Bill Mew is interviewed about a report from a security analyst that failure to secure Trello boards has exposed information from government teams in both the UK and Canada.
This isn’t the first time that people have made this mistake and it won’t be the last. It demonstrates that, whatever the central policy, it is user behaviour that is often the weak link.
There are many messaging and collaboration platforms. Trello happens to be one that is often used by development teams. The default setting for Trello boards is private. At some point one of the people managing each board must have changed this to public – a blunder nobody in devops should make, but it just shows that even the most sophisticated users (who should know better) often make careless mistakes.
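Because a board only becomes exposed when someone flips it from the private default to public, the practical control is to audit board visibility regularly. The script below is an added example, not code from the article or from Trello; it assumes the Trello REST API returns each board with a `prefs.permissionLevel` field (values such as `private`, `org`, `public`) and runs here against a constructed sample rather than a live account.

```python
"""Audit Trello board visibility and flag boards whose permission level is 'public'."""
import json
import urllib.parse
import urllib.request

# Assumed Trello REST endpoint listing the boards the token's owner can see;
# verify against the current Trello API documentation before relying on it.
BOARDS_URL = "https://api.trello.com/1/members/me/boards"


def find_public_boards(boards):
    """Return (name, url) for every board whose prefs.permissionLevel is 'public'.

    `boards` is a list of board objects shaped like the Trello API response;
    only the 'name', 'url' and 'prefs' keys are read, missing keys are tolerated.
    """
    public = []
    for board in boards:
        level = board.get("prefs", {}).get("permissionLevel", "unknown")
        if level == "public":
            public.append((board.get("name", "?"), board.get("url", "?")))
    return public


def fetch_boards(api_key, token):
    """Fetch boards live (needs network plus a real key/token, neither supplied here)."""
    query = urllib.parse.urlencode(
        {"fields": "name,url,prefs", "key": api_key, "token": token}
    )
    with urllib.request.urlopen(f"{BOARDS_URL}?{query}", timeout=10) as resp:
        return json.load(resp)


# Constructed sample mirroring the assumed API response; these are not real boards.
SAMPLE_BOARDS = json.loads("""[
  {"name": "Release planning", "url": "https://trello.com/b/aaa111/release-planning",
   "prefs": {"permissionLevel": "private"}},
  {"name": "Onboarding checklist", "url": "https://trello.com/b/bbb222/onboarding",
   "prefs": {"permissionLevel": "public"}},
  {"name": "Infra runbook", "url": "https://trello.com/b/ccc333/infra-runbook",
   "prefs": {"permissionLevel": "org"}}
]""")

if __name__ == "__main__":
    # Swap SAMPLE_BOARDS for fetch_boards(key, token) to audit a real workspace.
    for name, url in find_public_boards(SAMPLE_BOARDS):
        print(f"PUBLIC board: {name} ({url})")
```

Run the output through whatever alerting the team already uses; a board appearing in this list is the moment to flip it back to private and review what it held.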
This problem is not unique to the public sector though – Uber and other private sector firms have been warned in the past that their Trello boards were public.
In these incidents it was a white hat (ethical) hacker that found the errors and alerted the appropriate authorities. It could easily have been a black hat (criminal) hacker that found them and this could have resulted in exploitation.
Some passwords were exposed – thankfully none that were of great significance. Further education is required and the owners of these Trello boards will be reprimanded for sure.
‘Carelessness’: @BillMew explains how users are often the weakest link in #security terms, following a report that #devops teams in the UK and Canadian governments left ‘sensitive data’ exposed to the public on @trello boards @RT_com https://t.co/u9Hq2iRIXC pic.twitter.com/oObNOiyXD7
— Bill Mew (@BillMew) August 24, 2018