Comments
S.C. Security Blunders Show Why States Get Hacked
Mike Angel,
User Rank: Apprentice
1/21/2013 | 6:08:21 AM
re: S.C. Security Blunders Show Why States Get Hacked
With today's sophisticated exploits, the only information required by a hacker to breach a system is the consumer's login credentials. Apparently what happened within the IRS in SC is that the hacker sent out emails to employees with an attachment that, if opened, would allow malware carrying a Trojan to automatically enter that consumer's client. Note: most of today's malware is not detected by anti-virus software. Once the malware is in the consumer's client it waits for a specific login page to be called up, and when it is, the Trojan will put the consumer on a fake login page and then, using a real-time keylogger, it will steal everything entered by the consumer. It will immediately re-log in the stolen credentials on the real login page and gain access.
So consumers do not have to give out any information; all they need to do is click on the attachment to the email they received and it is "Game Over". What the IT folks must put in place is an authentication accessing solution that requires a credential that the consumer has but does not enter. An obvious example we are all familiar with is a smartcard. Smartcards and USB tokens are expensive and very cumbersome to use and manage. Software solutions designed after a smart card, such as SoundPass, also provide a dynamic virtual token that automatically sends a required credential, which the consumer does not know or enter, and are very affordable plus user friendly.
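The attack path this comment describes (a fake login page with a keylogger feeding the captured password straight into the real page) and the defense it proposes (a credential the user holds but never types) can be shown with a small challenge-response login. This is an added example, not the commenter's code and not any product named above. The server, the user name and password, the two origins, and the scheme itself (an HMAC over the server's nonce and the origin the browser is actually on, computed with a per-device key) are all assumptions chosen for illustration.

```python
"""
Added example: why a device-held credential defeats a keylogger plus
credential replay. Everything here is constructed; there is no network.
"""
import hashlib
import hmac
import os
import secrets

SERVER_ORIGIN = "https://tax.example.gov"  # hypothetical real site


def device_response(device_key, nonce, origin):
    """The 'credential the consumer has but does not enter': an HMAC over the
    server's one-time nonce and the origin the browser is talking to."""
    return hmac.new(device_key, nonce + origin.encode(), hashlib.sha256).digest()


class AuthServer:
    def __init__(self, origin):
        self.origin = origin
        self.users = {}    # user -> {"salt", "pw_hash", "device_key"}
        self.pending = {}  # user -> nonce issued for the current attempt

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password, device_key):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt,
                            "pw_hash": self._hash(password, salt),
                            "device_key": device_key}

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user, password, nonce, response):
        rec = self.users.get(user)
        if rec is None:
            return False
        expected_nonce = self.pending.pop(user, None)  # single use: consumed here
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False
        if not hmac.compare_digest(rec["pw_hash"], self._hash(password, rec["salt"])):
            return False
        # The server binds the response to ITS origin; a response computed for
        # a look-alike origin will not match even with the right key and nonce.
        expected = device_response(rec["device_key"], nonce, self.origin)
        return hmac.compare_digest(expected, response)


def _setup():
    server = AuthServer(SERVER_ORIGIN)
    device_key = os.urandom(32)  # provisioned to the user's device, never typed
    server.register("jdoe", "correct horse", device_key)
    return server, device_key


def legitimate_login():
    server, device_key = _setup()
    nonce = server.challenge("jdoe")
    resp = device_response(device_key, nonce, SERVER_ORIGIN)
    return server.login("jdoe", "correct horse", nonce, resp)


def keylogger_replay():
    """Attacker captured the password and one full (nonce, response) pair."""
    server, device_key = _setup()
    nonce = server.challenge("jdoe")
    resp = device_response(device_key, nonce, SERVER_ORIGIN)
    assert server.login("jdoe", "correct horse", nonce, resp)  # victim's own login
    server.challenge("jdoe")  # attacker's attempt is issued a fresh nonce
    return server.login("jdoe", "correct horse", nonce, resp)  # old pair rejected


def fake_page_relay():
    """Real-time relay: attacker fetches the real nonce and forwards it to the
    victim, whose browser is on the fake page, then relays the answer."""
    server, device_key = _setup()
    fake_origin = "https://tax-example-gov.example"  # hypothetical look-alike
    nonce = server.challenge("jdoe")
    resp = device_response(device_key, nonce, fake_origin)
    return server.login("jdoe", "correct horse", nonce, resp)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("replay of captured pair:", keylogger_replay())
    print("fake-page relay:", fake_page_relay())
```

Two properties carry the weight here: the nonce is consumed on first use, so a captured response is worthless, and the response covers the origin, so a relayed response computed on a look-alike page fails at the real server. The caveat a practitioner will raise is that origin binding only holds if the thing reporting the origin is trustworthy; a purely software token running on the same endpoint as the malware can be driven by that malware directly, which is the reason hardware authenticators keep the key off the host.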
jaysimmons,
User Rank: Apprentice
12/31/2012 | 8:22:35 AM
re: S.C. Security Blunders Show Why States Get Hacked
What kind of recourse is there for those who had their identities stolen due to lack of foresight and planning by the government? It's unacceptable that there are guidelines in place that private industry must abide by that government agencies ignore.

Jay Simmons
Information Week Contributor
jmirick554,
User Rank: Apprentice
12/17/2012 | 4:01:41 PM
re: S.C. Security Blunders Show Why States Get Hacked
The real problem is there is no tangible penalty for allowing these breaches to occur. The state's CIO should spend a few years in prison; this would encourage other states' CIOs to actually focus on absolutely preventing such things, not just looking to see if they are "in compliance with regs." I don't know if the state's tech people were too stupid to know they were exposed, if they just didn't care, or if they figured "well, it's not in the budget so I'm off the hook." Facing criminal prison time might just get their attention.
macker490,
User Rank: Ninja
12/15/2012 | 12:56:46 PM
re: S.C. Security Blunders Show Why States Get Hacked
I don't see that the general computing population will ever be 'tech savvy' enough to deal with hacking. What this means is that 'type approved' hardware and software will have to be used for commercial computing. Liability for defects can then be shifted from the user to where it belongs: to those who have the ability to deal with the problem.
p_b_r,
User Rank: Apprentice
12/14/2012 | 6:36:42 PM
re: S.C. Security Blunders Show Why States Get Hacked
Had the state of SC been conducting proper monthly SAR reviews, with random spot-audits to ensure the process was being done correctly, this would have never happened.

A bit over a decade ago, I helped Sun Microsystems to put a SAR program in place, rolling out a website and business process for the entire corporation to use to better ensure ongoing improvement to corporate security.

A "Security Adequacy Review" is a monthly assessment done by all departments. It reports on the current state of, and the improvements made to, every single computing resource in each department. At the time, it was state-of-the-art. However, it wasn't rocket science - it was relatively straightforward. It was also mandatory.

The exec at Sun who I implemented this for was the VP of Corporate Security. His job depended on doing this right.

I know it's harder in government to effect change than it is in a company... but if you want this fixed properly, find the appropriate person within the state government, make their job depend on doing it right, and it'll start being done right.

-Paul Reiber, Helpful Linux Guy, http://reiber.org
John Foley,
User Rank: Apprentice
12/14/2012 | 5:29:24 PM
re: S.C. Security Blunders Show Why States Get Hacked
In the business world, we have long observed that tech-savvy CEOs give their companies a competitive advantage. There's a parallel in government -- mayors, governors, congressmen, and presidents who grasp the value and importance of IT and cybersecurity give their constituents an advantage. In New York, for example, Bloomberg is supporting public Wi-Fi and mobile app competitions, while trying to raise the city's profile as a global center of tech innovation. Going forward, successful political leaders and candidates will be those who promote well-conceived tech initiatives and policies.
John Foley, InformationWeek Government
me29928,
User Rank: Apprentice
12/14/2012 | 3:14:02 PM
re: S.C. Security Blunders Show Why States Get Hacked
These breaches should never occur in the first place; this kind of data should never be accessible that close to the internet. Human nature says you can't count on best practices, which few choose to implement anyway. The tech to prevent this has existed for a long time. These states and companies should have such online systems set up to only pass through man-in-the-middle servers that prevent such direct access and limit the info passed back and forth with encryption. As for internet access from inside the network of the agency, the systems with this data should not have such access; you keep accounting systems separate from the ones that have internet access. It's easy to fix; it just takes good engineering, and managers who have enough common sense in the first place to make sure it's done right, instead of the usual casual approach we see so often.

You know, if there were a big penalty for these breaches instead of a PR mess, the people in charge would care about these things. But there is not. This problem will never go away no matter how many times and how much of a deal is made about these breaches.

Every time I hear of a breach it just sickens me. It's pure stupidity to allow these to happen in the first place. Even academics get hit; you would think they would have the most secure systems and the newest innovations in protecting systems. But they don't.

The best protection for the consumer is don't give out the info. And when you do, make the other party aware in writing that they are responsible for the data collected. I do this any time I give financial data, with an attachment that says the info is not to be shared without permission and that the receiving party is held responsible for any breaches of trust when such data is given to them. It sometimes makes a difference. People think twice when giving out data or even approving stuff, to make sure the party they are dealing with is the right party.
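The tiered layout this comment argues for (the internet reaches only an intermediary tier, the data tier is reachable only from the application tier and has no path out) is easiest to reason about as a default-deny flow policy that can be checked against observed connections. The following is an added example, not the commenter's code or any agency's real policy; the address plan, zone names, ports and the connection records are all constructed for illustration.

```python
"""
Added example: a zone-to-zone allow list of the kind the comment describes,
run over constructed connection records to flag paths that bypass the tiers.
"""
import ipaddress

# Hypothetical address plan. Anything outside these ranges counts as "internet".
ZONES = {
    "proxy": ipaddress.ip_network("10.0.1.0/24"),  # intermediary servers facing the internet
    "app":   ipaddress.ip_network("10.0.2.0/24"),  # application tier behind the proxies
    "data":  ipaddress.ip_network("10.0.3.0/24"),  # systems holding the sensitive records
    "user":  ipaddress.ip_network("10.0.4.0/24"),  # staff workstations that do have internet access
}

# Default deny: only these (source zone, destination zone) -> ports are permitted.
# Note there is no entry with "data" as source and none from "internet" or "user" to "data".
ALLOWED_FLOWS = {
    ("internet", "proxy"): {443},
    ("user", "proxy"): {443},
    ("proxy", "app"): {8443},
    ("app", "data"): {5432},
    ("user", "internet"): {80, 443},
}


def zone_of(ip_text):
    ip = ipaddress.ip_address(ip_text)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def check_flow(src, dst, dport):
    """Return None if the flow is permitted, otherwise a short reason string."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return None  # traffic inside one zone is outside this policy
    ports = ALLOWED_FLOWS.get((src_zone, dst_zone))
    if ports is None:
        return f"{src_zone}->{dst_zone} not permitted"
    if dport not in ports:
        return f"{src_zone}->{dst_zone} port {dport} not permitted"
    return None


# Constructed records: "timestamp src sport dst dport proto".
SAMPLE_FLOWS = """\
2012-10-10T08:00:01 203.0.113.5 51234 10.0.1.10 443 tcp
2012-10-10T08:00:02 10.0.1.10 40000 10.0.2.20 8443 tcp
2012-10-10T08:00:03 10.0.2.20 40001 10.0.3.30 5432 tcp
2012-10-10T08:00:04 10.0.3.30 40002 198.51.100.7 443 tcp
2012-10-10T08:00:05 203.0.113.9 51235 10.0.3.30 5432 tcp
2012-10-10T08:00:06 10.0.4.15 40003 10.0.3.30 5432 tcp
2012-10-10T08:00:07 10.0.1.10 40004 10.0.2.20 22 tcp
"""


def find_violations(records):
    """Parse records and return (timestamp, src, dst, dport, reason) per disallowed flow."""
    violations = []
    for line in records.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, _proto = line.split()
        reason = check_flow(src, dst, int(dport))
        if reason:
            violations.append((ts, src, dst, int(dport), reason))
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(*v)
```

On the sample records the first three flows follow the intended path (internet to proxy, proxy to app, app to data) and pass; the data host talking outbound to an internet address, an internet address reaching the data tier directly, a workstation reaching the data tier directly, and SSH from the proxy tier into the app tier are all flagged. The same allow list is what the firewall or router ACLs between the tiers should enforce; running it over flow records is the check that they actually do.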
