October 19, 2004

The insider exists and occasionally gets caught

Invariably when I start talking about the insider threat I am bombarded with e-mails telling me that I have it all wrong and that the wily hacker on the Internet is the real danger.

On cue comes the news that in Italy the Post Office was ready to be defrauded of 20 million euro thanks to an employee in the Naples area. The article is sadly in Italian, but I've put together a quick translation for the benefit of curious English speakers.

The interesting paragraph is the following (my emphasis):

Secondo la polizia postale di Pescara che ha svolto le indagini la banda, con il concorso di un impiegato postale del napoletano, era riuscita a entrare nel sistema informatico che gestisce il deposito e i movimenti di denaro delle Poste attraverso l'intercettazione abusiva di codici e password riuscendo a simulare operazioni di cassa in favore di conti correnti postali appositamente aperti da diversi complici negoziatori in altrettante zone d'Italia.

which translates roughly to (again my emphasis):

According to the postal police in Pescara, which was responsible for investigating the crime, the gang gained access to the IT system which manages the deposits and transfers of the Post Office with the help of an employee in the Naples area. Access was gained via unauthorised sniffing of user ids and passwords, thereby managing to simulate cashier operations in favour of other postal accounts which were opened by accomplices in a number of Italian regions.

Besides the relief at the fine work of the postal police, we should focus on the fact that user ids and passwords were allegedly sniffed off the wire. This is not your "Joe Average" shoulder-surfing the passwords of colleagues but someone with a certain amount of skill.

The obvious question which should be asked is: why exactly were the user ids and passwords being transmitted in the clear? This is 2004; SSL has been around for a few years now (not to mention many other encryption protocols).

Posted by arrigo at October 19, 2004 11:49 AM