A CD-RW with Lady Gaga written on it became the vehicle for over 250,000 leaked US state department cables sent from, or to, US embassies all around the world. This news story has made headlines the world over and put egg on the faces of the US diplomatic service, which is part of the US state department — the equivalent of the UK’s foreign office.
The results were passed to WikiLeaks”, a “not-for-profit media organisation” whose aim “is to bring important news and information to the public” based on principles of “the defence of freedom of speech and media publishing”. They were passed to the Guardian on a USB stick and it, along with three other newspapers — the New York Times in the US, Der Spiegel in Germany, Le Monde in France and El País in Spain, has started to publish the thousands of snippets of information these documents contain.
The culprit is said to be soldier Bradley Manning, an intelligence specialist who smuggled the CD-RW out of the intelligence service, and who has been behind bars for seven months as a result and faces a court martial. After the data heist, he said in a chatlog that he “had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months” and sang along to Lady Gaga “while exfiltrating possibly the largest data spillage in American history”.
The reaction from official forces has been predictably furious, although the editor of the Guardian described the leaks as embarrassing for the US rather than damaging.
But all that aside, what does it say for the security of the US’ diplomatic intelligence service? The fact that it took only a simple mistake of not configuring official computers so that were unable to burn CDs or copy data onto USB memory sticks is ludicrous. But it highlights one key aspect of security that applies whether you are the US state department or anyone who has a computer at home.
Security is a state of mind. What seems to have happened is that, once the individual who leaked the information had passed muster, probably by typing in a username and password, he was allowed to access everything on the department’s servers. It suggests that the security hierarchy is pretty flat, with little granularity of access. Additionally, it shows that physical access to a device attached to servers is not seen as something to be controlled, a least to the extent that you are able take data away with you on a physical medium.
So the state of mind of those who set up the machines seems to have been that the possession of a username and password (or maybe some form of biometric identification — there’s no suggestion that Manning falsified his identity) meant he was trustworthy enough to give access to a huge range of secrets.
While your PC might not contain information quite so portentous — though of course it might, I don’t know — it might make you wonder whether your security setup is as secure as you need it to be, especially if you share your machine. And do you trust yourself…?
Posted on Monday, November 29th, 2010 at 17:53 in privacy, security | RSS feed
|
Respond |
Trackback URL
Similar Posts:
- How a US department overhauled untenable security – iT News
- Information security in Russian companies
- Government Eyeing Security Technology To Prevent Another Wikileaks
- I am marketing, why am I on the security committee?
- Astounding: Rogue VA Employeees, Critical Data Leakage and You
Article source: http://feedproxy.google.com/~r/SecurityBloggersNetwork/~3/-_k1WUGJ_JY/
