Another object lesson, if one is needed, that security by obscurity (and fairly transparent obscurity at that) simply doesn’t work.
At the tail end of last week, journalist and historian Bram Talman managed to publish the Dutch National budget for 2012 via Twitter, a document that is not due to go before the Dutch parliament until tomorrow.
While some of the news reports describe the incident as “hacking”, there is nothing complex about it at all. In Mr. Talman’s own words, he simply made an informed guess at the URL where the document would be hosted, typed it into a browser, and there it was in all its glory:
“Last year the name of the website was miljoenennota.prinsjesdag2010.nl. I simply replaced 2010 with 2011”
The following day he tweeted that he had uncovered the budget of Utrecht in the same way.
While there are many technologies that can help with securing sensitive data (encryption, data leakage prevention, intrusion prevention and web application firewalls, to name just a few), one of the key steps in making sure a confidential document stays confidential is not hosting it on a public website…
According to the Irish Times, Mr Rutte, the Dutch Prime Minister, was quoted as saying: “The leak is extremely irritating and unfortunate.” The IT company, Facetbase, said the cause of the embarrassment had been human error, which it very much regretted. Normally, said its head of crisis management, Peter van der Maat, a fake version of the new document would be put online until the real one was ready – but that had not happened.