The recent IT cock-up at ACS:Law, a law firm specialising in pursuing intellectual property theft, has now made public what senders and recipients clearly assumed would be private for ever. ACS:Law's website was left misconfigured so that anyone visiting the home page could right-click and download an entire tar.gz archive of the firm's email. Individuals have since taken the database of emails and built websites (e.g. http://ueof.co.uk/acslaw/ [now offline]) allowing various groups to mine the data.
A sample of the data included:
- national insurance numbers
- bank account details
- data that would be classified as personal information
- and a great many internal emails that may well prove inflammatory in the hands of regulators and of groups opposed to this firm.
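The root cause above is a hosting misconfiguration: a backup archive sitting inside the web document root, where the web server serves it like any other static file. The script below is an added example, not code from the original post or from anyone involved; it walks a document root and reports any file whose name ends in a backup or archive suffix, which is the check a hosting team or a tester should run before worrying about anything more exotic. The suffix list and the sample document root it builds in a temporary directory are constructed for illustration.

```python
"""Find backup archives and mail dumps sitting inside a web document root.

Added example: anything a web server can read under its document root is
served to the public unless access is explicitly denied, so stray backups
there are a data breach waiting for someone to guess or be shown the name.
"""
import tempfile
from pathlib import Path

# Suffixes that backups, dumps and mail stores commonly carry.
# Constructed list for this example; extend it for your own environment.
RISKY_SUFFIXES = (
    ".tar.gz", ".tgz", ".tar", ".zip", ".7z",
    ".sql", ".sql.gz", ".bak", ".old", ".mbox",
)


def find_exposed_archives(webroot, min_size=0):
    """Return a sorted list of (relative_path, size_in_bytes) for every file
    under ``webroot`` whose name ends with one of RISKY_SUFFIXES and whose
    size is at least ``min_size``.  The comparison is case-insensitive so
    BACKUP.ZIP is caught as well as backup.zip."""
    webroot = Path(webroot)
    hits = []
    for path in webroot.rglob("*"):
        if not path.is_file():
            continue
        if not path.name.lower().endswith(RISKY_SUFFIXES):
            continue
        size = path.stat().st_size
        if size >= min_size:
            hits.append((path.relative_to(webroot).as_posix(), size))
    return sorted(hits)


def build_sample_webroot():
    """Construct a throwaway document root (sample data, not a real site):
    a normal site plus a backup archive and an old mail store that should
    never have been placed there."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<html>home</html>")
    (root / "css").mkdir()
    (root / "css" / "site.css").write_text("body{}")
    # gzip magic bytes followed by padding, standing in for a real archive
    (root / "backup.tar.gz").write_bytes(b"\x1f\x8b" + b"\x00" * 1024)
    (root / "old").mkdir()
    (root / "old" / "mail.mbox").write_bytes(b"From someone@example.invalid\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel_path, size in find_exposed_archives(sample_root):
        print(f"EXPOSED {rel_path} ({size} bytes)")
```

Run it against the real document root (for example `find_exposed_archives("/var/www/html")`) rather than the sample; any hit should be moved outside the web root, not merely renamed, since directory listings and search engines both find renamed files. Pairing this with a server rule that denies the same suffixes gives defence in depth for the day someone copies a backup in by hand again.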
Clearly, communicating the level of risk inherent in a system's configuration should be part of the work security researchers do, but all too often I see penetration testers chasing the sexy exploits rather than informing the business of the actual risk. It takes skill for a security consultant to communicate risk in terms the business will understand without scaremongering.
One client of mine has just implemented a "Secure Email" system using Cisco IronPort. The Cisco product is market-leading and has been implemented in a robust way. However, the pen tester (not us!!) brought in to look at the system focussed primarily on the Cisco product and, to their credit, found some sexy-yet-minor information and data leakage vulnerabilities. However, they totally failed to advise their client about the wider picture and thus missed the client-built bespoke add-ons that were full of holes.