Thursday, July 3, 2008

Lovely

One of the big stories out of West Virginia today concerns a Charleston-area attorney named Michael Markins.  Mr. Markins was suspended from the practice of law for two years for hacking into the business e-mail accounts of his wife, an attorney at mid-size (for West Virginia) firm Offutt Fisher and Nord, and many of her colleagues.  According to this story from The Charleston Gazette, this occurred from November 2003 to March 2006 and gave Mr. Markins access to confidential information about the firm and (more importantly) a number of its clients.

So what master hacker technique did Markins use to gain access to the accounts?  Exploit a zero-day flaw in OFN’s e-mail server software?  Put password-stealing malware on the laptops of firm attorneys? Use social engineering techniques to convince OFN’s IT staff to give up the passwords?

Not quite:

Markins had discovered that the password to the e-mail account of any OFN lawyer was the lawyer's last name . . . .

I suppose it’s possible that some lawyer or staffer who worked at OFN from November 2003 to March 2006 realized that using your last name as your password for an e-mail account that contains confidential info is an insanely insecure practice and mentioned that fact to someone with decision-making authority, only to be ignored.  Therefore, I’m not going to straightaway brand everyone who worked at OFN during the period with the label “shockingly incompetent dumbass” (“SID”).  Instead, I’m just going to adopt a rebuttable presumption that anyone who worked at OFN during the period was and continues to be a SID and leave it at that.
