Really, when I've heard about it first, I was like "ah, come on, I am sure the journalists are just mis-reporting it; nobody is that dumb in their approach to system security."

Well, they really were that dumb.

Honestly, from the "blatant disregard of common sense", this is very, very high on the list (many in security agree, some in IT disagree). This is where the words "a huge data security risk" really sound like a mild understatement. 

But you know what is the most scary about this case? The fact that there are MANY organizations who manage their networks the same way: one admin with ALL the access and NONE of the monitoring.

One person + ALL access + NO accountability = you are screwed!

Also, in light of this, do you still think that "insider attacks" is some kinda security vendor propaganda? Well, go tell Terry Childs that :-) Even though some people still think that he is a good guy (more on that on Slashdot)

What also caught my attention is that some retard called his bail ($5m) "ridiculously high." Well, if he was an outside hacker, say a Romanian script kiddie, jailed for hacking SF network, would they release him for $5m? Maybe not!  Now, do you get that this case is actually MUCH WORSE! Hacker might have gained access to many assets; this guy did have access.

So, think, think, think: CAN YOUR SYSADMINS "0WN" YOUR BUSINESS? (BTW, some people think that IT "owns" you already!)

Are you OK with it?

If not, do something - start logging and monitoring (and then controlling) their actions! If you think you cannot control them, then just monitor; if you think you can neither control nor monitor, then at least log them so they will know that there will be enough good evidence to let them rot in jail for many years ... Or, if you prefer an easier alternative, stop calling your business YOUR business.

Possibly related posts:

• "Protecting logs from admins"

Well, imagine that. I received this email at 9:31 am yesterday from the marketing folks at Infosecurity Canada.

Sorry Dave…I will make arrangements for a badge to be ready for pick up at pre-registration.

Um, yeah see I was on the other side of the city. At least Myrcurial is on the ground. Maybe he’ll grace us with an update.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. Banks slip through virus loophole | The Guardian UK
2. Danish filter catches Romanian child-porn sites | Computer World
3. City officials confident information is secure (This is funny. They’re claiming 15 char password is secure. Sigh)| Belleville Intelligencer
4. Sophos assists Computer Crime Unit in bringing botnet master to justice | Sophos Press
5. U.S. warns on Olympics computer security | UPI
6. Lawmakers accuse China of hacking computers | Reuters
7. China denies hacking into US computers | Associated Press
8. Customer fears grow after mass hacking of retail website | Customer Strategy
9. Online medical records offer convenience, may limit privacy | USA Today

Tags: News, Daily Links, Security Blog, Information Security, Security News