Thursday, July 10, 2008

Supreme Court Justice's Identity on P2P

Identity theft is prevalent, no one will argue that.
There are many different ways to get your identity stolen.
Whether it's from a SQLi (SQL Injection) hack of a web application, phishing scam, or some other digital or non-digital method identities are stolen every day, all day 24 x 7 x 365.

What you wouldn't expect is to fire up LimeWire (for searching through non-copyrighted material, of course) and finding the personal information (including birthdate and SSN) for a US Supreme Court Justice. Justice Breyer had his information shared via LimeWire to anyone on the Internet who wished to download it for a very, very long time (~6-7 months, according to an article up on Fox News). Making this situation worse there were approximately 2,000 high-profile clients of Wagner Resource Group, a McLean, VA investment firm exposed via LimeWire.

I'm not sure what's more shocking: the fact that this information was available on the Internet, or that an investment firm didn't have controls to prevent some moron from using LimeWire on their desktop.

Maybe I'm just old-school or whatever... but if you're an investment firm catering to the country's elite... you should have some basic security controls in place. One of those controls should have been to disallow people from installing P2P software on work computers... hello? McFly?

In this analyst's humble opinion, there are some very basic, non-spend-type, of things that could have been done to make this incicent a non-starter:
  1. Put out a basic HR policy that states that you can be terminated for installing P2P software on company hardware. There is never a good reason to install file-sharing software on work computers.
  2. Lock down business-owner hardware to prevent users from installing software without perimission (this omits licensing violations, software/DRM infringement, and legal problems of all kinds)
  3. Put up a basic network filter that blocks P2P traffic (LimeWire is pretty easy to block at the gateway)
There you have it - simple measures that would have avoided a potentially catstrophic self-inflicted wound.

Shame on you Wagner Resource Group - my hope is that you get sued, and lose the majority of your clients and learn the hard knocks lesson of data security.

No comments: