Forgot your password?
typodupeerror
Security Politics IT

South Carolina Shows How Not To Do Security 123

Posted by timothy
from the at-least-the-failure-was-spectacular dept.
CowboyRobot writes "Earlier this year, the state's Department of Revenue was storing 3.3 million bank account numbers, as well as 3.8 million tax returns containing Social Security numbers for 1.9 million children and other dependents, in an unencrypted format. After a state employee clicked on a malicious email link, an attacker was able to obtain copies of those records. It's easy to blame the breach on 'Russian hackers' but who is really to blame? 'The state's leadership, from the governor on down, failed to take information security seriously or to correctly gauge the financial risk involved. As a result, taxpayers will pay extra to clean up the mess. Beyond the $800,000 that the state will spend — and should have already spent — to improve its information security systems, $500,000 will go to the data breach investigation, $740,000 to notify consumers and businesses, $250,000 for legal and PR help, and $12 million for identity theft monitoring services.'"
This discussion has been archived. No new comments can be posted.

South Carolina Shows How Not To Do Security

Comments Filter:
  • by Anonymous Coward on Saturday December 15, 2012 @11:20AM (#42301247)

    So $2 million to actually respond to and work on fixing the problem, and $12 million to snake oil. Brilliant.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      So $2 million to actually respond to and work on fixing the problem, and $12 million to snake oil. Brilliant.

      I agree. Letting the victims freeze their credit for free would do it - actually EVERYONE should be able to do that for free!

      But here's something else to consider: this wouldn't be a problem if businesses and Government were more responsible with personal information. If business and Government weren't so ignorant as to use the social security numbers as identifiers. If we had unlimited free credit reports from AnnualCreditReport.com - that's the FTC's website.

      And it's not only folks who want to open up a

      • by Anonymous Coward
        Except, nowhere does it state credit cards. Most states allow/require you to use a checking or saving account (direct deposit) to pay or receive refunds. Imagine freezing your checking account (no more debit card, ATM, checks or online bill pay through your bank, until you have a new account). Switching banks or bank account numbers is time consuming and tedious. Think of all the direct deposit or online bill pays that have to be updated.
        • Most states allow/require you to use a checking or saving account (direct deposit) to pay or receive refunds. Imagine freezing your checking account (no more debit card, ATM, checks or online bill pay through your bank, until you have a new account). Switching banks or bank account numbers is time consuming and tedious. Think of all the direct deposit or online bill pays that have to be updated.

          Yeah, it will be painful. But there's really no alternative. "Identity theft monitoring" is going to be only marginally effective at preventing problems, at best. The only real option is to make the information that the attackers gained useless, by getting rid of those accounts.

      • by crazyjj (2598719) *

        Letting the victims freeze their credit for free would do it - actually EVERYONE should be able to do that for free!

        South Carolina already has that. By law, anyone can freeze their credit for free with the three major credit reporting services at any time for free (and unfreeze, freeze again, etc. for free too).

  • amateurs (Score:3, Insightful)

    by ruir (2709173) on Saturday December 15, 2012 @11:21AM (#42301259) Homepage
    The point is exactly this, many organizations just keep their data in any convenient format, even it is excel spreadsheets. This are one of the things it is hard to understand, if you want work well done, you call a plumber, and electrician, and they have to be certified, and many years of experience, references, whatever more. And then when it comes to sensitive data that can mean to put people in peril of theft identity, people do it by themselves, or just hire a nobody to do it. ...
    • by Joe_Dragon (2206452) on Saturday December 15, 2012 @11:39AM (#42301353)

      well IT needs a union / engineer like signoffs so the IT works can't be pushed around by NON tech PHB's that may buy stuff on the golf course with no IT input or rank IT people my number of tickets and or call times. Even to the point saying we can't buy new software / hardware so find a work around to make X app work in the new OS / workflow even if it does have good security.

      • by hsmith (818216)
        Yes, that will fix things - unions. lol

        Management needs to see that proper information security is necessary, nothing more. Hitting them with fines is where it really is.
        • "Fining" taxpayer funded efforts is rather pointless.
          • Maybe, or maybe the guy that caused the project's costs to get overrun will answer to someone why he let it happen.

        • by slick7 (1703596)

          Yes, that will fix things - unions. lol.

          And Star Wars shows how not to be a repressive government. 1984 is not just a book, it's a blueprint.

