PEBCAK and the 2014 FIFA World Cup

Jonathan Trull, Chief Information Security Officer


If you enjoy soccer (or futbol for those living outside of the United States), or even if you don’t, the World Cup is an exciting event to watch. Thirty-two international teams composed of their country’s best players compete to be named world champion. This is no small matter in a sport played by an estimated 265 million people worldwide.

This year’s World Cup is being held in Brazil. As one would imagine, security is extremely tight! International events of this size are prime targets for extremist groups, and soccer has had its fair share of riots and looting depending on which side wins or loses the match. Although the security for the event has been top notch, there was one minor hiccup.

Several days ago, the Brazilian newspaper Correio Brazilliense published a photo of the FIFA World Cup security center. The security center is the state-of-the-art, multi-million dollar center from which security officials monitor and maintain hundreds of CCTV security cameras placed throughout the 41,000-seat Arena Pantanal Stadium in Cuiaba, Brazil. Unfortunately, as seen in the image below, the photo contained the network name and password for the security center’s Wi-Fi network. The newspaper’s story and accompanying photo were subsequently picked up on social media and quickly re-tweeted over 3,000 times. With one simple human error, the security center’s network was exposed to all who cared to exploit it.

View the photo here.

If you have worked in or around IT for any length of time, you’ve likely heard the term PEBCAK. PEBCAK is an acronym that stands for the “Problem Exists Between the Computer and the Keyboard,” or basically the problem is with the end user not the technology. Although many IT support staff use the term condescendingly, I do not – especially since I’ve made my fair share of mistakes. Instead, I believe the PEBCAK principle and associated World Cup example provide several key points that all information security professionals and cyber security policymakers should take to heart:

  • People continue to be the weakest and most exploitable component of our IT systems. In fact, some of the most notorious and infamous hackers of the last decade primarily targeted the users of computer systems and not the systems themselves.
  • Systems, networks, and applications must be designed, built, and operated to allow users to fail safely. Accidentally clicking on a malicious link or visiting an infected website should never result in the loss of 40 million credit card records, as it did at Target, or a company’s intellectual property.
  • Attackers will continue to use client-side attacks because the cost of executing such attacks is low compared to the risk and rewards.

Find out more about becoming an information security professional with a Master's of Science in Information Assurance: request more information, or call us at 877-820-0581.