of what you do," I said, taking a glance around the room. "But I generally don't hear the details. You must have some pretty outrageous stories."
He grinned. "Sure I do. I'll tell you a few. But I know what you do also -- so no names."
With that he was off and running, as was my voice recorder. I got the feeling he was dying to get these stories off his chest. The thread running through these tales: Security practices in the real world are much, much worse than you think they are, even at Fortune 50 companies you'd expect to have the expertise and resources to know better.
My friend's first anecdote was pure irony -- what he discovered at a security software company. If you don't know the lingo, "pen test" is short for "penetration test":
I once worked for a great security company that was acquired by a very large, very well-known antivirus vendor. One of the first things we did was to pen test the antivirus vendor's software that was running on tens of millions of computers. What did we find? Hundreds of buffer overflow bugs and other exploits. The software people were running to protect themselves probably had more bugs than the software they were trying to protect.
Who could have guessed the guardians needed such serious help? In this next case, help came too late -- the bad guys had already walked off with a priceless map of the world:
I was hired at another company to help with minimizing the damage from an APT (advanced persistent threat) break-in. I quickly learned that the company I was working for made tens of millions of dollars penetration testing other companies. Their customer list was a who's who of the Fortune 500. Their penetration-testing database, which had been accessed by the APT, contained a list of every vulnerability that the client's pen-testing teams had found, including whether the vulnerability had been resolved or was still a problem. With one download, the APT had a road map of how to break into some of the world's largest companies.
Here's another one that boggles the mind, following on the theme of vulnerabilities where you least expect to find them:
A very well-known financial company liked to brag about its very high-end security. Not only did they not use Windows, but they didn't use TCP/IP or any popular protocol. They had written their own communication protocols and required three-factor authentication to access their network. They monitored their network like no other company I've ever encountered, and frequently fired employees and contractors for doing things beyond the scope of their job.
One day I was sitting in their cafeteria eating lunch when I noticed they had a company kiosk sitting in an area accessible by the general public. I went to it and found that it was logged in as root and had access to every system and database the company had to offer. And everyone knew this. The company that prided itself on its heightened security also accepted that they needed public kiosks that could access any of the company's data. No one in the company seemed to think this was an unnecessarily high risk.