      • by Ambassador Kosh (18352) on Saturday December 15, 2012 @12:49PM (#42301709)

        I am not sure about the union part but it absolutely should have engineer type signoffs. Just like other things require a certified engineer to sign off on something (with legal consequences) but also prevents businesses from just going ahead and doing stuff anyways.

        However to go along with this would be the required education and certification to actually do the work to make sure the signoff is correct. I doubt that many people actually understand the work you have to do to become a certified engineer.

        At the very least you should have to pass a test like the FE exam and later the PE exam if you want that signoff capability for IT. You should have to take appropriate courses also. You would also have to get the laws changed so that operations required that signoff.

        • well then IT will need tech schools / trades school as part of the required education and certification. As CS in college does not cover that or only does so on a very top level.

          But you may need a Union so the boss can't say if you don't do the signoff we can find some one who will.

          • by lgw (121541)

            This works fine for Professional Engineers (PEs) in civil engineering with no union. PEs are hard to come by, and if you sign off on something you shouldn't you lose your PE cert (and may face harsher penalties). Your boss can't push you around when you're hard to replace, and you face worse penalties for letting him than merely being fired.

            Unions remove worker accountability, never the other way.

        • by Jawnn (445279) on Saturday December 15, 2012 @02:41PM (#42302533)
          I'd love to spend my mod points on you, brother, but your sage words deserve more....

          I am not sure about the union part but it absolutely should have engineer type signoffs.

          Most engineers in charge of building things that can hurt people of those things fail are required to prove their expertise and conform to both a professional code of conduct and civil codes that define a framework within which the engineer's must be done. Information technology has no such thing, and as others have already observed, this allows bean-counters, PHB's, and frankly, IT "engineers" who lack the requisite expertise, to put systems in place that have nowhere near the proper level of security measures around those systems. We've seen a few attempts from various sectors (HIPAA, PCI, SOX) to force some standards and accountability on entities in those sectors, but it's a patchwork of bureaucratic noise that, most often, doesn't result in the desired level of security. The one partial exception is PCI. If you are a vendor large enough to fall into the "Level 1" category, your stuff must be reviewed regularly by a third party. That rule is enforced by the banks, whose money is at risk. They really don't give a rat's ass about card-holders.
          And that is the problem. The SC Dept. of Revenue didn't have enough skin in the game to give a shit about, so they didn't. That needs to change. If you're going to build things that can hurt people when they fail, be those things skyscrapers, bridges, airplanes, or information security systems, you should have to prove that you know what you are doing and have your work reviewed by someone else who knows what they're doing.

        • by lucm (889690)

          I am not sure about the union part but it absolutely should have engineer type signoffs. Just like other things require a certified engineer to sign off on something (with legal consequences) but also prevents businesses from just going ahead and doing stuff anyways.

          However to go along with this would be the required education and certification to actually do the work to make sure the signoff is correct. I doubt that many people actually understand the work you have to do to become a certified engineer.

          At the very least you should have to pass a test like the FE exam and later the PE exam if you want that signoff capability for IT. You should have to take appropriate courses also. You would also have to get the laws changed so that operations required that signoff.

          I once had to deal with a client whose IT manager refused to encrypt the SAN, refused to encrypt the databases and saw no point in filtering the traffic between Development and Production servers. Apparently this was all overkill. And guess what, that IT manager was an engineer.

          An engineer ring does not make one any wiser.

  • I find it kind of amazing that there isn't a law in place defining how personal data is stored in North Carolina. Now, having said that, I have no idea what kind of laws are in place for other jurisdictions. Are there any lawyers out there that can comment?

    Hopefully, the people responsible for the design and sign off of the server data architecture were in the 2M plus people who's information was compromised.

    myke

  • by Joe_Dragon (2206452) on Saturday December 15, 2012 @11:31AM (#42301303)

    Outside / 3rd party contractors to blame?

    Do they have of staff IT workers or has parts / all of the IT be push to contractors? some times even ones that sub out work / hiring to other contractors?

    They add alot of overhead and at times make it hard for a worker who works for a sub to get some things done / add a long paper work / red tape process to get stuff fixed.

  • A General Rule (Score:5, Insightful)

    by mbone (558574) on Saturday December 15, 2012 @11:32AM (#42301311)

    I generally find it safe to assume that State of South Carolina does not show the way on how to do anything.

