So here’s a funny story: Detroit Tigers General Manager Dave Dombrowski goes on TV from the press room at Comerica Park to discuss the suspension of Tigers outfielder Delmon Young — in full view of a sign declaring the SSIDs and passwords of some local Wi-Fi networks. This clip ran on ESPN’s Baseball Tonight, presumably in front of millions of viewers. That’s probably how this screengrab ended up on Reddit, which in turn ended up on Bruce Schneier’s blog.
Check the picture: You can clearly see the two SSIDs — MLB-Press and MLB-Photos — along with their respective passwords, BWAA#2012 and Photo#2012. (BWAA isn’t a random alphanumeric string, by the way; it’s an incorrect abbreviation of Baseball Writers Association of America, lest you think the Tigers IT staff were trying to make the password less obvious.)
Now, I’m certain Dombrowski gave not two seconds’ thought to network security when he posed for his television stand-up; he had bigger things to worry about. But I’m also equally certain that the Tigers IT staff doesn’t have a contingency plan in place for “local Wi-Fi credentials get broadcast on national television.”
The Wi-Fi networks are non-sensitive, to be sure, as most sports venues offer dedicated and separate wireless access for the press, often with a standalone high-bandwidth connection for photographers to upload large images and video files during the game. Signs like the one captured in the background of the above photo are found in almost every major sports team’s press room, not just Detroit’s. It’s extremely unlikely the publication of these credentials put the Tigers organization at any risk of a serious security breach.
That said, everyone within a hundred feet or so of the Comerica Park press room can now snag a chunk of free Wi-Fi bandwidth, which means if somebody wanted to prevent the local press from getting online during the next Tigers game by playing bandwidth hog — or simply wanted a nice fat pipe to anonymize their own nefarious outbound traffic — Mr. Dombrowski just gave them exactly what they need. And he didn’t know it. There are hackers out there who would want to spike the Tigers Wi-Fi network just because the team was dumb enough to throw login credentials out on TV, either for the attention or because the hackers bizarrely consider making an example of dumb enterprise security a public service. In either case, the Tigers computer staff just got sucker-punched through no real fault of their own.
That’s the point.
User error can’t be predicted. Neither can all your risk vectors. Eventually, something will get exposed, corrupted or deleted in a way you never expected, and you’ll have to clean up the mess. That’s the nature of IT security and data integrity.
Hope you’ve got a good backup plan.