Friday, May 23, 2014

What I learned last night.

Last night I was doing one of my regular sweeps of the Internet to see if the institutions and companies I frequently deal with have been breached and leaked information pertaining to me. In the past, this has proven to be productive for me, though it does make for a thorny relationship with some organisations.

People often ask why I go to such lengths, and my answer has usually been that I just don’t trust the suppliers I deal with to do an adequate job. Naturally, every supplier I deal with, whether it be a bank, retailer or telco, will vehemently fire facts and figures at me and then try to throw legalese at me, as if, instead of my saying “I believe they do a crap job at security”, I had stated “they’ve done nothing”.

Yes, it is true that some of these institutions have security teams, and it’s also true that some have spent millions of dollars on security, but no amount of hardware and firewalls is going to counter the effects of complacency, or blind-sightedness to certain security risks by their own internal teams (or worse the management in charge of these teams). 

That is why I do these sweeps a few times a year.

It was during one of these manual sweeps last night that I stumbled into something that left many Canadians open to the possibility of fraud and theft, though only a small number of people had so far been affected - under 100 as a rough estimate.

In this example, no amount of hardware at a bank or ISP would have caught the security issue, because this was a technical blind-spot caused by human activity outside their systems, not within them. Having confirmed a number of national organizations were blind to the problem, I documented it as I found it, and then left it where it was.  

At this point I raised the alarm… (there's a reason I'm not publicly saying what the issue was, so as to give time for the other organisations to do what they need to do)

The important lesson I learned from last night’s discovery was that there was only one organisation that I could prove had the foresight to act on the same type of issue I was looking for.  They'd found the problem before I did and had closed themselves off from it. 

That organisation was Scotia Bank.  

If I invert this logic, I think it's safe to assert that I now know which Canadian organisations have a security blind-spot where humans are concerned.

I think I’ll keep doing my sweeps.