When the Brazilian newspaper Correio Braziliense recently published a photo of the FIFA World Cup security center, it also published the network name and password for the center's Wi-Fi network (h/t The Hacker News).
The photo shows Luiz Cravo Dorea, head of international cooperation for the Brazilian Federal Police, standing in front of a bank of computer screens, one of which clearly states, "wifi network: WORLDCUP," followed by the 10-character password, which appears to be "brazil2014" in leetspeak.
Security consultant Augusto Barros tweeted a copy of the image, which has since been retweeted more than 3,000 times.
Although security researchers have been warning of several cyber security issues to watch out for at this year's World Cup, publishing your Wi-Fi password in a newspaper was not one of them.
It's an embarrassing mistake, and it's unfortunately one with several precedents.
Back in 2012, an ESPN broadcast showed two Major League Baseball SSIDs and passwords taped to the wall directly behind the man being interviewed. Later the same year, a series of official photos of Prince William at work with the UK's Royal Air Force exposed several RAF user names and passwords.
And in February 2014, CBS This Morning broadcast the Wi-Fi network name and password for the Super Bowl 2014 security center during a piece spotlighting the security surrounding the event.
As Sophos' Chester Wisniewski notes, there's a very straightforward lesson to be learned from mistakes like this. "Don't write down passwords in public places. ... No sticky notes, white boards, smoke signals, billboards, televisions or even cave walls," he writes. "Oh, and while you are at it, choose a better password than the name of the event you are protecting."
While there are several tools and techniques worth using to ensure that strong passwords are being used throughout your company, none of those will matter if you post those passwords on a whiteboard or computer screen for visiting news photographers to capture.
This all comes down to making your employees aware of simple security issues -- as Lastline co-founder and CTO Giovanni Vigna told eSecurity Planet in a recent interview, "I think there’s an incredibly important and incredibly underestimated value in educating people on security. If you go to a company, you’ll get trained on pretty much everything -- sales, strategies -- but how much training in security will you get?"
Photo courtesy of Shutterstock.