Data Breach Study Spanning 500 Break-Ins Released

← Back to Stories (view on slashdot.org)

Data Breach Study Spanning 500 Break-Ins Released

Posted by samzenpus on Wednesday June 11, 2008 @11:57PM from the did-you-update-the-windows dept.

Dr. Jim Anderson writes "The good folks over at Verizon Business have released a report that summarizes what they've found after looking through 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported. What did they find? How about (1) Nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place, (2) Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability and (3) attacks from Asia, particularly in China and Vietnam, often involve application exploits leading to data compromise, while defacements frequently originate from the Middle East."

71 comments

Aarrgghhh!!! by DoofusOfDeath · 2008-06-12 00:00 · Score: 4, Funny

(2) Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability and

How the hell are we supposed to defend ourselves against the 75% of attacks that are immune to the laws of logic???
1. Re:Aarrgghhh!!! by ledow · 2008-06-12 00:05 · Score: 4, Informative
  
  Yeah, it's really not clearly worded, is it?
  
  I assume they mean "software/hardware vulnerability", and that the other 75% are people doing stupid things - "human vulnerabilities" or even "policy vulnerabilities". It's interesting in itself though that 75% of the attacks are due to, presumably, direct human error and nothing to do with the data being on computer.
  
  So when you're bank next releases your details, don't accept an explanation. Most probably, someone who works there did something incredibly stupid and deliberate, rather than they got hacked or outwitted.
2. Re:Aarrgghhh!!! by Anonymous Coward · 2008-06-12 00:09 · Score: 2, Funny
  
  No, no! What they are trying to say is that 75% took advantage of both a known and unknown vulnerability! You have to remember, the 'or' in this sentence was probably not written by a programmer.
3. Re:Aarrgghhh!!! by mlush · 2008-06-12 01:08 · Score: 1
  
  (2) Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability and
  
  How the hell are we supposed to defend ourselves against the 75% of attacks that are immune to the laws of logic???
  
  I took that to mean they did nothing clever and tried a directory attack on passwords.
4. Re:Aarrgghhh!!! by Lodragandraoidh · 2008-06-12 01:10 · Score: 1
  
  Known or unknown by the attackee (or computer security experts for that matter) -- not the attacker who certainly knows about it.
  
  So it is logical, if taken in context.
  
  --
  
  Lodragan Draoidh
  The more you explain it, the more I don't understand it. - Mark Twain
5. Re:Aarrgghhh!!! by sBox · 2008-06-12 01:38 · Score: 1
  
  Someone's been reading too much Rumsfeld:
  
  There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.
6. Re:Aarrgghhh!!! by Anonymous Coward · 2008-06-12 02:32 · Score: 2, Informative
  
  Actually what they are getting at is some one left the door open (an attack of a vulnerability wasn't needed). like putting the data on a share that they didn't realize was public.
7. Re:Aarrgghhh!!! by Tanktalus · 2008-06-12 02:47 · Score: 4, Insightful
  
  Apparently, someone is trying to make Rumsfeld out to be an idiot. Though that he may be, IMO this quote is actually fairly insightful, if somewhat poorly worded. I've had a similar saying (is it a saying if I'm the only one saying it?): "There are three types of people in the world. Those who don't know what they're doing and know they don't; those who know what they're doing and know they do; and those who don't know what they're doing but think they do. It's the last group that screws everything up for the other two groups." The thing to realise is that everyone falls into all three categories for different aspects of our lives, and the challenge is to tell the difference for each situation to try to avoid being in the last group.
  
  In Rumsfeld's quote, "known knowns" are the areas where we are in the middle group: knowing what we're doing, and knowing that. "Known unknowns" are the areas where we don't know what we're doing and know we don't. And "unknown unknowns" are the last group: things we think we know, but don't. (Ok, that's not quite precisely what he's talking about, but it's analogous.) And that last group is the most dangerous one.
8. Re:Aarrgghhh!!! by Anonymous Coward · 2008-06-12 04:42 · Score: 0
  
  The other 75% are most likely misconfiguration. Things that would be secure if people would have set things up properly.
9. Re:Aarrgghhh!!! by element-o.p. · 2008-06-12 05:09 · Score: 1
  
  You aren't the only one saying it, but I've always seen it drawn as a graph:
  
  | Has a clue | Has no clue
  
  Is not arrogant | ideal | acceptable
  
  Is arrogant | acceptable | unacceptable
  
  (Sorry the graph isn't turning out very clear; /. stupid comment filter is mangling it....)
  
