Steel doors and jelly locks

Security, of any type, requires more than just sophisticated equipment. It requires a thought process commensurate with the potential loss. If your financial system is important to your organization, then it must be secure. Sounds like motherhood and apple pie. I’d like to introduce you to Mr. Finn.

James Finn has an interesting way of making a living. He’s a cyber thief. He’s broken into more than 200 companies around the world, everything from banks and factories to airlines and insurance companies. What’s worse, he’s never failed in an attempt to electronically infiltrate an organization. Chances are almost certain he could break into your system. How do your stockholders feel about that?

Luckily for us, he’s not behind bars… (well, that’s not entirely true; some of his best work is done in bars – more on that later). Mr. Finn is a principal of the Unisys Enterprise Security Practice and is available for hire. He performs two simple services. First, he demonstrates the ease with which a cyber crook can crack payroll, financial or research databases. He then describes what we can do about it. The bad news is, there isn’t much we can do about it. Our systems are inherently insecure.

Mr. Finn is overworked. Cyber crime is on the rise. In February of this year, the FBI reported 17,672 hacking attacks in 2000, a 79 per cent increase from 1999. On top of this news is the growing belief that at least 80 per cent of computer crime goes unreported or undetected. Putting a dollar figure on all of this suspicious activity is a hopeless cause. No one wants to admit to having lost money due to cyber theft, especially financial institutions, which depend on their “trustworthy” image to survive.

The first inclination is to throw the latest and greatest technology at the problem, and hope it goes away. It doesn’t, because the technology is seldom the problem, or if it is, those problems are comparatively easy to solve. If the backdoors haven’t been closed? Close them. If the data isn’t encrypted? Encrypt it. If you find a problem? Fix it.

Sounds easy, simplistic, even condescending, but what happens in real life? Mr. Finn reports that an exposure of client account passwords was identified on the E*Trade system. The friendly hackers reported this security breach to E*Trade. A month later the data was still readily available. In retaliation (frustration?), the hackers published the information on the Internet. Who’s at fault here? The friendly hackers? Or E*Trade? Is this a fault of the technology or of the management of technology?

Our friend Finn has found that technology does, sometimes, present an impenetrable steel barrier between himself and the databases. When this happens, he heads for the bar, not to drown his sorrows, but to find the jelly locks that’ll lead him into our systems.

In casual conversations at bars close to his current target, for the price of a beer or two, he collects a wealth of information. Business cards provide user IDs in the form of e-mail addresses. The names of spouses, children, pets and hobbies, all provide possible passwords. Despite all the Hollywood movies showing how easy it is to guess what a password might be, we haven’t changed our behaviour to make guessing more difficult.

If all else fails, then Mr. Finn gets dressed up in his work clothes and rummages through garbage bins for things that should have been shredded but weren’t.

Based on his experience, Mr. Finn doesn’t believe we can achieve a perfect level of security. He does believe that if we follow what we already know to be good practices, we can significantly increase existing levels of security.

It should be obvious from all of this that security is seldom a top-of-mind concern; we’re all too ready to give information to those we trust. At conferences I’ll often point out that many of us use the same password for multiple login IDs. To demonstrate my point, I’ll ask for a show of hands, and half the room will raise their hands in agreement.

I’ll also ask for a show of hands of how many people use their spouses’ names as a password, and again get a large show of hands. I point out, with an evil grin, that they’ve just given away their passwords for several of their systems, not only to me, but to the whole conference. Lesson? Never trust a speaker.
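The two habits Mr. Finn exploits in the bar and that the show of hands confirms (passwords built from spouses, children, pets and hobbies, and the same password reused across systems) are both things a system can refuse to accept at the moment the password is chosen. The following is an added illustration, not code from the column or from Unisys: a password-acceptance check that rejects anything containing words from the user’s own profile (including digit-for-letter spellings such as “R0ver”), anything containing a four-digit year, and anything matching a salted hash of a password the user has used before. The profile, the password history and the length threshold are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed example profile: exactly the sort of detail a stranger can
# collect over a beer or read off a business card.
USER_PROFILE = {
    "user_id": "jsmith",
    "name": "John Smith",
    "spouse": "Mary",
    "children": ["Emily", "Jack"],
    "pets": ["Rover"],
    "hobbies": ["sailing", "golf"],
}

MIN_LENGTH = 12  # assumed policy value for the example

# Common digit/symbol-for-letter substitutions that do not make a
# guessable word any less guessable.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def profile_tokens(profile):
    """Every word of three or more letters that appears anywhere in the profile."""
    tokens = set()
    for value in profile.values():
        for item in (value if isinstance(value, list) else [value]):
            for part in re.split(r"[^a-z]+", item.lower()):
                if len(part) >= 3:
                    tokens.add(part)
    return tokens


def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256 digest; used only to keep a history of old passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store(password):
    """Return a (salt, digest) pair suitable for the user's password history."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def matches_history(password, history):
    """True if the candidate equals any previously stored password (constant-time compare)."""
    return any(hmac.compare_digest(hash_password(password, salt), digest)
               for salt, digest in history)


def password_problems(password, profile, history):
    """List every policy violation for a candidate password; an empty list means accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Compare against the profile both as typed and with substitutions undone,
    # so "Mary1972!" and "R0ver2020" are both caught.
    lowered = password.lower()
    normalized = lowered.translate(LEET)
    for token in sorted(profile_tokens(profile)):
        if token in lowered or token in normalized:
            problems.append(f"contains profile word '{token}'")

    for year in re.findall(r"(?:19|20)\d\d", password):
        problems.append(f"contains year {year}")

    if matches_history(password, history):
        problems.append("reused a previous password")
    return problems


if __name__ == "__main__":
    previous = [store("correct-horse-battery-staple")]
    for candidate in ("Mary1972!", "R0ver2020", "correct-horse-battery-staple", "xq9-Tulip-Harbour-41"):
        print(candidate, "->", password_problems(candidate, USER_PROFILE, previous) or "accepted")
```

The profile-word check is the defensive mirror of the conversation in the bar: the same list of names that makes a password easy to guess is available to the system at enrolment time, so it can refuse those passwords outright. The history check uses a salted, slow hash so that keeping old passwords around to detect reuse does not itself turn into a store of recoverable passwords.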

de Jager is a sneaky speaker on management issues relating to technology. Contact him at