A while ago I was working on a project to upgrade a system responsible for updating event information for a satellite television company. This stuff is usually referred to as SI (Service Information) and these days it can be of considerable quantity, containing all manner of data necessary for viewers to know what channels are available, what's on, event blurbs, etc.; you get the idea.
If you had to send this stuff across international borders at regular intervals, how would you do it?
We used an XML payload over an HTTP/1.1 pipe. We specified that it be over a VPN or (at least) HTTPS. This particular client decided that a VPN was too expensive (it boggles the mind, I know) and said they would be happy to have the data being sent over public lines but the job of securing the link & the web-server would go to their IT department. Afterwards, I decided to check up on their implementation of this ideal...
They had simply enabled "HTTP authentication" on the server.
At this point, I should mention that the data was going to be seen by around 40 million people - assuming it could be seen at all. Many parts of the payload are essentially metadata instructions for the backend encoders and could potentially prevent the receiving hardware from being able to figure out what the hell it meant. If hacked, the channels would still be there but (depending on what was changed) the hardware might not be able to find them.
Obviously, I hoped the IT department's work was just for test purposes and asked the IT guys about it. To my amazement they thought it was perfectly secure. After all, when they typed in the public address in a web-browser the browser dutifully popped up an authentication dialog. I began to explain that any username/password they typed in was being sent in clear-text because there was no encryption but the conversation rapidly devolved as I realised that these guys had absolutely no idea what I was talking about. They actually became actively hostile towards me as they slowly figured out I did not share their confidence in their solution.
I talked to my manager and we got the story out to some degree to the managers on the other side of the fence. As I understand it, their IT department continued to assert that the link was somehow secure and to this day I believe that system is still running in clear-text.
No, I will not divulge where or who the company is (I have changed all the minor details to cover the tracks somewhat too).
This incident is one of many security-related WTFs I've experienced but this was the only case where ignorance won and it really highlighted to me a clear security lesson that everyone should know...
Data security consists of 2 primary parts:
1. Encryption
2. Authentication
If either one is broken or not present, the system is compromised.
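To make the clear-text point concrete, here is an added example (not code from the system in the story) that audits a single unencrypted HTTP/1.1 request and reports what anyone on the network path can read from it. The host, path, credentials and XML body are constructed for illustration, and the use of the Basic scheme is an assumption, since the post only says "HTTP authentication".

```python
import base64

# Constructed sample: one HTTP/1.1 request as it appears on the wire without
# TLS. Host, path, credentials and XML are invented for illustration.
_CREDS = base64.b64encode(b"si-feed:S3cret!").decode()
SAMPLE_REQUEST = (
    "POST /si/update HTTP/1.1\r\n"
    "Host: si.example.invalid\r\n"
    f"Authorization: Basic {_CREDS}\r\n"
    "Content-Type: application/xml\r\n"
    "\r\n"
    '<event channel="101"><title>News</title></event>'
).encode()


def audit_plaintext_request(raw: bytes) -> dict:
    """Report what an observer on the path learns from an unencrypted request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    report = {"scheme": None, "username": None, "password": None,
              "body_readable": bool(body), "findings": []}
    scheme, _, param = headers.get("authorization", "").partition(" ")
    report["scheme"] = scheme.lower() or None

    if report["scheme"] == "basic":
        # Basic auth is base64("user:password"): an encoding, not encryption.
        try:
            decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
            report["username"], _, report["password"] = decoded.partition(":")
            report["findings"].append("credentials recoverable from Authorization header")
        except (ValueError, UnicodeDecodeError):
            report["findings"].append("malformed Basic credentials")
    elif report["scheme"] == "digest":
        # Digest keeps the password off the wire but does not hide the payload.
        report["findings"].append("password not sent in the clear")
    elif report["scheme"] is None:
        report["findings"].append("no Authorization header present")
    if body:
        report["findings"].append("payload readable in transit")
    return report


if __name__ == "__main__":
    for finding in audit_plaintext_request(SAMPLE_REQUEST)["findings"]:
        print(finding)
```

Run over the same request captured from inside a TLS session, none of these fields would be visible to the observer, which is the difference the authentication dialog alone cannot provide.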