  The best person to hire or work with is the "not arrogant/has a clue person". You can work with a person who has a clue and is arrogant since they know enough not to break things, but it may not always be pleasant. You can work with a person who has no clue but is aware of the fact, because they can be taught. But the person who doesn't know jack **** but thinks they are God's gift to mankind doesn't know enough not to break things and can't be taught because they *think* they know everything.
  
  If you sed "s/not arrogant/knows what he doesn't know/" and sed "s/arrogant/does not know what he doesn't know" you get the gist of Rumsfeld's quote and your saying -- which despite Rumsfeld's poor wording is actually a pretty insightful comment, IMHO.
  
  --
  MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
10. Re:Aarrgghhh!!! by Anonymous Coward · 2008-06-12 05:35 · Score: 0
  
  What about the people who don't think they know what they're doing but really do, what one of the 3 groups is this?
11. Re:Aarrgghhh!!! by DoofusOfDeath · 2008-06-12 05:55 · Score: 1
  
  I've had a similar saying (is it a saying if I'm the only one saying it?): "There are three types of people in the world. Those who don't know what they're doing and know they don't; those who know what they're doing and know they do; and those who don't know what they're doing but think they do. It's the last group that screws everything up for the other two groups."
  
  Yeah, it's weird that a 55-word saying never caught on.
Fewer than 25 percent... by Anonymous Coward · 2008-06-12 00:03 · Score: 0

... took advantage of a known or unknown vulnerability? What the hell did the other 75% do??
1. Re:Fewer than 25 percent... by morgan_greywolf · 2008-06-12 00:07 · Score: 5, Interesting
  
  ... took advantage of a known or unknown vulnerability? What the hell did the other 75% do??
  Try RTFS.
  Nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place,
  The rest didn't need to take advantage of vulnerabilities because good security was simply not in place.
  
  --
  My blog
2. Re:Fewer than 25 percent... by nocaster · 2008-06-12 01:13 · Score: 5, Funny
  
  ... took advantage of a known or unknown vulnerability? What the hell did the other 75% do?? username: admin
  password: password
3. Re:Fewer than 25 percent... by Anonymous Coward · 2008-06-12 01:52 · Score: 0
  
  joshua
4. Re:Fewer than 25 percent... by QuantumRiff · 2008-06-12 02:29 · Score: 3, Funny
  
  TAKE down your damn post. I'm reporting you to the FBI for cracking my password!
  
  --
  
  What are we going to do tonight Brain?
5. Re:Fewer than 25 percent... by Anonymous Coward · 2008-06-12 04:31 · Score: 0
  
  Dr. Falken is that you?
6. Re:Fewer than 25 percent... by element-o.p. · 2008-06-12 05:15 · Score: 1
  
  *Only* 75%? I'd have guessed it would be a much higher percentage. You would not believe how many times I have encountered such things, even from people who really should have known better. (Of course, this is /. -- most everyone here has probably experienced this, too).
  
  --
  MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
7. Re:Fewer than 25 percent... by inKubus · 2008-06-12 16:19 · Score: 1
  
  TAKE down your damn post. I'm reporting you to the FBI for cracking my password!
  
  That's the combination for my luggage!
  
