Im annoyed to report that it appears that, thanks to a security breach at a Fox News Web server, one of Ziff Davis servers was compromised. I dont know the details, but from where I sit, you had two pretty simple security mistakes here.
The first was that the Fox News site had left its directory and file structure open for Web browsers. If you think of the Fox News Web site as being like a house with a locked door, but with wide open windows, youll be pretty close to Foxs level of security. This means that you could, and social community site reddit members did, snoop at the Fox news sites to your hearts content.
Adding insult to injury, Fox had left in its now public directory a login script that had the login and a password to a Ziff Davis ftp site hard-coded into it. So Foxs two fundamental security mistakes led to one of my companys systems being compromised.
Now all this is bad news. But, from what I can tell, its also fairly trivial. As far as I can tell, even if the claims of “names, phone numbers and e-mail addresses of at least 1.5 million people” being revealed are true, well, any Web white paper directory can give you that.
So, once more weve found out that major companies can be moronically stupid when it comes to security. Fox didnt require any group of expert hackers to break its site open. All it took was someone to mistype a Fox News URL and realize that they were looking at a “private” page, and say, “Hey, look at what I found!” and then tell their friends.
Thats not the real problem though. Companies and people always make stupid security mistakes. It doesnt matter how often you try to teach some people about security 101, theyll always flunk the final exam of the real world.
No, the real problem is that when a companys Web site is broken into, whether it really required an expert attack or by simple stupidity, its not just the companys problem, its also trouble for other businesses that have a trusted relationship with that company. Whether we like it or not, were all in the security business together now.
Say your local doctors offices Web site is broken into and someone gets access to the patients data. Thats bad news. But, lets say that the bookkeepers have made their lives easier by sticking the login and passwords to the insurance companys claims office into scripts for making claims. Suddenly, its not just you and your fellow patients who are at risk. Now, everyone who uses that insurance company is possibly at risk. Thats really bad news.
Its not just simple security problems like hard-coded passwords and lousy Web site security. Thanks to the rise of extranets—private networks that connect companies with trusted relationships—a break-in at AppleJack Drinks Companys accounting department can simultaneously crack open information on Zebra Brand Credit Cards cardholders.
We assume that when we give our bank, our employer, our favorite local store, some of our personal information its up to them to protect our privacy. It is their primary job, but today far too much of our private information depends on the security strength of chains of companies and the government sharing our data.
And we all know how strong a chain isnt, dont we? Its only as strong as its weakest link. If businesses take any lesson from this episode—besides just really practicing basic security—its that protecting your company from your trusted partners is at least as important as protecting yourself from the outside world.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.