Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
IRS Attack Demonstrates How Breaches Beget More Breaches
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
macker490
100%
0%
macker490,
 User Rank: Ninja
5/29/2015 | 8:49:57 AM
Secure Computing in a Compromised Environment
the means to provide reliable identification in a digital computer network environment has been available for years: PGP.

over the yars PGP has been depreciated by its detractors as "too complex"

Complex systems such as PGP can be made usable by everyone -- just like a "smart phone" -- by means of packaged technology: wrapping the technology in an easy to use human interface -- often called a "GUI" -- or GUI Dialog

Roots

On paper we sign our name with pen&ink.   and that signature is characterized by the individual signer,-- pretty hard to duplicate except by a highly skilled forger.   even so, with Notaries or witnesses -- the pen& ink signature has been reliable for years.

but in our online digital networks -- whe have -- nothing

except that PGP has been available since the '90s -- and not adopted for general use due to opposition from interests opposed to privacy and security and such

we may now have reached a tipping point where we will have to admit our error and mend our ways

the key factor needed to implement PGP authentications is explanded authentications.    Your PGP Public Key needs to be authenticated by a reliable party in order for your signatures to be recognized as valid.   Keep these words in mind:   In order for your signature to be recognized as valid.    This also requires an assurance that YOU made the signature -- not a some scamster.  This is possible with PGP because PGP provides both a Public and Private key for each user.   The private key is required to make a signature while the public key is required to recognize(authenticate) a signature.

Exactly what we need!

The only issue is in getting the Public Keys authenticated.   This should become a service offered by local Credit Unions and Banks.    After you generate your key you take it to the Credit Union.  They check your ID and then counter-sign it and upload it to the keyserver.

Now you will be able to authenticate your 1040, online banking, shopping &c

SSL/TLS is not acceptable: it is a half-baked system: The server is able to identify itself -- but not the client.  Even the server's ID is questionable as the client has only marginal trust for x.509 certificates: he or she has NOT verified and countersigned the x.509 certificates he/she needs to use.   This is what enables MITM attacks.
Paladium
0%
100%
Paladium,
 User Rank: Moderator
5/29/2015 | 9:02:07 AM
I died a little inside...
All I can say is WOW.  Not really unexpected from an organization that wants to control our lives through the tax code, but who can't even patch their computers in a timely manner.

"The information that was used to bypass the security screen, including Social Security numbers, dates of birth and street addresses, are all components of data that have recently been compromised in health insurance data breaches."

...

"Well, the IRS decided that if you know a person's SSN, birthday, and street address, then you must be that person."

That's when I died a little more inside.  It's hard enough to secure and protect our IT systems as it is, doing all the right things and still getting compromised.  But when you do little or nothing, like the IRS is doing, just WOW.

Someone stop the madness please...

 
Sara Peters
50%
50%
Sara Peters,
 User Rank: Author
5/29/2015 | 9:39:14 AM
Re: I died a little inside...
@Paladium  Totally agree! We've got to move beyond the idea that a successful login = a legitimate login. The question is, what has to come after that? Is it just asking for more, more, more, more, more kinds of credentials? Is it behavior-based biometrics? Is it confirmations via SMS or email?

Thoughts?

 

 
Sara Peters
50%
50%
Sara Peters,
 User Rank: Author
5/29/2015 | 9:47:53 AM
Re: Secure Computing in a Compromised Environment
@macker940 Well I certainly agree with you on this point: "SSL/TLS is not acceptable." Do you think we'll EVER get to the point that public key infrastructure or digital signatures or anything similar/equal will become a norm?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
5/29/2015 | 1:12:02 PM
Re: I died a little inside...
Yes, indeed, Sara. What comes after? There's lots of possibilities. But the challenges seem to increase exponentially.
RyanSepe
50%
50%
RyanSepe,
 User Rank: Ninja
5/29/2015 | 1:37:36 PM
Re: I died a little inside...
I always believe that what you have and are(biometrics) are more secure than what you know. Biometrics and owned hardware are more difficult to provide as fraudelent. What you know such as passwords and security questions are highly researchable through methods such as social engineering and analytics. "Your favorite food?" How many people like pizza? Questions can only be so complex. For the other options you would have to lose your device or have much more elaborate steps taken for biometrics. But this will definitely come at a cost, for both parties.
macker490
50%
50%
macker490,
 User Rank: Ninja
5/30/2015 | 8:21:15 AM
Re: Secure Computing in a Compromised Environment
"Will Secure Communications become the norm?"   That it seems is the fifty-billion dollar question!

we have powerful interests vehimently opposed to security software.  Their concern is that it cripples their data gathering projects.   on the other hand we have a *serious* problem with hacking

which brings us to the interesting question: where's the "Tipping Point" ?  The opposition holds the "bully pulpit" but their argumnents are a bit less than forthright.    which leads me to suspect there will be a sea change in the near fiuture

interestingly version 2.1 of the Gnu Privacy Guard is now supporting Eliptic Curve Technology -- which helps to solve the questions about the use of large prime numbers used in traditional PGP .

interesting topic
Joe Stanganelli
100%
0%
Joe Stanganelli,
 User Rank: Ninja
5/30/2015 | 11:36:03 PM
Re: I died a little inside...
I love how the federal government is pushing biometrics on the private sector with a universal ID (which will help it track citizens' private affairs), but they can't get their own security house in order to protect private citizen data from hackers.

Ridiculousness.
Joe Stanganelli
50%
50%
Joe Stanganelli,
 User Rank: Ninja
5/31/2015 | 11:24:24 PM
Re: I died a little inside...
@Ryan: More the point, how many people's passwords are, simply, "pizza" -- or some variation thereon (for instance, "[email protected]")?
Joe Stanganelli
50%
50%
Joe Stanganelli,
 User Rank: Ninja
5/31/2015 | 11:25:13 PM
Re: I died a little inside...
@Paladium: Of course, I fully expect Koskinen et al. to hold this up as reason why the IRS needs a higher budget.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3454
PUBLISHED: 2021-10-19
Truncated L2CAP K-frame causes assertion failure. Zephyr versions >= 2.4.0, >= v.2.50 contain Improper Handling of Length Parameter Inconsistency (CWE-130), Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fx88-6c29-...
CVE-2021-3455
PUBLISHED: 2021-10-19
Disconnecting L2CAP channel right after invalid ATT request leads freeze. Zephyr versions >= 2.4.0, >= 2.5.0 contain Use After Free (CWE-416). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7g38-3x9v-v7vp
CVE-2021-41150
PUBLISHED: 2021-10-19
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is c...
CVE-2021-31378
PUBLISHED: 2021-10-19
In broadband environments, including but not limited to Enhanced Subscriber Management, (CHAP, PPP, DHCP, etc.), on Juniper Networks Junos OS devices where RADIUS servers are configured for managing subscriber access and a subscriber is logged in and then requests to logout, the subscriber may be fo...
CVE-2021-31379
PUBLISHED: 2021-10-19
An Incorrect Behavior Order vulnerability in the MAP-E automatic tunneling mechanism of Juniper Networks Junos OS allows an attacker to send certain malformed IPv4 or IPv6 packets to cause a Denial of Service (DoS) to the PFE on the device which is disabled as a result of the processing of these pac...