“Never attribute to malice that which can adequately be explained by Stupidity.”
by Dave Kennedy
We humans introduce risk regardless of our good intentions. We security types tend to be a paranoid lot, thinking every unfortunate event is evidence that someone is out to get us. Yet we are regularly reminded of Hanlon’s Razor, quoted above. Recently we have had two high-profile “oopsies” that demonstrate the premise of Hanlon’s Razor, namely that not every bad outcome has an evil-doer behind it.
Last week, a colleague at Verizon Business wanted to inform his customers and colleagues that we had published a supplement to our Data Breach Investigations Report. He crafted an e-mail message and used a list of addresses from a public (non-Verizon) website for the “To:” line in Outlook. Oops. He had intended to use the blind carbon copy (BCC) address line to ensure the privacy of the recipients, but this did not happen: every recipient could now see every other recipient’s address. Certainly, in this case, his actions counted more than his intentions. Of course, he knows this is an easy-to-make error and thus one to guard against. The earliest instance I’ve found of this BCC mishap dates back to 2001, but we can be pretty sure this mistake is older than that.
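Since the mistake is easy to make and hard to undo, the guard belongs in front of the “Send” button rather than in the sender’s memory. The following is an added example, not code from the original post or from Verizon: it parses an outbound message with Python’s standard `email` package, counts the recipients exposed in To:/Cc:, refuses the message when more than a small number of addresses outside the sender’s own domain would be visible to everyone, and offers the rewrite that moves them into Bcc:. The domain name `example.com`, the threshold of 5, and the sample message are all assumptions for illustration.

```python
"""Pre-send guard for the BCC mistake described above.

Added example, not code from the original post. OWN_DOMAIN, the
threshold and the SAMPLE message are assumed values for illustration.
"""
from email import message_from_string, policy
from email.utils import getaddresses

OWN_DOMAIN = "example.com"       # assumed: the sender's own domain
MAX_VISIBLE_EXTERNAL = 5         # assumed: tolerable number of exposed outsiders

# Constructed sample: six outside addresses plus one colleague, all in To:.
SAMPLE = """From: sender@example.com
To: a@one.org, b@two.org, c@three.org, d@four.org, e@five.org, f@six.org, g@example.com
Subject: DBIR supplement published
Content-Type: text/plain

Constructed sample body; not the original announcement.
"""


def parse_message(raw):
    """Parse an RFC 5322 message string into an EmailMessage."""
    return message_from_string(raw, policy=policy.default)


def _addresses(msg, *headers):
    """Lower-cased addresses found in the named headers (empty if absent)."""
    values = []
    for h in headers:
        values += msg.get_all(h, [])
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def visible_recipients(msg):
    """Recipients every other recipient can see: To: and Cc:."""
    return _addresses(msg, "To", "Cc")


def bcc_recipients(msg):
    """Recipients hidden from each other: Bcc:."""
    return _addresses(msg, "Bcc")


def exposed_externals(msg, own_domain=OWN_DOMAIN):
    """Visible recipients whose domain is not our own."""
    suffix = "@" + own_domain.lower()
    return [a for a in visible_recipients(msg) if not a.endswith(suffix)]


def check_privacy(msg, limit=MAX_VISIBLE_EXTERNAL):
    """Return (ok, reason); ok is False when too many outsiders are exposed."""
    ext = exposed_externals(msg)
    if len(ext) > limit:
        return False, (f"{len(ext)} external addresses visible in To:/Cc:; "
                       f"move them to Bcc: or send individually")
    return True, "ok"


def move_visible_to_bcc(msg, keep_visible=None):
    """Rewrite in place: keep one address in To:, push everyone else to Bcc:.

    By default the sender's own address stays in To:, the common pattern
    for a one-to-many announcement.
    """
    keep_visible = (keep_visible or str(msg["From"])).lower()
    hidden = [a for a in visible_recipients(msg) if a != keep_visible]
    del msg["To"]
    del msg["Cc"]
    del msg["Bcc"]
    msg["To"] = keep_visible
    if hidden:
        msg["Bcc"] = ", ".join(hidden)
    return msg


if __name__ == "__main__":
    m = parse_message(SAMPLE)
    ok, reason = check_privacy(m)
    print("before:", ok, reason)
    move_visible_to_bcc(m)
    print("after: ", check_privacy(m), "| hidden:", bcc_recipients(m))
```

The check deliberately counts only addresses outside the sender’s domain: a large internal distribution in To: is a nuisance, while a large external one is the disclosure the post describes. A mail client plug-in or an outbound transport rule is the natural place to run `check_privacy`; the rewrite is offered as a convenience, not applied silently, so the sender still decides.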
This issue really spun out of control internally when partially complete reports began circulating. A quick Google search for “Verizon Business” and “e-mail” led to a blog entry titled “Clickjacking attack info revealed; Verizon plays fast and loose with the wrong 1,200 e-mail addresses.” Oops. Without taking the time to read the actual blog article, some folks turned this into “we’ve been the victim of a clickjacking attack.” This belief then began to circulate among some of the security teams here. At this point, the logic went along these lines:
• Something bad has happened.
• Clickjacking is all over the news as the latest, greatest threat in Internet security.
• Therefore, something bad was caused by clickjacking.
Still others applied Occam’s Razor, which plays out this way:
• We’re sending out a mail storm.
• Mail goes out through Exchange.
• Occam’s Razor stipulates that the simplest explanation is probably the best one.
• Therefore, we must be having problems with our Exchange server. Oops.
The RISK Team here at Verizon Business routinely sees reports of the latest, greatest risk to Internet security, and reports of it being in the wild. More often than not, the latest risk is not the greatest, nor is it in the wild in any meaningful way. So reports of Verizon Business, indeed a security professional at Verizon Business, being the first known victim of a clickjacking attack were met with a measure of skepticism. Fortunately, we had a global RISK review conference call scheduled the same day. Doubly fortunate, a close co-worker of the e-mail’s sender attended the call, and we were able to sort through to the facts quickly. Oops.
Don’t you just hate it when facts get in the way of a perfectly juicy rumor?
But why, you may ask, was the e-mail repeatedly re-sent, a reported 17 times? There are over 32,000 of us here. You might, therefore, imagine that e-mail storage is one of the challenges faced and conquered by our IT department. You might imagine that we learn to save our e-mails locally in an archive or Outlook PST folder so as to avoid bumping into “your mailbox is full” warnings. You also might imagine that well-intentioned individuals sometimes create Outlook rules to help with this, and that one of those rules resulted in this particular e-mail generating a storm. Again, oops.
Humans introduce risk, and not all mail storms are the work of the Unimailer.
Cisco has also had a reminder of a well-intentioned “oops,” when someone’s music CD was used as the master for mass duplication of a support CD for some VPN hardware. Neither industrial espionage nor a deliberate reputation attack was behind this error, just someone who listens to music at work. Oops.
“It’s not paranoia when someone really is out to get you” is the aphorism based on a remark from former Secretary of State Henry Kissinger. But we need to bring our critical thinking skills to work every day. Unfortunately, digital communications do not prevent a game of telephone; indeed, they make it run at the speed of light. Both Hanlon’s and Occam’s Razors are indispensable tools that security professionals cannot risk being without.
Tags: Information Security, risk, security