New Zealand’s biggest kept secret wasn’t kept that secret recently. Budget 2019, supposedly the Wellbeing Budget, but more likely the Coalition Carrot Budget, managed to fall into the hands of the enemy two days before it was due to be announced. Despite everyone ducking for cover or washing their hands of the responsibility for it being leaked, the fact is that it ended up in the National Party’s clutches because of sloppy security. It will forevermore be known as the Budget Smuggling Incident!
How it was done is not rocket science. National Party aides simply entered 2019/2020 into the search engine, giving them access to secret and potentially market-sensitive information. Apparently, a test version of Treasury's website with the new Budget documents was accidentally indexed and some of these documents were found using the public search bar.
I’d bet my next week’s wages on the scurry that’s going on in most government departments to rapidly improve security on every file, not just sensitive, or potentially sensitive, documents in their possession right now. Just to be on the safe side. Public servants everywhere must be working long hours to stay ahead of the opportunists out there. Just in case.
But it’s not just file names and URLs that get targeted. We occasionally receive emails from clients telling us that some random person or bot has tried to infiltrate their system by adding “…/admin” onto their URL, admin as the user name, and then ticking the “Forgot Password” button. This triggers an email to go to the legitimate email address of the client’s organisation. Fortunately, this in no way breaches the client’s site security. Phew. “Admin” as a user name is the most commonly used login, however Expert no longer uses “admin” as a user name for new clients’ sites and we are changing the user name to something else (chosen by the client) for many of our existing clients. Contact us if you’d like yours changed.
Interestingly, when a potential access breach occurs, the immediate reaction by the affected client is to change their password. Commendable, but not necessary, though it’s always good to change passwords from time to time. Even more interesting though, is the replacement password chosen – it is frequently such an obvious choice that anyone could second-guess it, given a few attempts, just like what happened with the 2019 budget.
Despite all the horror stories about password breaches circulating in the media, most people still don’t seem to get it. Make your password secure – include a mix of cases, letters, numbers and symbols and don’t use your organisation’s name in any part of it. Or a year, i.e. 2019. And if you can’t cope with having to remember lots of complicated passwords, consider using a password manager.
To learn more about on-line security, here are a couple of blogs we’ve written about password protection which you might find helpful.
Password Managers
Collection #1