
S.C. Security Blunders Show Why States Get Hacked
Mike Angel
User Rank: Apprentice
1/21/2013 | 6:08:21 AM
re: S.C. Security Blunders Show Why States Get Hacked
With today's sophisticated exploits, the only information required by a hacker to breach a system is the consumer's login credentials. Apparently what happened within the IRS in SC is the hacker sent out emails to employees with an attachment that, if opened, would allow malware carrying a Trojan to automatically enter that consumer's client. Note: most of today's malware is not detected by anti-virus software. Once the malware is in the consumer's client it waits for a specific login page to be called up, and when it is, the Trojan will put the consumer on a fake login page and then, using a real-time keylogger, it will steal everything entered by the consumer. It will immediately log in with the stolen credentials on the real login page and gain access.
So consumers do not have to give out any information; all they need to do is click on the attachment to the email they received and it is "Game Over". What the IT folks must put in place is an authentication access solution that requires a credential that the consumer has but does not enter. An obvious example we are all familiar with is a smartcard. Smartcards and USB tokens are expensive and very cumbersome to use and manage. Software solutions designed after a smart card, such as SoundPass, also provide a dynamic virtual token that automatically sends a required credential, which the consumer does not know or enter, and are very affordable plus user friendly.
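The comment above argues for a possession factor the user never types, so that a keylogger on a phished machine gains nothing reusable. The following is an added illustration of that idea, not code from the commenter or from any product mentioned; it assumes a generic HMAC challenge-response design in which a per-user "device key" stands in for the smartcard or virtual token. The server stores the key but never receives it over the wire; it only sees a response bound to a fresh, single-use, time-limited nonce. The `demo()` function walks through a legitimate login, a login with only the captured password, a replay of an earlier captured response, and a stale challenge, all on constructed data.

```python
"""Challenge-response login with a possession factor the user never types.

Constructed example (not from the original comments or any vendor).
The "device key" below plays the role of a smartcard / virtual token.
"""
import hashlib
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 60
PBKDF2_ROUNDS = 100_000


class TokenServer:
    """Verifies a typed password AND a device's answer to a fresh challenge."""

    def __init__(self, now=time.time):
        self._now = now
        self._users = {}    # username -> (salt, password_hash, device_key)
        self._pending = {}  # username -> (nonce, expiry)

    def enroll(self, username: str, password: str, device_key: bytes) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, pw_hash, device_key)

    def start_login(self, username: str) -> bytes:
        """Issue a fresh nonce; only the enrolled device can answer it."""
        nonce = secrets.token_bytes(32)
        self._pending[username] = (nonce, self._now() + NONCE_TTL_SECONDS)
        return nonce

    def finish_login(self, username: str, password: str, response: bytes) -> bool:
        record = self._users.get(username)
        pending = self._pending.pop(username, None)  # single use: a replay finds nothing
        if record is None or pending is None:
            return False
        nonce, expiry = pending
        if self._now() > expiry:
            return False
        salt, pw_hash, device_key = record
        pw_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS), pw_hash)
        expected = hmac.new(device_key, nonce, hashlib.sha256).digest()
        dev_ok = hmac.compare_digest(expected, response)
        return pw_ok and dev_ok


def device_respond(device_key: bytes, nonce: bytes) -> bytes:
    """What the token does automatically: sign the challenge, never reveal the key."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    server = TokenServer()
    key = secrets.token_bytes(32)  # constructed device key, assumed to be enrolled
    server.enroll("alice", "correct horse", key)

    # 1. Legitimate login: typed password plus the device's answer to the nonce.
    nonce = server.start_login("alice")
    legit = server.finish_login("alice", "correct horse", device_respond(key, nonce))

    # 2. Captured password only: without the device, no valid response can be produced.
    server.start_login("alice")
    password_only = server.finish_login("alice", "correct horse", b"\x00" * 32)

    # 3. Replay: the earlier response was observed, but it is bound to a consumed nonce.
    server.start_login("alice")
    replay = server.finish_login("alice", "correct horse", device_respond(key, nonce))

    # 4. Stale challenge: a response arriving after the TTL is rejected.
    clock = [1000.0]
    slow = TokenServer(now=lambda: clock[0])
    slow.enroll("bob", "pw", key)
    n = slow.start_login("bob")
    clock[0] += NONCE_TTL_SECONDS + 1
    expired = slow.finish_login("bob", "pw", device_respond(key, n))

    return {"legit": legit, "password_only": password_only,
            "replay": replay, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the only thing crossing the wire from the device is `HMAC(device_key, nonce)`, which is worthless once that nonce is consumed or expired; the password check is kept so that a lost token alone does not log in either.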
User Rank: Apprentice
12/31/2012 | 8:22:35 AM
re: S.C. Security Blunders Show Why States Get Hacked
What kind of recourse is there for those who had their identities stolen due to lack of foresight and planning by the government? It's unacceptable that there are guidelines in place that private industry must abide by that government agencies ignore.

Jay Simmons
Information Week Contributor
User Rank: Apprentice
12/17/2012 | 4:01:41 PM
re: S.C. Security Blunders Show Why States Get Hacked
The real problem is there is no tangible penalty for allowing these breaches to occur. The state's CIO should spend a few years in prison; this would encourage other states' CIOs to actually focus on absolutely preventing such things, not just looking to see if they are "in compliance with regs." I don't know if the state's tech people were too stupid to know they were exposed, if they just didn't care, or if they figured "well, it's not in the budget so I'm off the hook." Facing criminal prison time might just get their attention.
User Rank: Ninja
12/15/2012 | 12:56:46 PM
re: S.C. Security Blunders Show Why States Get Hacked
I don't see that the general computing population will ever be 'tech savvy' enough to deal with hacking. What this means is that 'type approved' hardware and software will have to be used for commercial computing. Liability for defects can then be shifted from the user to where it belongs: to those who have the ability to deal with the problem.
User Rank: Apprentice
12/14/2012 | 6:36:42 PM
re: S.C. Security Blunders Show Why States Get Hacked
Had the state of SC been conducting proper monthly SAR reviews, with random spot-audits to ensure the process was being done correctly, this would have never happened.

A bit over a decade ago, I helped Sun Microsystems to put a SAR program in place, rolling out a website and business process for the entire corporation to use to better ensure ongoing improvement to corporate security.

A "Security Adequacy Review" is a monthly assessment done by all departments. It reports on the current state of, and the improvements made to, every single computing resource in each department. At the time, it was state-of-the-art. However, it wasn't rocket science - it was relatively straightforward. It was also mandatory.

The exec at Sun who I implemented this for was the VP of Corporate Security. His job depended on doing this right.

I know it's harder in Government to affect change than it is in a company... but, if you want this fixed properly, find the appropriate person within the state government, and make their job depend on doing it right, and it'll start being done right.

-Paul Reiber, Helpful Linux Guy, http://reiber.org
John Foley
User Rank: Apprentice
12/14/2012 | 5:29:24 PM
re: S.C. Security Blunders Show Why States Get Hacked
In the business world, we have long observed that tech-savvy CEOs give their companies a competitive advantage. There's a parallel in government -- mayors, governors, congressmen, and presidents who grasp the value and importance of IT and cybersecurity give their constituents an advantage. In New York, for example, Bloomberg is supporting public Wi-Fi and mobile app competitions, while trying to raise the city's profile as a global center of tech innovation. Going forward, successful political leaders and candidates will be those who promote well-conceived tech initiatives and policies.
John Foley, InformationWeek Government
User Rank: Apprentice
12/14/2012 | 3:14:02 PM
re: S.C. Security Blunders Show Why States Get Hacked
These breaches should never occur in the first place; this kind of data should never be accessible that close to the internet. Human nature says you can't count on best practices, which few choose to implement anyway. The tech to prevent this has existed for a long time. These states and companies should have such online systems set up to only pass through man-in-the-middle servers that prevent such direct access and limit the info passed back and forth with encryption. As for internet access from inside the network of the agency, the systems with this data should not have such access; you keep accounting systems separate from the ones that have internet access. It's easy to fix; it just takes good engineering, and managers who have enough common sense in the first place to make sure it's done right, instead of the usual casual approach we see so often.

You know if there was a big penalty for these breaches instead of a PR mess the people in charge would care about these things. But there is not. This problem will never go away no matter how many times and how much a deal is made about these breaches.

Every time I hear of a breach it just sickens me. It's pure stupidity to allow these to happen in the first place. Even academics get hit; you would think they would have the most secure systems and the newest innovations in protecting systems. But they don't.

The best protection for the consumer is don't give out the info. And when you do, make the other party aware, in writing, that they are responsible for the data collected. I do this anytime I give financial data, with an attachment that says the info is not to be shared without permission and that the receiving party is held responsible for any breaches of trust when such data is given to them. It sometimes makes a difference. People think twice when giving out data or even approving stuff, to make sure the party they are dealing with is the right party.
