Yammer security sub-standard says US Veterans' Affairs Dept
Microsoft's Twitter clone spammed staff, gave trolls a home and amplified the risk of data leaks
America's Veterans Affairs inspector general has sideswiped the department for what it says is “improper” use of Yammer, Microsoft's inside-the-firewall Twitter clone.
In what looks like a mistaken enthusiasm for cool-tools, the US Department of Veterans' Affairs decided to start using Yammer, an "enterprise social network," back in 2008. Over time, everybody from the CIO down took its presence in the organisation as a sign that it was allowed.
The department says it will implement proper Yammer policies by October 1.
Released last week, the inspector general's report [PDF] says the staff began logging into the Yammer social network after it was showcased by former CIO of VA, Stephen Warren.
Users got the impression that Yammer was sanctioned by the department, the report says, because in June 2013 Warren used it to host a chat forum.
As well as criticising both users and Warren (who left VA in July 2015) for his advocacy of the site, the report also has some less-than-flattering things to say about Yammer.
Apart from the social network being insecure practically by design, the inspector general is unhappy about other behaviours:
“Yammer regularly spammed and excessively emailed users, as well as VA employees who had no interest in joining the site, and users were unable to remove the Online Now instant messaging feature, resulting in every user violating VA policy simply by logging onto the site,” the report states.
The report says as many as 50,000 VA staff used the site, with neither a policy in place to approve Yammer's use, nor any formal oversight to make sure sensitive information isn't shared.
As an example of its potential for data leaks, the report cites this incident:
“Further exemplifying the potential to share VA sensitive information, we found a user replied to another user’s post, ‘Please DELETE the .pdf with the IP address IMMEDIATELY! IP addresses are VA protected information and may NEVER be posted in a public place – even if only VA public.’”
As happens in social networks, the Yammer service also turned into a place for time-wasting and personal abuse: “You’re a bitter bitter person and it just makes me sad for you. I’m done reading anything with your name on it,” one user posted, drawing the predictable response: “Is free speech banned on Yammer? And talk about mean spirited and name calling… Just Wow!”
In addition, Yammer's vulnerability potentially exposed VA networks to malware and outside attackers, the report found. ®