Look what the feds left behind…

So what conference was on in this auditorium before NSConference? Well, why don’t we just read the documents they left behind?

folder.jpg

Ooops. While there’s nothing at higher clearance than Unrestricted inside, all of the content is marked internal eyes only (don’t worry, feds, I didn’t actually pay too much attention to the content. You don’t need to put me on the no-fly list). There’s an obvious problem though: if your government agency has the word “security” in its name, you should take care of security. Leaving private documentation in a public conference venue does not give anyone confidence in your ability to manage security issues.

Oops. (updated twice)

Q: What caused this?

A: this. A Vodafone employee used the corporate Twitter account to post the message:

[@VodafoneUK] is fed up of dirty homo’s and is going after beaver

And as the Vodafone apology attests, this was no hacking attack, instead a case of TGI Friday on the part of an employee. This goes to show that you don’t need an external attacker to ruin your corporate image if you hire the right staff.

Update: according to an article in the Register, the problem tweet was caused by an employee on a different team in the same office misusing an unlocked terminal with access to Vodafone’s Twitter account. They have fired the employee, but no word on whether they’re reviewing their security practices. I’m reminded of the solution taken to combat safe-cracking at LANL when Richard Feynman showed how easy it was to open the safes with their confidential contents: don’t let Richard Feynman near the safes.

Update again: Vodafone’s official reply:

On Friday afternoon an employee posted an obscene message from the
official Vodafone UK Twitter profile. The employee was suspended
immediately and we have started an internal investigation. This was not
a hack and we apologise for any offence the tweet may have caused.

This sounds like there’s the potential for their practices to be altered as a result of their “internal investigation”, hopefully they’ll make more information available. It would definitely make an interesting case study on responding to real-world security issues.