  • $800,000 (Score:5, Interesting)

    by Patch86 (1465427) on Saturday December 15, 2012 @11:33AM (#42301317)

    By a curious coincidence, $800,000 is exactly the same "cost of damages" that was levelled at Gary McKinnon for his amateurish computer escapades. ($800,000 being the "fix it" figure, not counting $13.5 million in other costs mentioned). So for Gary McKinnon, $800,000 in damages equals extradition and 60 years in prison. Will whoever was responsible for failing to implement a proper IS policy be expecting a similar visit from the Feds?

    Of course not. Punishment is reserved for shifting blame onto others, not for disciplining people who do things wrong.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Of course not. Punishment is reserved for shifting blame onto others, not for disciplining people who do things wrong.

      Of course not. Punishment is reserved for the serfs, not for disciplining the Lords who make up the rules on the fly.

      FTFY

    • by timeOday (582209)
      If they were to find out a state employee actually perpetrated the hack then you would have some kind of point.
    • likely the same price to get new hardware / software and in case of stuff like I-35 bridge collapse we have to wait for something bad to happen be for a issues that are push offed (like do to cost) get's fixed

    • Re:$800,000 (Score:5, Insightful)

      by wonkey_monkey (2592601) on Saturday December 15, 2012 @01:03PM (#42301759) Homepage

      Will whoever was responsible for failing to implement a proper IS policy be expecting a similar visit from the Feds?

      No, because gaining unauthorised access to a system and failing to do your job properly are two entirely different things.

      • by Patch86 (1465427)

        True. But most countries have laws defining "criminal negligence" for people who cause harm by failing to do their job to an expected basic minimum standard.
        http://en.wikipedia.org/wiki/Criminal_negligence [wikipedia.org]

        So you take intent out of the equation, you're still left with the same "harm done", the same damages. Maybe the sentence would be 5 years instead of 60 then; should we expect the head of Information Security to get a visit from the Feds on THAT basis?

        I'm still going to assume no.

  • by Waffle Iron (339739) on Saturday December 15, 2012 @11:33AM (#42301319)

    Who's to blame? In good part it's every single company and organization in this country that tries to use people's SSNs as some kind of secret PIN or ID. It's not.

    It's a non-changing lifetime number that you have to hand over to just about every doctor's office receptionist, insurance agent, and offshored credit card phone lackey that you deal with. *Nothing* of value should depend on SSNs being kept private in any way, shape or form. You reveal this number to thousands of people over your lifetime, few of which you have any reason to trust.

    Lately, companies seem to try to address this issue by truncating the SSN to its last 4 digits, then treating that portion as both the secret PIN and the part that can be publicly shown. Sheer idiocy.

    • What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?
      • by sribe (304414) on Saturday December 15, 2012 @11:51AM (#42301411)

        What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?

        At least in the U.S., there is none. But pretending that the SSN is one does not make it so.

        • To further compound the problem, SSNs are increasingly being used as both an identifier AND an authenticater!
          • by sribe (304414)

            To further compound the problem, SSNs are increasingly being used as both an identifier AND an authenticater!

            Don't you get it? The new standard, instead of two-factor authentication, we're moving to half-factor authentication. Or, for the cynical, half-ass-factor authentication.

      • by Minupla (62455)

        Lack of a single identifying number is not an insolible problem.

        Take Canada for example. We have a social insurance number (SIN - way better acronym :)). It is ILLEGAL to require it for anything other then tax purposes (in effect that means your employer and your bank if you have a savings account for most people).

        If you go to buy a car, and they want to pull a CB on you, you can say no. If you refuse to provide a SIN, they will match you based on a compound key. (Name, address, telephone, previous addr

        • by AJWM (19027)

          The Canadian SIN also has a checksum digit, like credit card numbers, bar codes and ISBNs, but notably unlike US SSNs, which do not. Not necessarily a huge anti-fraud advantage (if you know the algorithm you can create a number with a valid check digit) but certainly proof against random data entry errors.

          Although in some cases not having the latter may be seen as an advantage. (Somebody wants to use your SSN as a db key with no legal reason for it being your real SSN, you could just transpose a couple

      • So everyone as a (mostly) unique ID handed out by the government. That can be used to try to uniquely identify individuals. Great.

        But that in no way implies that the ID can be or should be sensitive information. In fact, any such use should be outlawed, IMHO. SSNs should NEVER be part of an algorithm used to validate one's identity for registration or sign-in (unless and until the government starts issuing tamper-resistant smart cards to enable two-factor authentication).

        The whole problem is that right now

      • by ShanghaiBill (739463) * on Saturday December 15, 2012 @12:44PM (#42301691)

        What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?