  --
  Cool! Amazing Toys.
um... by fredklein · 2008-06-12 00:03 · Score: 1

Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability

So, 75% of attacks didn't take advantage of a vulnerability at all?
1. Re:um... by Ynot_82 · 2008-06-12 00:07 · Score: 1
  
  probably not, no
  
  lack of security (open systems / trivial, or written down passwords) doesn't immediately mean a problem with the software.
  Equally possible (if not more likely) for the problem to be with the user(s) use of the software
2. Re:um... by bencoder · 2008-06-12 00:12 · Score: 2, Insightful
  
  Stupid users and administrators would still be considered a vulnerability, which is the problem with the wording. If a system has no vulnerabilities it is impossible to break into.
3. Re:um... by Datamonstar · 2008-06-12 00:19 · Score: 2, Informative
  
  No, that means that there were patches available but they were never applied, or the attacker might have used social engineering or some other means to trick the person into installing malware.
  
  --
  The eternal struggle of good vs. evil begins within one's self.
4. Re:um... by fredklein · 2008-06-12 00:26 · Score: 2, Insightful
  
  the attacker might have used social engineering ...which is a vulnerability. Lack of proper security measures and security training.
5. Re:um... by BVis · 2008-06-12 00:58 · Score: 3, Insightful
  
  In addition to the training, you need to make breaches of security a terminable offense, for everything from a deliberate theft of information, to writing down a password on a sticky note and putting it on your monitor. Without teeth, you cannot enforce a security policy, and a policy that isn't enforced isn't a policy.
  
  --
  Never underestimate the power of stupid people in large groups.
6. Re:um... by element-o.p. · 2008-06-12 05:21 · Score: 1
  
  No, that means that there were patches available but they were never applied...
  
  To me, that sounds like a known vulnerability. I think one of the posts above is probably a better answer to the question "what makes up the other 75%, if not a known or unknown vulnerability":
  
  Username: admin
  Password: password
  
  Leaving the system in a default state isn't a flaw in the software so it isn't a software vulnerability. It's a lazy/sloppy sys admin. Unfortunately, this leads to playing semantic games -- "what exactly is a vulnerability?"
  
  --
  MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
Business Partners?? by Finallyjoined!!! · 2008-06-12 00:06 · Score: 4, Funny

Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied.

Some Partners!!

Watch your backs guys.

PS. How can 39% rise 5 fold?

--
If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
1. Re:Business Partners?? by Anonymous Coward · 2008-06-12 00:09 · Score: 0
  
  I believe it rose TO 39%, which means from 7.8%.
2. Re:Business Partners?? by Red+Flayer · 2008-06-12 01:07 · Score: 2, Informative
  
  PS. How can 39% rise 5 fold?
  It didn't.
  
  Here's an example to make some sense of it:
  
  Say there were 200 cases, 100 each over two years. During year 1, there were 13 cases due to business partners. During year two, there were 65 cases due to business partners.
  
  The percentage went up five-fold between year 1 and year 2, but the total percentage over the study is 39%.
  
  --
  "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
3. Re:Business Partners?? by zdickinson · 2008-06-12 02:47 · Score: 0
  
  "PS. How can 39% rise 5 fold?" They were 7.8% before.
  
  --
  I hate ethics, I avoid them on principle.
Actual report by martyb · 2008-06-12 00:11 · Score: 5, Informative

Here is a link to the actual report (PDF): http://www.verizonbusiness.com/resources/security/databreachreport.pdf
I quickly scanned the report and it appears to be quite detailed. Definitely required reading for any CxO!
1. Re:Actual report by morgan_greywolf · 2008-06-12 00:15 · Score: 5, Insightful
  
  Definitely required reading for any CxO!
  CxOs don't read things like this. Instead, they usually read advertisements that say BS things like "buy our product and you'll never have any security problems again!"
  
  That's why 9/10 attacks involved totally preventable breaches -- if reasonable security had been in place.
  
  --
  My blog
2. Re:Actual report by BVis · 2008-06-12 01:04 · Score: 3, Insightful
  
  Not to mention the fact that CxOs are frequently the biggest offenders when it comes to poor security practices. I've seen more than one CEO of a Fortune 500 company use the name of the company as their domain/email password, and refuse to change it on a regular basis like the rest of the users at the company. Trying to enforce a security policy with someone who can have you escorted off the premises on a moment's notice is pretty much impossible.
  
