As I continue to watch the WikiLeaks saga, I can't help thinking that, no matter what you think of WikiLeaks, it never would have gotten so big if it wasn't for some dumb security mistakes. It's not, as Jason Perlow pointed out, that the system design itself was defective; it was how it was managed in the field that led to a flood of secret documents being revealed.
No, Secret Internet Protocol Router Network (SIPRNet) is about as secure as any network can be. But US Army intelligence analyst Private First Class Bradley Manning showed how even the best-laid security plans are useless if they're not followed. While SIPRNet materials seemed to have been shared over a secured network, the laptops that Manning used to vacuum down the gigabytes of data, now in WikiLeaks' hands, had CD/DVD burners on them. According to a Wired report, Manning said, "I would come in with music on a CD-RW labeled with something like 'Lady Gaga,' erase the music then write a compressed split file."
There was no need for any sophisticated network tapping or Mission Impossible heroics here; all he needed was a PC and a blank optical disc and he was in business. Argh!
Before you shake your head at how foolish the government can be, have you considered your own network's protection? Even if your Wi-Fi is locked down with WPA2/CCMP (Wi-Fi Protected Access/Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) and your wired network is secured with 802.1X Port-Based Authentication, what makes you think your typical office PC is really secure?
I'm sitting at my office looking at one of my old workhorse PCs, a Dell Inspiron 530S. It has a DVD+/-RW drive, six USB 2.0 ports, and four memory card readers. By my count, that's eleven different ways that I can, with no thought at all, pull data from my network.
In my laptop bag, sitting by my side, I have two blank DVD RW discs; half-a-dozen USB drives that can hold from 512MBs to 4GBs of data; a first-generation iPod Touch with 16GBs of storage; and a Droid II Android phone with 8 GB of internal memory plus an 8 GB microSD memory card. Were I in your office, with a similar PC in front of me, I could walk out in a few hours with 40 gigabytes of your data.
I'm sure I could do that because I almost never run into a business that realizes that any PC, once logged into the system, is a de facto security hole. All those electronics that we carry with us every day--USB sticks, MP3 music players, smartphones, cameras--can be used to grab data.
The U.S. Government does realize that. As a friend who's in the intelligence community recently told me, "I don't own an iPod, because I can't take it, or my phone, in to work. Or a writable CD, or a USB stick, or ... well you catch the drift."
Exactly. If you really want your data to be secure, you need to make sure that no one walks in or out of the office with any memory storage device. In the 21st century that means pretty much any modern electronic device. You can also try to lock down all but essential ports on your PCs. Either 'solution' has its own set of problems.
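Before locking ports down, it helps to know which storage paths a machine actually exposes. The following is an added example, not part of the original article: a Python script that inventories the optical, USB and memory-card block devices visible on a Linux workstation by reading `/sys/block`. Linux as the platform and the names `classify` and `audit_removable` are assumptions made for illustration.

```python
import os
import re

# sysfs names USB root hubs usb1, usb2, ...; a block device attached over USB
# has one of these as a component of its resolved /sys/devices path.
USB_BUS = re.compile(r"^usb\d+$")

def classify(name, real_path, removable):
    """Return the kind of data path a block device offers, or None if fixed."""
    if name.startswith(("loop", "ram", "dm-", "zram")):
        return None                      # virtual devices, not physical media
    if name.startswith("sr"):
        return "optical"                 # CD/DVD drive (may or may not burn)
    if name.startswith("mmcblk"):
        return "memory-card"             # SD/MMC host; can also be soldered eMMC
    if any(USB_BUS.match(part) for part in real_path.split(os.sep)):
        return "usb-storage"             # sticks, USB disks, USB card readers
    if removable:
        return "removable-other"         # kernel flags the media as removable
    return None

def audit_removable(sysfs_block="/sys/block"):
    """List (device, kind) for every non-fixed block device under sysfs."""
    findings = []
    for name in sorted(os.listdir(sysfs_block)):
        entry = os.path.join(sysfs_block, name)
        try:
            with open(os.path.join(entry, "removable")) as fh:
                removable = fh.read().strip() == "1"
        except OSError:
            removable = False            # attribute missing: treat as fixed
        kind = classify(name, os.path.realpath(entry), removable)
        if kind:
            findings.append((name, kind))
    return findings

if __name__ == "__main__":
    for name, kind in audit_removable():
        print(f"{name}\t{kind}")
```

The listing only covers devices the kernel currently sees as block storage; phones and music players that connect over MTP do not appear in `/sys/block` and need a separate check.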
So, the next time you think, "How could they be such idiots!" just keep in mind how hard it is, with today's technology, to keep data from being stolen. Sure, in the WikiLeaks case, there were lots of mistakes and that was dumb--I mean, come on, why didn't anyone notice just how much sensitive network traffic was going to one location outside of Baghdad?--but it only takes one mole in your company for gigabytes of data to walk out the door. Consider yourself warned.