        Easy answer: SSNs. There is nothing wrong with using SSNs for identification . The problem is that we pretend like they are some sort of secret, and use them as authentication . That is stupid and it should be illegal for an financial institution to use them that way. People should be free to hand out their SSN, or even paint it on their mailbox, without fear of any consequences. We should just assume they are public knowledge.

        • by bogjobber (880402)
          Using SSNs for identification is foolish as well. They are not guaranteed to be unique identifiers (multiple people are sometimes issued the same SSN by the government and a whole lot more use someone else's SSN illegally), and not everybody is guaranteed to have one.

          The system as designed was perfectly fine, because they never planned on using it for ID. But it's still operating largely as it did when it was first implemented even though it's now an ID card, so there are some half-assed hacks being ma
    • by OzPeter (195038)

      >It's a non-changing lifetime number that you have to hand over to just about every doctor's office receptionist, insurance agent, and offshored credit card phone lackey that you deal with.

      No you don't. You only have to hand it over to people when you deal with *gasp* social security and taxation related functions, anyone else has no right to ask for it. Its just that in the US people are so used to handing it over that they do so no matter who asks.

      As someone now living in the US, when asked for my SSN I easily get by with saying "Sorry .. I can't remember it" (which is actually the truth, as I have only a vague idea what it is, and when actually I do need it I have to look it up.) and I s

      • by markdavis (642305)

        I personally have been REFUSED SERVICE by healthcare organizations when I refuse to provide my SSN, and treated like CRAP by said organizations, too. I have also been refused service by several other

        If you read the laws, only the GOVERNMENT is required to provide you service if you refuse to provide your SSN, unless there are laws specifically requiring it (and there are quite a few). There are absolutely no laws that restrict non-government from using SSN as a required ID number.

        Don't believe me? Go ahe

        • Identity and Authentication are government problems that need to be addressed.
          Regulations regarding the use of ID and authentication need to also exist. A company should have to fight to get approval for demanding Identification from a consumer. The SSN system needs upgrading; including the ENFORCEMENT of the laws passed a century ago banning the use of SSN as a unique identifier outside of SS. The replacement ID needs to include a name, photo, fingerprint... and like I said already, strict rules on where

    • by Shoten (260439)

      This was the department of revenue. At some point, the SSN is important to use for *something,* you know. It wasn't like there was a pizza delivery company using SSNs as customer numbers. It was the Department of Revenue. SSNs are, in effect, meant to be the individual account numbers for state and federal revenue tracking.

      If this was any other kind of situation, I would absolutely agree with you. But the way that taxes are handled, using SSNs as an identifier is valid, because of all the background sy

      • Read my post again. I said the problem is that other organizations, not the state of South Carolina, are using SSNs as *secrets*, like a PIN. That means that when this state DB gets hacked, people are agitated because these supposed "secrets" are exposed.

        There's not much problem with having a unique ID. It should just always be considered to be public knowledge, and handled accordingly.

  • Even if the SSNs had been encrypted, the application running on the server still needs access to the SSNs, which means it needs the keys with which the SSNs are encrypted. So anybody who compromises the server on which the application is run, or any machine authorized to connect to that server and view SSNs, compromises the SSNs.
    • by maeglin (23145)

      Even if the SSNs had been encrypted, the application running on the server still needs access to the SSNs, which means it needs the keys with which the SSNs are encrypted. So anybody who compromises the server on which the application is run, or any machine authorized to connect to that server and view SSNs, compromises the SSNs.

      That is not an excuse not to encrypt. Encrypting data and putting the key in a file called encryption.key would be sufficient to stop casual perusal of the data. Each additional level of obscurity beyond that raises the time and knowledge required to locate, understand and decrypt the data. Most people are out for a quick win and are not interested in reverse engineering your architecture.

      Conversely, if someone knows what they want, where it is and what is necessary to get it then you've got a problem that

      • by blueg3 (192743)

        Each additional level of obscurity beyond that raises the time and knowledge required to locate, understand and decrypt the data.

        So... what you're advocating is literally security through obscurity?

        • by maeglin (23145)

          Each additional level of obscurity beyond that raises the time and knowledge required to locate, understand and decrypt the data.

          So... what you're advocating is literally security through obscurity?

          Here's a question for you: Name one security technique that doesn't rely on obscurity in some form. Everything I can think that has actually implemented depends on large numeric search spaces, large physical search spaces (brass keys for example), a one time pad (needs to be hidden), steganography, etc. Security and obscurity go hand-in-hand. It is simply unfortunate that obscurity got a bad name along the way for some reason.