  The only way it works is to get the CEO/Chairman/Lord High Muckety-Muck to sign off on a policy that applies to EVERYONE, and then firing an executive for breach of policy as a demonstration of how serious the company takes security. (This assumes that a CxO breaches policy at some point, which is pretty much inevitable.) The attitude of "security policy is for little people" reminds me of Leona Helmsley's 'taxes are for little people' attitude.
  
  --
  Never underestimate the power of stupid people in large groups.
3. Re:Actual report by Anonymous Coward · 2008-06-12 02:21 · Score: 0
  
  CxO: "But I'm special! I'm too important to be held to the same rules as the rest of you peons! Now get the hell out of my office so I can sneak out for golf and have the company pay for it."
4. Re:Actual report by Anonymous Coward · 2008-06-12 03:08 · Score: 0
  
  >Here is a link to the actual report (PDF):
  Do they have a virtual report too?
Data transaction zones by Pysslingen · 2008-06-12 00:12 · Score: 5, Interesting

But often I wonder how many companies connect everybody in the company to the internet when there is no real need? One place I worked maintained three separate networks; one for internet, one for work, one for very confidential work. The work network had access to e-mail (internet-based e-mail through a firewall through which only the mail-server could talk) while the confidential network had only internal e-mail. This may have been overkill, but breaches were more or less impossible. Running NT4 also made sure USB sticks weren't an issue, though I believe they managed to upgrade to XP a few years ago, but testing was extensive.
1. Re:Data transaction zones by watookal · 2008-06-12 01:16 · Score: 2, Funny
  
  "Running NT4 also made sure USB sticks weren't an issue, though I believe they managed to upgrade to XP a few years ago, but testing was extensive."
  
  The security dudes at my previous place of employment managed to devise a more portable solution to the USB stick problem: they simply glued shut the USB ports on all computers. No kidding.
2. Re:Data transaction zones by sbenson · 2008-06-12 01:22 · Score: 1, Informative
  
  Set permissions on usbstor.sys
  
  save the glue.
3. Re:Data transaction zones by RAMMS+EIN · 2008-06-12 01:33 · Score: 1
  
  Now, that's reasonable security measures you're talking about. The study found that most places that got breached didn't do any of that.
  
  Also, working without Internet access can be a real pain. It obviously depends on what you are doing, but many things grind to a halt when there is no web access.
  
  Fortunately, there is WWW over SMTP. And seakernet. And ad-hoc networks.
  
  I guess if you try to lock down the place too much, you'll have a plethora of access vectors beyond your control in no time.
  
  Sometimes, better security is achieved through less intrusive measures.
  
  --
  Please correct me if I got my facts wrong.
4. Re:Data transaction zones by ledow · 2008-06-12 01:34 · Score: 1
  
  It's not hard, but lots of place do it. I agree it's stupid not to.
  
  Schools, for instance, generally run a "curriculum" and an "admin" network - one for the kids, one for the staff. Joining both is seen as an extremely bad thing. But there's usually absolutely nothing stopping people from connecting to random websites from the admin (even in the finance offices etc.).
  
  Bring back the old days of text menus:
  
  1. Pay in
  2. Pay out
  3. Print
  
  Reduce the interface, reduce the capabilities, reduce the vulnerabilities.
5. Re:Data transaction zones by deroby · 2008-06-12 04:09 · Score: 2, Informative
  
  Somehow doesn't always work. I can't explain it, but I do KNOW that it can be circumvented :
  
  Some time back I was a consultant at a (largish) bank. They too had 'locked out' USB devices that way. And hold & behold, it worked on any randomly available USB-stick, no external drives were mounted.
  
  Some days later I was 'confused' and tried to copy something using my (very) old 64Mb stick. Worked like a charm. Realizing that this was 'impossible', we tried with other USB sticks, but mine was the only one that worked.
  The stick was a gift at some conference and has the word "Microsoft" stamped on it.
  Ever since I call it 'my precious' =)
  
  Anyway, once you have physical access to a machine, there's very little to stop you getting any data you want imho...
  => simply hook up an Ethernet cable between your portable computer and given machine, a bit of fiddling with tcp-ip settings on the laptop, starting an ftp server or something and off you go...
  
  ps: gluing both usb & the internet connector might work =)
  
  --
  If there is one thing to be learned on slashdot, it has to be sarcasm.
6. Re:Data transaction zones by sbenson · 2008-06-12 08:13 · Score: 1
  
  usbstor.sys is and must be called to initiate the loading of the filesystem, a important step in the process.
  
