Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
IRS Attack Demonstrates How Breaches Beget More Breaches
Threaded  |  Newest First  |  Oldest First
macker490
macker490,
 User Rank: Ninja
5/29/2015 | 8:49:57 AM
Secure Computing in a Compromised Environment
the means to provide reliable identification in a digital computer network environment has been available for years: PGP.

over the yars PGP has been depreciated by its detractors as "too complex"

Complex systems such as PGP can be made usable by everyone -- just like a "smart phone" -- by means of packaged technology: wrapping the technology in an easy to use human interface -- often called a "GUI" -- or GUI Dialog

Roots

On paper we sign our name with pen&ink.   and that signature is characterized by the individual signer,-- pretty hard to duplicate except by a highly skilled forger.   even so, with Notaries or witnesses -- the pen& ink signature has been reliable for years.

but in our online digital networks -- whe have -- nothing

except that PGP has been available since the '90s -- and not adopted for general use due to opposition from interests opposed to privacy and security and such

we may now have reached a tipping point where we will have to admit our error and mend our ways

the key factor needed to implement PGP authentications is explanded authentications.    Your PGP Public Key needs to be authenticated by a reliable party in order for your signatures to be recognized as valid.   Keep these words in mind:   In order for your signature to be recognized as valid.    This also requires an assurance that YOU made the signature -- not a some scamster.  This is possible with PGP because PGP provides both a Public and Private key for each user.   The private key is required to make a signature while the public key is required to recognize(authenticate) a signature.

Exactly what we need!

The only issue is in getting the Public Keys authenticated.   This should become a service offered by local Credit Unions and Banks.    After you generate your key you take it to the Credit Union.  They check your ID and then counter-sign it and upload it to the keyserver.

Now you will be able to authenticate your 1040, online banking, shopping &c

SSL/TLS is not acceptable: it is a half-baked system: The server is able to identify itself -- but not the client.  Even the server's ID is questionable as the client has only marginal trust for x.509 certificates: he or she has NOT verified and countersigned the x.509 certificates he/she needs to use.   This is what enables MITM attacks.
Sara Peters
Sara Peters,
 User Rank: Author
5/29/2015 | 9:47:53 AM
Re: Secure Computing in a Compromised Environment
@macker940 Well I certainly agree with you on this point: "SSL/TLS is not acceptable." Do you think we'll EVER get to the point that public key infrastructure or digital signatures or anything similar/equal will become a norm?
macker490
macker490,
 User Rank: Ninja
5/30/2015 | 8:21:15 AM
Re: Secure Computing in a Compromised Environment
"Will Secure Communications become the norm?"   That it seems is the fifty-billion dollar question!

we have powerful interests vehimently opposed to security software.  Their concern is that it cripples their data gathering projects.   on the other hand we have a *serious* problem with hacking

which brings us to the interesting question: where's the "Tipping Point" ?  The opposition holds the "bully pulpit" but their argumnents are a bit less than forthright.    which leads me to suspect there will be a sea change in the near fiuture

interestingly version 2.1 of the Gnu Privacy Guard is now supporting Eliptic Curve Technology -- which helps to solve the questions about the use of large prime numbers used in traditional PGP .

interesting topic
Paladium
Paladium,
 User Rank: Moderator
5/29/2015 | 9:02:07 AM
I died a little inside...
All I can say is WOW.  Not really unexpected from an organization that wants to control our lives through the tax code, but who can't even patch their computers in a timely manner.

"The information that was used to bypass the security screen, including Social Security numbers, dates of birth and street addresses, are all components of data that have recently been compromised in health insurance data breaches."

...

"Well, the IRS decided that if you know a person's SSN, birthday, and street address, then you must be that person."

That's when I died a little more inside.  It's hard enough to secure and protect our IT systems as it is, doing all the right things and still getting compromised.  But when you do little or nothing, like the IRS is doing, just WOW.

Someone stop the madness please...

 
Sara Peters
Sara Peters,
 User Rank: Author
5/29/2015 | 9:39:14 AM
Re: I died a little inside...
@Paladium  Totally agree! We've got to move beyond the idea that a successful login = a legitimate login. The question is, what has to come after that? Is it just asking for more, more, more, more, more kinds of credentials? Is it behavior-based biometrics? Is it confirmations via SMS or email?

Thoughts?

 

 
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
5/29/2015 | 1:12:02 PM
Re: I died a little inside...
Yes, indeed, Sara. What comes after? There's lots of possibilities. But the challenges seem to increase exponentially.
RyanSepe
RyanSepe,
 User Rank: Ninja
5/29/2015 | 1:37:36 PM
Re: I died a little inside...
I always believe that what you have and are(biometrics) are more secure than what you know. Biometrics and owned hardware are more difficult to provide as fraudelent. What you know such as passwords and security questions are highly researchable through methods such as social engineering and analytics. "Your favorite food?" How many people like pizza? Questions can only be so complex. For the other options you would have to lose your device or have much more elaborate steps taken for biometrics. But this will definitely come at a cost, for both parties.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
5/30/2015 | 11:36:03 PM
Re: I died a little inside...
I love how the federal government is pushing biometrics on the private sector with a universal ID (which will help it track citizens' private affairs), but they can't get their own security house in order to protect private citizen data from hackers.

