This is a major issue. Had Cubrilovic been a black hat rather than a white hat, he could have produced a malicious extension that Chrome would have accepted as genuine Yahoo code. “There is no suggestion that the private key was stolen – it seems to have just been pure human error,” comments Richard Moulds, VP product strategy at Thales e-Security. Moulds advocates the use of a hardware security module (HSM) to prevent such problems – which, he adds, could be multiplied by auto-updates. “One of the downsides of auto update processes,” he points out, “is that if a new plug-in is published and it contains an error, it could be propagated to a large number of computers very quickly since they all run out and get the new software as soon as it is published.”
The TalkTalk incident was reported in the Register. It involves Greystone Telecom, a subsidiary of TalkTalk, which is “unwittingly sharing customer and contract details with the world.” Once again there is no suggestion of any malevolent act – merely a mistake. “The mistake is a classic,” writes the Register. “Microsoft’s IIS - the server that comes with Windows - is configured by default for anonymous access, and happily allows itself to be indexed (and cached) by the ever-helpful Google crawlers.”
The combination of leaving the default configuration together with Google hacking techniques meant that confidential files were left exposed to whoever came looking for them. “Open FTP servers are nothing new,” reports the Register, “but Google's omniscience makes them far more vulnerable. Where hackers would previously have had to scour random IP addresses in the hope of striking lucky, now they can just get Google to do their heavy lifting for them.”
These two events demonstrate one of security’s great, and not easily solved, truths: the user remains the weakest link.