  Proper permissions should stop this and has always in my networks.
  
  But, as I am a Linux guy, and we are talking windows.... Maybe it really only works sometimes.
  After all, who has read the windows code?
  
  "I believe everyone should create their own standards."
7. Re:Data transaction zones by wev162 · 2008-06-12 17:21 · Score: 1
  
  Until someone pops open the case and attaches the drive to a USB header on the motherboard. Physical access means it's only a matter of time until a creative user finds a way to own a machine.
Those aren't vulnerabilities... by gardyloo · 2008-06-12 00:17 · Score: 4, Funny

... those are features.
1. Re:Those aren't vulnerabilities... by Anonymous Coward · 2008-06-12 00:27 · Score: 1, Funny
  
  That was for the other 75%
Corporate security breach cause (4) by RevWaldo · 2008-06-12 01:06 · Score: 1

Someone claiming authority approaches the corporation, ask for all of their data; the corporation responds "Sure! Would you like a bag for that? Paper or plastic?"
http://yro.slashdot.org/article.pl?sid=07/05/08/1222239

--
Prisencolinensinainciusol. Ol Rait!
Re:Middle East by billcopc · 2008-06-12 01:32 · Score: 1

Well yes, but there's also an important reason for the -1 mod: the GP has no factual basis for laying the blame on Israel.

In fact, I've seen far more attacks coming from Pakistan, Egypt and Yemen (?!) than Israel. But yes, people are racially biased... whether it's pro-racism or anti-racism, very few people have the discipline to be right down the middle.

I think what a lot of people neglect to do is to filter access by country. If you're operating a U.S. bank, why in the world would you want Vietnamese and Chinese IPs visiting your site or hammering your firewall ? Do you have an admin over there, SSHing in ? No ? Then block it!

It's usually quite simple to come up with a geographically aware security strategy. Figure out which areas need access to each resource, and shut out the rest. Web access isn't spared, either. If you don't offer services outside your country, I strongly suggest serving up a different, nerfed site to those people - something with no sign-up forms or dynamic content of any kind. That way, they can still read up about who you are and what you do (again, goddamned travelers surfing abroad), but since you don't do business with that nation, you don't expose your site's soft underbelly to people who have no business being there in the first place. There's always the phone or postal mail for those folks.

--
-Billco, Fnarg.com
Indeed by inviolet · 2008-06-12 01:45 · Score: 0, Troll

"The good folks over at Verizon Business...

Shall I tag this 'badsummary', or do we have an 'oxymoron' tag we can use?
"...have released a report that summarizes what they've found after looking through 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported. What did they find? How about (1) Nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place,

As well, nearly nine in 10 corporate assholes could have been prevented had reasonable security measures been in place at the time of conception.
[...] while defacements frequently originate from the Middle East."

Also dehandments and deheadments.

--
FATMOUSE + YOU = FATMOUSE
1. Re:Indeed by Kabuthunk · 2008-06-12 02:59 · Score: 1
  
  This is slashdot... the tag 'badsummary' should almost be defaulted to every summary.
  
  --
  Planet Zebeth - Metroid with a twist
Re:Middle East by aproposofwhat · 2008-06-12 01:58 · Score: 0, Offtopic

Actually (and I'm no fan of Israel - got mercilessly modded down a few days ago for making anti-Zionist points), a lot of the defacements are from pro-Palestinian groups.
Unfortunately Zone-H is down at present, but when it's up I invite you to check for yourself.

--
One swallow does not a fellatrix make
Re:Middle East by quanticle · 2008-06-12 02:00 · Score: 1

If you're operating a U.S. bank, why in the world would you want Vietnamese and Chinese IPs visiting your site or hammering your firewall ?
As a U.S. bank are you really going to tell your customers, "By the way, if you ever need to access your account while on vacation outside the country, you're out of luck?"

