Security is an interesting thing. Some people get it. Others just have no idea. A few days ago Myrcurial found that a DHS document had been erroneously posted on the Water ISAC site. Mistakes happen lets be fair. But, rather than say “Yup, we goofed. It won’t happen again and here’s why” the rather apt description of the Keystone fellas reared its head, again.
An email was sent out on the SCADA security mailing list instructing folks to cease talking about this issue (thx to anonymous for the copy).
So, being a curious sort I went to the publicly accessible archive to view the message thread so I could catch up on the story.
Only to discover that any message relating to the document posting was now deleted. Guess they might have forgotten that every subscriber on the list also has a copy.
How can one ever hope to have a frank and open discussion about security in the critical infrastructure space when the default action is to close your eyes and bury your head in the sand?
Anyway. So, I decided to go have a look at the archived document on Google. Nope, not there anymore. Guess someone had Google take the link down. Well, that showed me.
Or did it?
Oh right, there are other search engines besides Google. You might of heard of some of them like say a small little site called Yahoo?
Yup, they have an archived copy as well. As will the rest of the search engines out there.
What’s the moral of the story? Once the genie is out of the bottle on the internet there really is no way to get that sucker back in. As our readership from the various three lettered agencies can attest.
WaterISAC and other organizations that have critical infrastructure roles really need to review their document classifications and how things get published to the web. Seriously, this isn’t rocket science. Be a little more careful next time folks.
Oh, and WaterISAC, please turn off directory browsing on your web server.
[tags]WaterISAC, FOUO, DHS, security advisory, boreas[/tags]