You remember that famous character? Forrest Gump with his ‘stupid is as stupid does’. This is the setting I saw playing out when the BBC (at https://www.bbc.co.uk/news/technology-68025683) alerted us to ‘US regulator admits cyber-security lapse before rogue Bitcoin post’. This is not a lapse, this is a screwup of the umpteenth order. They give us “The Securities and Exchange Commission (SEC) did not have multi-factor authentication (MFA) in place when hackers gained access to the account.” To give a clear view, and to give you proportions: MFA was a discussed issue at university when I was at UTS 10 years ago. It was invented in 1996, well over a quarter century ago, although it was called two-factor authentication then. It is my speculation, but I think that they left it aside until the call was needed, and that call was clearly needed a decade ago. As such, heads at the SEC need to roll (a Queen of Hearts idea). As such, the quote “cyber-security experts say it should be a wake-up call for other agencies” is equally a joke. Those who aren’t ready need to be sanitised on several levels. There is no boo or bah about it. The fact that it took hackers this long to catch on is perhaps a small blessing in disguise. And then the quote: “While MFA had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the SEC said in a statement. The setting here is the question whether this was an SEC staff request or an X staff request (it could be read either way), but to remove security for access reasons implies stupidity of an unacceptable level. It means that systems were not ready, protocols were not ready, and systems were deployed and configured in unacceptable ways.
Then we get “The SEC has confirmed the account was compromised by a fraudster convincing a mobile operator to transfer an SEC employee’s phone number to a new Sim.” As such, is it purely the fraudster, or is the mobile operator equally guilty? I honestly cannot tell on these facts, but multiple systems were unable to perform because the human element was not correctly set in stone. At present (based on SLAs, or Service Level Agreements) there is a case that the mobile operator did not have the proper hat on, because certain facts might not have been known to the mobile operator. The fact that an SEC phone number got swapped leaves the guilty party somewhere in the middle, but in this I admit that it is based on missing information. That missing information might show who went wrong (SEC or mobile operator). And above all, a properly placed MFA is intended to protect against this kind of hack (and several others). And let’s be clear, this was not a grocery store, this was the SEC that got compromised in this way.
As such, stupid is indeed as stupid does, and I reckon the head honchos in charge there will be upturning every process, protocol and service level agreement in place just to keep their jobs somewhat secure. That might be merely my speculative view, but I personally believe that to be the only step left for those yahoos.
Enjoy the middle of the week.