On the latest “Smashing Security” podcast, special guest Anna Brading told us the story of Rebekah Jones – the architect of Florida’s COVID-19 dashboard, who was fired after refusing to follow requests to manipulate the data for political purposes.
Jones’s home was raided and searched by armed police earlier this week, after authorities claimed she was the person responsible for using a state emergency-responder system to send a message to some 1700 personnel.
The message urged recipients to stand up to pressure from their bosses to hide the full picture of how the pandemic has impacted Florida residents:
“speak up before another 17,000 people are dead. You know this is wrong. You don’t have to be a part of this. Be a hero. Speak out before it’s too late.”
Jones has denied having anything to do with the message or the unauthorised access to the emergency system, and has shared a video of the raid on her home:
1/
There will be no update today. At 8:30 am this morning, state police came into my house and took all my hardware and tech.
They were serving a warrant on my computer after DOH filed a complaint.
They pointed a gun in my face. They pointed guns at my kids.. pic.twitter.com/DE2QfOmtPU
— Rebekah Jones (@GeoRebekah) December 7, 2020
Now it has been revealed that not only were the same username and password shared by all state employees with access to the emergency alert messaging system, but also that those login credentials were actually posted on the website of Florida’s Department of Health.
Umm.. regardless of who might or might not have sent the message that started this whole furore, it doesn’t sound like the state of Florida was taking password security seriously.
Passwords should not be shared. Passwords should not be posted publicly on websites. Passwords should be changed when people leave your organisation. Passwords should be unique, impossible to guess, and difficult to crack.
You can hear more about the background on this case on the latest “Smashing Security” podcast:
Smashing Security #208: 'Hidden treasure, COVID tracker trauma, and happy holidays with IoT'
I note that the webmail portal is using HTTP?
http://webmail.myflorida.com