
Comments
S.C. Security Blunders Show Why States Get Hacked
me29928,
User Rank: Apprentice
12/14/2012 | 3:14:02 PM
re: S.C. Security Blunders Show Why States Get Hacked
These breaches should never occur in the first place; this kind of data should never be accessible that close to the internet. Human nature says you can't count on best practices, which few choose to implement anyway. The tech to prevent this has existed for a long time. These states and companies should have such online systems set up to only pass through man-in-the-middle servers that prevent such direct access and limit the info passed back and forth with encryption. As for internet access from inside the agency's network, the systems with this data should not have such access. You keep accounting systems separate from the ones that have internet access. It's easy to fix; it just takes good engineering, and managers who have enough common sense in the first place to make sure it's done right, instead of the usual casual approach we see so often.

You know, if there were a big penalty for these breaches instead of a PR mess, the people in charge would care about these things. But there is not. This problem will never go away no matter how many times, or how big, a deal is made about these breaches.

Every time I hear of a breach it just sickens me. It's pure stupidity to allow these to happen in the first place. Even academics get hit; you would think they would have the most secure systems and the newest innovations in protecting systems. But they don't.

The best protection for the consumer is: don't give out the info. And when you do, make the other party aware in writing that they are responsible for the data collected. I do this any time I give financial data, with an attachment that says the info is not to be shared without permission and that the receiving party is held responsible for any breaches of trust when such data is given to them. It sometimes makes a difference. People think twice when giving out data, or even approving stuff, to make sure the party they are dealing with is the right party.
John Foley,
User Rank: Apprentice
12/14/2012 | 5:29:24 PM
re: S.C. Security Blunders Show Why States Get Hacked
In the business world, we have long observed that tech-savvy CEOs give their companies a competitive advantage. There's a parallel in government -- mayors, governors, congressmen, and presidents who grasp the value and importance of IT and cybersecurity give their constituents an advantage. In New York, for example, Bloomberg is supporting public Wi-Fi and mobile app competitions, while trying to raise the city's profile as a global center of tech innovation. Going forward, successful political leaders and candidates will be those who promote well-conceived tech initiatives and policies.
John Foley, InformationWeek Government
p_b_r,
User Rank: Apprentice
12/14/2012 | 6:36:42 PM
re: S.C. Security Blunders Show Why States Get Hacked
Had the state of SC been conducting proper monthly SAR reviews, with random spot-audits to ensure the process was being done correctly, this would have never happened.

A bit over a decade ago, I helped Sun Microsystems to put a SAR program in place, rolling out a website and business process for the entire corporation to use to better ensure ongoing improvement to corporate security.

A "Security Adequacy Review" is a monthly assessment done by all departments. It reports on the current state of, and the improvements made to, every single computing resource in each department. At the time, it was state-of-the-art. However, it wasn't rocket science - it was relatively straightforward. It was also mandatory.

The exec at Sun for whom I implemented this was the VP of Corporate Security. His job depended on doing this right.

I know it's harder in government to effect change than it is in a company... but if you want this fixed properly, find the appropriate person within the state government, make their job depend on doing it right, and it'll start being done right.

-Paul Reiber, Helpful Linux Guy, http://reiber.org
macker490,
User Rank: Ninja
12/15/2012 | 12:56:46 PM
re: S.C. Security Blunders Show Why States Get Hacked
I don't see that the general computing population will ever be 'tech savvy' enough to deal with hacking. What this means is that 'type approved' hardware and software will have to be used for commercial computing. Liability for defects can then be shifted from the user to where it belongs: to those who have the ability to deal with the problem.
jmirick554,
User Rank: Apprentice
12/17/2012 | 4:01:41 PM
re: S.C. Security Blunders Show Why States Get Hacked
The real problem is there is no tangible penalty for allowing these breaches to occur. The state's CIO should spend a few years in prison; this would encourage other states' CIOs to actually focus on absolutely preventing such things, not just looking to see if they are "in compliance with regs." I don't know if the state's tech people were too stupid to know they were exposed, if they just didn't care, or if they figured "well, it's not in the budget so I'm off the hook." Facing criminal prison time might just get their attention.
jaysimmons,
User Rank: Apprentice
12/31/2012 | 8:22:35 AM
re: S.C. Security Blunders Show Why States Get Hacked
What kind of recourse is there for those who had their identities stolen due to lack of foresight and planning by the government? It's unacceptable that there are guidelines in place that private industry must abide by that government agencies ignore.

Jay Simmons
Information Week Contributor
Mike Angel,
User Rank: Apprentice
1/21/2013 | 6:08:21 AM
re: S.C. Security Blunders Show Why States Get Hacked
With today's sophisticated exploits, the only information required by a hacker to breach a system is the consumer's login credentials. Apparently what happened within the IRS in SC is that the hacker sent out emails to employees with an attachment that, if opened, would allow malware carrying a Trojan to automatically enter that consumer's client. Note: most of today's malware is not detected by anti-virus software. Once the malware is in the consumer's client, it waits for a specific login page to be called up, and when it is, the Trojan will put the consumer on a fake login page and then, using a real-time keylogger, it will steal everything entered by the consumer. It will immediately re-log in with the stolen credentials on the real login page and gain access.

So consumers do not have to give out any information; all they need to do is click on the attachment to the email they received and it is "Game Over". What the IT folks must put in place is an authentication solution that requires a credential that the consumer has but does not enter. An obvious example we are all familiar with is a smartcard. Smartcards and USB tokens are expensive and very cumbersome to use and manage. Software solutions designed after a smart card, such as SoundPass, also provide a dynamic virtual token that automatically sends a required credential, which the consumer does not know or enter, and are very affordable plus user friendly.