Too good to be true…

I was talking to an old friend at the recent Mobility Day held at the Microsoft Office near Boston and he brought up an incident that I have seen happen to others.  I realized though that it isn’t something talked about often so it seemed like perfect blog fodder.

He told me of working with a large bank in Boston (that doesn’t really narrow the list down) where outsourcing was literally a requirement based on the budget.  The code for the bank system was developed by a Russian firm that showed great talent.  Unfortunately they also showed great talent for deceit.  The code delivered had 3 backdoors in it that would have allowed easy access to account data and possibly to money.  After a very wise line-by-line code review and the removal of the offending code, the system was deemed safe.  How often has this happened without it being caught?  The X-Files premise, “Trust No One”, is actually correct.  I don’t mean to indicate that only off-shore firms would do this, quite the contrary, but I think the odds go up based on how subject to prosecution the developers would find themselves if discovered.

This also brings up what I think is the biggest fantasy of all.  The one that asserts that open source code is inherently more secure than commercial software.  We have examples from the last 12 months where some of our selfless open source contributors were not so selfless after all.  It should be no secret based on the main subject of my entire blog that I think that security is the place where all the action will be in the next 5 years.  This translates to where all the cost will be as well.

My point is that you must truly Trust No One.  If you decide to use open source because it is cheaper, then you are deluding yourself unless you include the cost of doing a complete, line-by-line code review before implementing it.  The advantage of using commercial / proprietary products is that if you buy it from a company, and you make sure it is one that you can sue for enough money to matter if they put in a backdoor, then that is your hedge against the threat.  Always ask yourself the question of what is preventing this developer from putting in a backdoor.


Physical Security not a high enough priority…

We regularly do network and application reviews for customers to make sure they know where the security problems are hiding.  I kind of expect to find servers unpatched, applications accepting unvalidated user input and the raft of standard security faux pas on both the network administrator and developer sides of the house.  What gets me every time is when I see physical security ignored or given token attention.

I was once teaching a class on SQL Server when a student jumped up and ran from the room, not to be seen again for 2 days.  I asked what I had said wrong and was told that 16 of his servers had been stolen out of their datacenter.  The datacenter in question had been on the 1st floor and had windows that the thieves broke, taking the machines at their leisure.  This is an extreme case and it happened back when SQL Server 6.5 was still a new product, but you would be surprised how many companies are still largely ignoring physical security.

Over 50% of hacking is done from the inside.  Physical possession is the ultimate vulnerability.  Unless your system is secured far beyond what is customary, using technologies like encrypted file systems, anti-tampering devices and the like, then tools like L0phtCrack will give up the goods in a relatively short period of time.

Take another look at your physical security.  You might have a really solid server room with a locked door, but if the hinges can be removed from the outside, how is that going to deter the soon-to-be ex-employee from liberating a server over the weekend?

In our company we send out emails at intervals to the staff reminding them of how to avoid unleashing a virus on the network.  We do this before we get nailed by the latest in exploits.  I suggest you remind yourself and your staff about physical security in the same way: regularly and proactively.  The job you save may be your own!

If you have a physical security horror story you would like to share, then please do so via the comments.

TechEd style Cabana comes to New England…

Thom Robbins has worked with Chris Pels (and myself, as lazy consultant) to create an event that I expect to become as popular as the Code Camps!  They are called Cabanas (all the best ideas are stolen anyway) and the first will be held in the Microsoft office in Waltham (outside Boston).

To register, go here.

Hope to see you there!