          But, ultimately, I'm advocating not throwing away security just because it isn'

          • by blueg3 (192743)

            You're playing at equivocation. Obscurity is an enemy not knowing how your system works. Secrets are the pieces of information that are not part of the process of how your system works but are critical to security. While it seems like they're similar, they're not. So most strong digital security systems rely not at all on obscurity, only on secrets.

            But, ultimately, I'm advocating not throwing away security just because it isn't perfect. You may not need the baby, but the bathwater might still be useful.

            I don't think that's what you're arguing. I don't disagree with that. If you can get some obscurity cheaply, go for it. Some obscurity is better than none. You j

    • There are ways around this. For example the SSNs could be stored as a hash and referred to as a hash.

      Also the server this application runs on is connected to the internet why?

       

      • by KPU (118762)

        There are less than 10^9 SSNs. That's a very easy brute force attack.

      • by tepples (727027)

        Also the server this application runs on is connected to the internet why?

        So that users at home can log in and do business with the government from home.

        • That doesn't require the application run on a server that allows connections from the internet.

          Usually such things are done on a server that is at least two firewalls away.

          • by tepples (727027)
            Firewalls can be compromised, and machines behind firewalls can be social-engineered.
      • by blueg3 (192743)

        That's only worthwhile if you're using the SSNs to compare them against external inputs. In essence, if you're using them as a form of authentication. That's a stupid idea to begin with. As this is the Department of Revenue, they're probably using the SSNs for their actual, tax-related purpose and need them in their original form.

        Despite what people seem to think, throwing encryption at a data security problem generally doesn't make it go away.

  • Taking a step even further back to look at things beyond the state's control, why do we take for granted that "clicking on a malicious email link" is enough to transfer control of your computer to an attacker?

    Zooming back in on SC, would encryption have even helped? The compromised credentials allowed for viewing the databases(*). That means they were also able to decrypt them

    (*) Which invites the question of whether those permissions were too widely issued.

  • by iggymanz (596061) on Saturday December 15, 2012 @11:48AM (#42301401)

    there is no reason most govenment employees need a pc connected to the internet. they should be using the equivalent of a dumb terminal that can only access relevant apps running on a server. instead, government employees use their pc as entertainment device. past time to take away their toys and give them a one-use tool

    • by Bearhouse (1034238) on Saturday December 15, 2012 @12:11PM (#42301527)

      This is modded insightful? There are plenty of reasons why a Gov.employee should be able to access the internet from their work device(s). Would be better to say that 1. Such access should be better protected and, 2. internal systems should be isolated from anything that (inevitably) slipped through

      • by Skapare (16644)

        Encapsulate and isolate. The work devices should be used for work function, only. No PERSONAL surfing. In addition to that, all devices with access to sensitive data shall be completely separate from devices that can access the internet. The database itself must be fully secured. It does not need to store data encrypted, since it would just need to have keys to function. The data is going to be decrypted under process control. What needs to happen is to identify where process control can be bypassed.

    • by Guppy06 (410832)

      there is no reason most govenment employees need a pc connected to the internet.

      What makes "government employees" fundamentally different from "private sector employees?"

      • by iggymanz (596061)

        we taxpayers are paying their salaries, so I care about the government employee doing the work I am paying them to do. that is the only difference. sure, most private sector employees also do not need a pc connected to the internet

  • I am old enough to remember when social security numbers were of no value to anyone except the Social Security Administration. The back of large a large stack of wide green bar paper from a discarded mainframe printout was often used for drawing charts and diagrams for other business use. I used it often to draw state diagrams and flow charts for systems (this was LONG before Power Point and Visio). People also took stacks home for kids to draw and color on. Many times the front side of this paper was fu
    • by CodeBuster (516420) on Saturday December 15, 2012 @12:38PM (#42301653)

      it would be incumbent on the financial institutions to NOT use it as their primary means of ID for purposes of granting credit.

      The laws must be changed to say that a Social Security number, by itself, proves nothing. It should not prove that a debt exists or that any other legally binding agreement was entered into by anyone. As long as businesses can get away with using the SSN as both an identifier and an authentication, which is how this whole "identity theft" nonsense got started in the first place, they will continue to do so. Therefore, the only viable solution is to render the Social Security Number legally worthless as proof of anything. They ought to be just numbers, nothing more.

