Information security has a lot of flaws and errors. Some of them are caused by persons, some by technology. And most of them are so flagrant, that no one would believe that they are possible. Here is a list of the most bizarre but real situations in information security that I encountered during the years of my work (naturally, everything is anonymized):
- An organization had a secure site where the log off button simply navigates the visitor off the main page, but does not tear down or in any other way disconnect the session. Until the browser is not off, you can use the back button to go back and continue work with valid credentials.
- A security savvy user sent an encrypted file via public e-mail , and then sent the decryption key in another clear text e-mail, with a subject line: "Password".
- A user decided to rip music from an audio CD at work and send the rips to her private e-mail. Instead of converting it to MP3, she simply copied the AVI files into an e-mail as attachment, without checking the file size, and sent it. The corporate mail server got clogged up and did not operate for 30 minutes. The first song in the mail was: "Every little thing she does is magic". The employee was repremanded.
- There is a highly confidential document safe with the combination written on the top corner of the door. When asked about this, the custodian of the safe explained that the lock is "funky" so even with the known combination, only he know how to twist the dial into opening the safe.
- A consultant was hired to analyze database performance. He wasn't given passwords and had to communicate all his requests for reconfiguration to the DBA. The consultant considered this approach to be too slow, and at one point used a sniffer to capture the password, apparently in order to work faster.
Please share in the comments
Labels: information security