Ridiculousness.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
5/31/2015 | 11:24:24 PM
Re: I died a little inside...
@Ryan: More the point, how many people's passwords are, simply, "pizza" -- or some variation thereon (for instance, "[email protected]")?
RyanSepe
RyanSepe,
 User Rank: Ninja
5/31/2015 | 11:29:32 PM
Re: I died a little inside...
@Joe. Very true. There is so much data behind the top worst passwords for the year being favorite sports teams, foods, or vacation spots. We see the statistics all the time. 

Here's the trick. How do we reach those people? The people who are not yet aware of the dangers these lack luster controls may bring. Much of the population utilize technology because it is a day-to-day mandate, but only a very small portion are tech savvy. How can we make the message more comprehensive.
Paladium
Paladium,
 User Rank: Moderator
6/1/2015 | 7:11:16 AM
Re: I died a little inside...
I am much more of a pessimist here.  I am quite certain these people know full well the need for complex passwords but just don't care... until caught.  It's a matter of convenience.  Like so many other issues seen today from social, politics, sports, etc....  until people start being held accountable they will continue to act out of their own self interests.  Very sad but true.
RyanSepe
RyanSepe,
 User Rank: Ninja
6/1/2015 | 10:22:17 AM
Re: I died a little inside...
That is definitely true for some and I agree. It's the touch the stove principle. Until you get burnt, then its hard to see why not to take the easier method. Or parents that have rules for their children but never enforce them....It may be pessimistic to say but not everyone adopts reason for the sake of reason. Many will sacrifice the right method for the sake of ease and we see this time and time again in this discussion.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
6/1/2015 | 11:59:52 PM
Re: I died a little inside...
One idea: Hack them.

Let your security department be responsible for pen-testing, including social engineering and attacking employee passwords.  Have the employees who fail complete brief remedial training exercises.
RyanSepe
RyanSepe,
 User Rank: Ninja
6/2/2015 | 11:33:55 AM
Re: I died a little inside...
Similar to a phishing exercise this represents user awareness training. This is incorporated at institutions from time to time. However, they are not prevalent enough to reach everybody and certain business sectors will most likely never be reached. I posit that this would not be used on someone who works in retail or a services industry. At least I have not heard of instances where they have been practiced in these sectors.
macker490
macker490,
 User Rank: Ninja
6/1/2015 | 8:00:53 AM
passwords are NOT the principle issue
computers are most often compromised by "phishing" attacks,-- the "click here for cool" sort of thing,-- which of course results in a TROJAN infecting the client computer   example: RSA hack.

the base problem in this is that your operating software should not allow itself to be compromised by the activity of an application program.   this was implemented in IBM System/360 in *1964* and in x86 at 80386 .   if you must use operating software that is vulnerable to trojans the best plan is to isolate such systems from the public facing internet.   generally best practice should limit public facing access to the net to those systems which require that access -- and then make a *thorough review* of protection, *particularly* paying attention to *sanitizing* inputs.    Let me put that down again: Inputs *MUST* be *sanitized* .

Hackers are not going about hunting down individual machines to see if they can crack the password.   they want to swing a wide loop and rake in as many victims as possible *automatically* -- they don't have time to fuss with cracking passwords except for high value targets.   for high value targets they will start with a rainbow table -- but a rainbow table only works *after* the passwords hash table has been stolen -- which of course -- should not be allowed to hapen .   Sanitize those inputs: SQL injection is the most likely means of exfiltrating your passwords table .

high value targets *will* be attacked individually; generally by searching for a means of getting remote administrator access.   but "high value" targets *should* be administered by folks who know to use high security (randomly generated) passwords -- and not to release these over the phone or by some insecure link such as an email that is not using PGP.   example HB Gary


it is *critical* to remember: a password can be changed if it is compromised,-- your biometrics -- fingerprints, irs scans, DNA and such -- cannot.   these are digitized by ID systems and the data serves in the same manner as any other password.   the two critical problems with biometric ID are (1) you cannot change your biometric "password", and (2) you cannot be anonymous

marketing and the NSA prefer that you *NOT* be anonymous

"Best Practice" documents for computers generally recommend changing passwords on a periodic basis.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
5/31/2015 | 11:25:13 PM
Re: I died a little inside...
@Paladium: Of course, I fully expect Koskinen et al. to hold this up as reason why the IRS needs a higher budget.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file