We don’t talk politics…

This week there has been some breaking news about Vice Presidential candidate Sarah Palin’s Yahoo e-mail account being compromised. We’re not here to discuss the politics, but the security. Part of this story does revolve around the politics; Mrs. Palin has been accused of using free e-mail services to conduct government business – because it is not subject to the same monitoring and archiving as government e-mail.
That’s where the inclusion of politics ends.
The point I want to make is that no matter how hard you try to keep data (or bending of the rules) inside your organization, at some point those protections are bound to fail. Why? Because someone always builds a better mousetrap, and someone always builds a better mouse.
Consider some examples we’ve seen in the past, the latest being the e-mail controversy. The government installed the ability to monitor and archive e-mails for accountability, so officials (allegedly) take their e-mail elsewhere. You place epoxy in your USB ports to keep intellectual property internal to the company, and the staff use firewire drives to do the same. You epoxy the firewire, and they e-mail it. You install a (signature based, and therefore only as good as its signatures) e-mail content scanner, so the staff use places like Amazon S3 to upload it instead. You block file sharing websites, proxies and so on. The staff set up a server on one of these and use a crossover cable to connect and upload the content. I think you get the drift. The story never ends.
Now, that’s not to say that appropriately managing your risk in these types of situations isn’t appropriate. By all means, practice defense in depth! Sometimes just a little bit of defense is enough to discourage the casual offender, which may be just enough. But no matter how much you defend (even to the point of making it too secure, i.e. unusable), the person willing to go the extra mile with the mini-pc and crossover cable will always be willing to go that extra mile.
The point? Evaluate and manage your data exfiltration risk to an appropriate level; there is a diminishing return on each additional control! Then develop an appropriate and comprehensive method of dealing with a breach when it does happen.
…because it will eventually happen.
– L

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times and with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEF CON, and having his RFID implant cloned on stage at ShmooCon. Larry is also a Principal Instructor and Course Author for the SANS Institute for SEC617: Wireless Penetration Testing and Ethical Hacking and SEC556: IoT Penetration Testing. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.