      • by Skapare (16644)

        It should say that SSN is nothing more than identity (as if pointing at a person). It should specifically say that anyone (individual, business, or corporation) who assumes than an SSN is AUTHORIZATION shall be CRIMINALLY (as well as civilly) liable for having committed a crime of fraud upon the identified person.

        • In addition, the entire database of SSNs should be published as public information. A reasonable time (say, ten years) until that date should be allowed to let businesses update their systems and people to understand that the SSN is an identifier only.
  • The non-encrypted file isn't the main problem here. Yes, the file should have been encrypted. But the main problem is that the attackers could get access to it by simply having the employee click on that email link. Clicking a link in an email should never ever enable an attacker, no matter how malicious, to access local files.

    • by Skapare (16644)

      I would agree. And it starts with taking over the users machine. Once that happens, all bets are off if that user had access rights to the data by some machine. Whether the data (elsewhere) was stored encrypted or not doesn't even matter. If this person had such access it would have to include decrypting it by some means and by that he would give the new owner of his machine full access to the data, too ... even if it wasn't on the same day he clicked the email. Both email reading and web browsing shou

    • by Skapare (16644)

      The central database itself does not need to encrypted (doing so just means the decryption key has to be there, making the encryption pointless). It needs to be secured against any means of access that does not go through the process (locked building, restricted physical access to data center, armed guards, no internet access to that whole room, etc). Thieves should not be able to get in there at all.

      But any data being stored outside needs to be encrypted, and have data compartmentalization on that. Ther

      • by AJWM (19027)

        The central database itself does not need to encrypted

        Yeah it does.

        (doing so just means the decryption key has to be there, making the encryption pointless)

        No it doesn't. The decryption key has to be somewhere, sure, but it can (and should) be provided along with the query extracting the information. Put the keys in the middleware layer (which should reside on a whole different set of servers), not in the DB.

    • by lgw (121541)

      Clicking a link in an email should never ever enable an attacker, no matter how malicious, to access local files.

      When you find a way to make that true, make sure to let the entire security industry know. Drive-by malware is pretty bad these days - between Java and Adobe products, almost any end-user is going to be running some sort of scripting engine in his browser, and none of the sandboxing is ever perfect. "Local files" are a particularly easy target, because you generally don't even need root, just some flash/pdf/java/whatever exploit to do some file reads as the logged-on user.

      • Just having the browser and email program running under a separate user account from the internal stuff would go a long way at protecting local files.

  • by onyxruby (118189) <onyxruby@NOspam.comcast.net> on Saturday December 15, 2012 @12:23PM (#42301597)

    I have seen this kind of thing justified by upper management more times than I can count. The problem is that upper management literally does a Fight Club style calculation that says the costs of data breaches will be less than the costs of security. They /expect/ to have computers routinely hacked and owned by people with malicious intent.

    Until the values assigned to the cost of data breaches go up or unless you have some kind of law (HIPAA, SOX etc) this kind of thing will only continue. Public notification laws are one the best things that can be done to prevent this. It's not that the IT pros don't know better, are unwilling to follow best practices or don't care. The problem is that the IT pros that secure these environments aren't allowed to do their job.

    When upper management thinks that computer management and security have no value and that security breaches cost less than security this kind of thing is inevitable.

  • All those businesses and government agencies that allow merely having data, like that which was taken in this case, The fact that I can walk into any bank and open an account in YOUR NAME just because I have YOUR SSN does not mean that I AM YOU. But the vast majority of banks make that assumption. Lots of other businesses types make this kind of assumption, too. Many have expressly even said so. "This account has your SSN, so it must be your account".

    The first law we need to have is one that allows peo

  • $800,000 - improve information security systems, new IT jobs in SC?
    $500,000 - SC police department job security?
    $740,000 - USPS? - sure could need some juice there
    $250,000 - ah - lawyers again
    $12,000,000 - who would get that?


    $14,290,000

    Actually good if money moves rather than staying static in some folk's accounts waiting for it to increase bu other people's efforts.
  • I work for a state agency doing IT. Our state is just as bad because a) IT people aren't trained properly in security and b) "security" regulations prohibit actual security. It often happens that a secure design can't be used because it wouldn't be in compliance with laws and regulations, so an insecure system must be used. For example, last week we needed a secure hash token to secure a transaction. SHA-128 or 256 was the right way to do it, but the law says all hashes must be MD5 (which has been broke

Sentient plasmoids are a gas.

Working...