Labour leadership contender Owen Smith fails simplest of security tests
Of all the issues on the candidate’s mind, basic security precautions do not seem to be present (@f1nux via Twitter)
What do Owen Smith, the Labour MP fighting to become party leader, and analytics outfit Hitsniffer, fighting to stay in business, have in common?
The answer, it seems, is insecurity.
Politics aside, you might also take the insecurity tag literally. Over the weekend, his campaign team tweeted a photo of Smith at a meeting. Unfortunately, the photo included a clear view of a whiteboard containing a login URL, username and password for everyone to see.
It turns out that the login was for the campaign phone bank system. Although the image was soon deleted, and the password changed, it highlights some worrying problems for Smith.
This is the man that wants to be our next Prime Minister. Yet not only was a login written on a whiteboard, with a naively simple password, the whole shebang was posted to Twitter and his 16,127 followers.
It could have been worse; Owen Smith could have been as popular as Jeremy Corbyn who has 625,000 followers. Seriously though, what could and should Smith have done differently?
Robert Page, lead penetration tester at Redscan reckons that “Mr Smith posting credentials on Twitter illustrates how security is more than just a technology issue”, adding, “he should check what he's posting online before he does it, and should never write down usernames and passwords.”
Peter Martin, MD at RelianceACSN agrees, telling SCMagazineUK.com that “there would need to be a very good reason to ever write down a password. An incident like this makes you wonder what their level of awareness was; were they planning to shred the white board sheets after each session?”
Nic Scott, MD UK & I at Code42, says that he would “recommend a policy whereby every post is checked by at least two members of the team before posting.” But, as Peter terSteeg, technology evangelist at Varonis, pointed out in conversation with SC, it's too late now: “not only did it damage his candidacy it illustrated a lack of knowledge on critical issues like cyber-security.”
Something you'd hope anyone wishing to become Prime Minister might take a little more seriously.
Also wishing it had taken the insider threat more seriously, it would seem, is Hitsniffer. The home page of this analytics outfit currently displays the following statement:
“Hitsniffer was compromised by a programmer who had worked for the company since its inception. This programmer has stolen all databases. The customer database is now in his hands.”
The company goes on to claim that customers might have received an email from a rival company, using those databases in order to contact them. “We have made allegations of theft and fraud regarding this matter and it is now being investigated by the Police,” Hitsniffer says.
Although this would seem to be another case of insider insecurity, it's at the opposite end of the scale to the Owen Smith case: one is sheer stupidity that could easily have been prevented, while Hitsniffer appears to illustrate a much more complex problem.
Senior technologist with Palo Alto Networks, Aaron Miller, told SC, “this can be a tough nut to crack because traditional network security focuses on detecting outsiders but does little to monitor or limit the actions of legitimate users who make mistakes or deliberately misuse data.”
And, as Tod Beardsley, principal security research manager with Rapid7, told SC, “Hitsniffer is an enterprise of fewer than ten employees, according to LinkedIn, and the person accused of walking out with the Hitsniffer intellectual property was a founding programmer. Given these circumstances, it would appear to be practically impossible for Hitsniffer to defend against this particular threat in a technological way.”
Indeed, larger organisations may be able to implement the kind of structured segregation of duties and impartial code reviews that could have saved the day. Smaller companies are often not in that position. “Being very careful who you trust is key,” says Peter Martin, MD at RelianceACSN, who continues, “proper legal protection in contracts, and some degree of supervision is also essential.”
Chris Pogue, Chief Information Security Officer at Nuix, concludes that organisations of all sizes should “assume that you already have an insider threat problem and implement the procedural and technical controls to limit employee access to high value data, as well as provide the detection mechanisms necessary to identify when that data has been accessed.” Which sounds like a plan, and one that should be implemented given that recent stats from Mimecast suggest some 51 per cent of IT security managers in the UK are ill-equipped to cope with the malicious insider threat…
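To make the “detection mechanisms” point concrete, here is a small added example (not code from the article, from Hitsniffer, or from any of the companies quoted) of the kind of check a small firm could run over its database audit log. The log format, the user names, the table names and the thresholds are all constructed for the illustration; it flags two things an insider export tends to show: a bulk read of high value tables by one account in a single day, and access to those tables outside working hours.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (hypothetical format: one line per query
# against the customer database). Not from any real system.
SAMPLE_AUDIT_LOG = """\
2016-07-24T09:12:03 user=alice action=SELECT table=customers rows=12
2016-07-24T09:15:41 user=bob action=SELECT table=customers rows=3
2016-07-24T10:02:17 user=alice action=UPDATE table=customers rows=1
2016-07-24T23:47:55 user=bob action=SELECT table=customers rows=48000
2016-07-24T23:49:10 user=bob action=SELECT table=invoices rows=21500
2016-07-25T08:30:02 user=carol action=SELECT table=customers rows=7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Tables treated as high value data; these are the ones worth watching.
HIGH_VALUE_TABLES = {"customers", "invoices"}
# Rows read per user per day before a bulk-read alert fires (constructed
# example value; tune it against a real baseline of normal activity).
BULK_ROWS_THRESHOLD = 10000
# Working hours as [start, end) in local time; access outside is flagged.
WORK_HOURS = (7, 20)


def parse_audit_line(line):
    """Parse one audit line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    rec["rows"] = int(rec["rows"])
    return rec


def detect_insider_access(log_text):
    """Return a sorted list of (user, day, reason) alerts found in the log."""
    alerts = set()
    rows_per_user_day = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec["table"] not in HIGH_VALUE_TABLES:
            continue
        day = rec["ts"].date().isoformat()
        key = (rec["user"], day)
        # Any access to high value data outside working hours is worth a look.
        if not (WORK_HOURS[0] <= rec["ts"].hour < WORK_HOURS[1]):
            alerts.add((rec["user"], day, "off-hours access to %s" % rec["table"]))
        # Accumulate read volume; a sudden bulk read looks like an export.
        if rec["action"] == "SELECT":
            rows_per_user_day[key] += rec["rows"]
            if rows_per_user_day[key] > BULK_ROWS_THRESHOLD:
                alerts.add((rec["user"], day, "bulk read of high value tables"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, day, reason in detect_insider_access(SAMPLE_AUDIT_LOG):
        print(user, day, reason)
```

Run as-is it reports only the account that read tens of thousands of customer and invoice rows late at night. The thresholds are deliberately simple; the value of even a check this crude is that it turns “the programmer took all the databases” from something discovered after a rival's email arrives into something that raises an alert the same day.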