Wednesday, October 13, 2004

"Open Office" at the Public Prosecutor

These days, here in the Netherlands, we have our own little security scandal. Let me introduce you to the story: a public prosecutor in Amsterdam by the name of Joost Tonino had his PC infected by a virus. He couldn't get it to boot anymore and thought he might just as well throw it away. An effective means of getting rid of a machine is, of course, to put it bluntly out on the street with the garbage to be taken away. And that's exactly what he did. You can read more on the story elsewhere; there are lots of English-language stories on the subject, so you don't need to master the Dutch language in order to follow it. It all started with a cab driver who took the machine home, was able to get access to the unprotected hard drive, and read all of Tonino's personal and confidential files. There was an abundance of information related to recent criminal cases in our country. A couple of days later, the story continued as some cracker broke into the man's personal mailbox, the address of which had already been shown in a Dutch crime fighters' TV show. The password was supposedly communicated too (I haven't seen the program myself) but had subsequently already been changed. I can imagine how much of a trigger this can be for some people to give it a try... Why at least something as trivial as this personal email account, free to acquire, was not immediately taken out of use is beyond me. This morning the latest news is that Tonino has resigned from his post.

Well, my point is not to discuss how stupid it is to put your machine out on the street just like that. Nor do I want to talk about one person putting highly sensitive information in an exposed free mailbox. I think the background is much more interesting. Apparently people in these positions, who handle information about matters of life and death, are able to do things like this. This was an accident, but it would be quite naive to think that it doesn't happen on a larger scale. Nor will the Public Prosecutor's Office (Openbaar Ministerie) be the only government organization affected. Maybe this happens on a much larger scale than I can even imagine. It gives me the shivers to picture all that information flowing around unprotected. Now, it is said that the Justice Department should take preventive measures, but of course that's nothing more than an automatic reaction. This is 2004; we have had the means to prevent these things for years. Let me enlighten you:

The first thing they should have done - not now, but in the not so recent past - is to have a security audit team investigate the information flows in the complete organization. It will show quite soon that there's a lot of information that maybe shouldn't cross the internet at all. This is something that should be discussed with all employees involved. The dangers of letting sensitive information flow outside the organization should be communicated to them clearly. In my view, it all starts with having everybody involved understand thoroughly what's going on. Once it's common knowledge that information is an important asset worthy of protection, you can talk about the specific course of action. In this case an obvious point would be to have no work-related information go to personal external mailboxes. There are ways to enforce this, such as monitoring internet usage or scanning where documents are sent to. Furthermore, a more rigid way of working should in no way inconvenience the employee's access to vital information. Think VPNs or other ways to log in to the network securely (man, it is even imaginable to have dedicated lines from the employee's private home to the court. It probably is not feasible for everyone, but for people in positions like the prosecutor's, it should be given at least some thought. By the way, I heard on the radio that the Dutch Parliament connects to its network this way, on machines which are not used on the internet; you have a closed circuit this way, which is of course much safer. As an aside: even at the NSA, computers intended only for internal use have been compromised by viruses because they were connected to the internet. So how much of this info is true, I wouldn't know).
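To make the "scanning where documents are sent to" part concrete, here is an added example (my own illustration, not code from the original post or from any Dutch government system). It reads a constructed, simplified mail-gateway log, and reports every message in which a sender on the organisation's domain mails a recipient at a free webmail provider, listing any attachments so triage can prioritise. The log format, the domain `om.example`, the webmail domain list and the addresses are all assumptions made up for the example; a real gateway (Postfix, Exchange and so on) logs differently and needs its own parser.

```python
"""Flag outbound mail from the organisation to free webmail accounts.

Added example, not from the original post. The log format is a
constructed, simplified one (one message per line); real mail gateways
log differently and would need their own parser.
"""
import re
from dataclasses import dataclass, field

# Hypothetical organisation domain and a short list of free webmail
# providers: assumptions for the example, not real policy data.
INTERNAL_DOMAIN = "om.example"
FREE_WEBMAIL_DOMAINS = {"hotmail.example", "yahoo.example", "gmail.example"}

# Constructed log lines: timestamp, sender, comma-separated recipients,
# size in bytes and an optional comma-separated list of attachment names.
SAMPLE_LOG = """\
2004-10-11T09:02:11 from=secretariaat@om.example to=griffie@rechtbank.example size=8120 attachments=
2004-10-11T17:48:30 from=j.tonino@om.example to=jtonino@hotmail.example size=2310456 attachments=dossier_2004_117.zip
2004-10-11T18:01:05 from=j.tonino@om.example to=collega@om.example,jtonino@hotmail.example size=94211 attachments=zitting_planning.doc
2004-10-12T08:15:40 from=j.tonino@om.example to=collega@om.example size=1203 attachments=
2004-10-12T12:30:00 from=nieuwsbrief@yahoo.example to=j.tonino@om.example size=45000 attachments=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpts>\S+) "
    r"size=(?P<size>\d+) attachments=(?P<atts>\S*)$"
)


@dataclass
class Finding:
    timestamp: str
    sender: str
    recipient: str
    attachments: list = field(default_factory=list)
    size: int = 0


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased for comparison."""
    return addr.rpartition("@")[2].lower()


def parse_line(line):
    """Parse one constructed log line; return None for malformed input
    so a corrupt line is skipped instead of aborting the whole scan."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "sender": d["sender"],
        "rcpts": [r for r in d["rcpts"].split(",") if r],
        "size": int(d["size"]),
        "atts": [a for a in d["atts"].split(",") if a],
    }


def flag_personal_webmail(log_text, internal_domain=INTERNAL_DOMAIN,
                          webmail_domains=FREE_WEBMAIL_DOMAINS):
    """Return one Finding per (message, recipient) where an internal sender
    mails a free-webmail address. Inbound mail and internal recipients are
    ignored; attachment names and size are kept for triage."""
    findings = []
    for line in log_text.splitlines():
        msg = parse_line(line)
        if msg is None or domain_of(msg["sender"]) != internal_domain:
            continue  # malformed, or not sent from inside the organisation
        for rcpt in msg["rcpts"]:
            if domain_of(rcpt) in webmail_domains:
                findings.append(Finding(msg["ts"], msg["sender"], rcpt,
                                        msg["atts"], msg["size"]))
    return findings


if __name__ == "__main__":
    for f in flag_personal_webmail(SAMPLE_LOG):
        att = ", ".join(f.attachments) or "none"
        print(f"{f.timestamp} {f.sender} -> {f.recipient} "
              f"({f.size} bytes, attachments: {att})")
```

Run on the sample log it reports two messages, both from the prosecutor's work address to the webmail account, one of them carrying a zipped dossier; the message to a colleague and the inbound newsletter are left alone. Such a report only has value if someone follows it up, and, as the post argues, if staff are given a proper way to work from home so the mailing-home habit has no reason to exist.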

But we were talking VPNs: one should be careful about client-side trouble, so a remote machine must be protected adequately. There are ways to enforce this. It's more or less trivial these days to have secure access to the work environment. If we, with our very small company, can handle this, why can't the government? They have some of the smartest hackers around at the Forensic Service, and they have a Secret Service that knows how to break into mailboxes if it wants to; so they also know how to be secure, one would think. The correct way to handle this is not to require the Justice Department to take appropriate steps to prevent this in the future. No, one should think, at a much higher level, about all the places in the government where sensitive information is handled. How are we going to secure all these information streams in appropriate ways? How are we going to teach employees to work securely? I think it can't be prevented in all cases that information will cross the internet. In that case, use SSL, VPNs, personal email certificates or other measures. These encryption tactics are certainly not the whole picture, but they can be a good enhancement. Awareness and appropriate employee tools are just as important. You can tell everybody on a monthly basis how dangerous it is to zip up your files and mail them home, but if there's no suitable solution for accessing information from home, this *will* happen in the end.

Of course, no measure can create a 100% secure organisation where never, ever any sensitive information gets into the open. In the end there are always people involved. Someone somewhere can be bribed, someone bears a grudge, or whatever. No hardware, electronic tripwire, encryption software or what have you will prevent someone from putting something on a diskette, printing information out and taking it home, etc. You get the point. Security is always a trade-off, as security guru Bruce Schneier likes to say. These days budgets are tight, and we can never be completely safe, but surely we can do something valuable with our money. Just as in medicine it is simply not possible to always treat everybody with the most expensive / most effective drugs, we also have to take care where to put our money.