Web access isn't spared, either. If you don't offer services outside your country, I strongly suggest serving up a different, nerfed site to those people - something with no sign-up forms or dynamic content of any kind.
Most of your customers assume that World Wide Web means just that: world wide. If I were a business owner, I'd certainly think twice before potentially driving away customers by telling them, in essence, "I can't trust you because you're not from the same country I am."

--
We all know what to do, but we don't know how to get re-elected once we have done it
Schroedinger's Vulnerability by Hoi+Polloi · 2008-06-12 02:14 · Score: 3, Funny

Clearly what they are referring to are quantum vulnerabilities. The exact nature of the vulnerability doesn't become clear until someone observes it.

--
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
1. Re:Schroedinger's Vulnerability by ubrgeek · 2008-06-12 03:23 · Score: 1
  
  Schrödinger's vulnerability?
  
  --
  Bark less. Wag more.
Names of the Breached? by TheSeventh · 2008-06-12 02:39 · Score: 1

Why doesn't it go over the names of the companies that were breached? I've had my identity stolen but I don't know where they got my information, as I'm kind of A-R about my SSN, and such. (Thank God the ID Thieves were incredibly stupid, and only opened a home telephone account - which means they could be found because of the address for the service . . .)

But I've also had other account information stolen, and I knew where it came from. I use a different email address for EVERY website I give any information to, specifically to determine if my information was given away, or stolen. (Catch-All Email on a private domain.)

I had signed up to eHarmony, but never gave them my CC#, or anything besides an email, and now this email address gets TONS of spam for V!@GRA and pr0n sites. So, I know their system was hacked. However, I never heard a word from them about the data breach or my account info being stolen.

Companies need to be made criminally liable for data breaches that could have been prevented, as well as be forced to reveal any and all breaches as soon as they know about them. But that's just not in the companies best interests, and their lobbyists let the Republicans know this. Real security might cost them a little more money, and hiding data breaches doesn't cost them much at all. So, there are no incentives to do any different.

--
Just because you're paranoid, it doesn't mean that they're not out to get you.
1. Re:Names of the Breached? by flajann · 2008-06-12 03:42 · Score: 1
  
  I typically put the name of the company in as a part of the email address when I use my email address on the web. This way, I always know who the sellouts are -- as well as those with poor security. And it's always surprising who turns out to either be a sellout or barn door. You can never be sure which. I signed up for the Netscape Developer program a long time ago (remember Netscape?) and today I still get SPAM sent to "fred_netscape@..."
  I'm not really into passing laws against this sort of thing, because government never seems to know the balance and always tend to get it wrong. What I'd rather see is a "blacklist" of corporations that failed to protect our privacy either due to selling us out or allowing themselves to be breached.
  Yes, I know, there are big potential points of litigation doing that. But then with a cadre of participating lawyers, you could always do a class-action counter-suit!
  
  --
  Ruby Neural Evolution of Augmenting Topologies
what is reasonable security in law? by Benjamin_Wright · 2008-06-12 02:48 · Score: 1

Legally speaking, what is "reasonable security?" FTC fined TJX for not having it, but I disagree. Verizon says 9 of 10 data breaches could have been avoided if reasonable security were present. That implies 9 in 10 breach victims were in violation of law. The study's outlook is that the solution to identity theft is locking down corporate data. But a security consultant/solution provider like this Verizon unit naturally sets a high bar for what is reasonable. And when Verizon evaluates whether reasonable security could have prevented a break-in, it does so with the benefit of hindsight. Yet the study goes on to say that in modern systems knowing where all your data reside is "an extremely complex challenge." In other words, the shere problem of keeping up with the location of data (so you can apply security) is very expensive, and mistakes by data-holders who act in good faith are easy. The reasonable measures expected by FTC and Verizon are extravagantly hard to implement in practice. Hence, the portion of incidents preventable by FTC/Verizon's reasonable procedures is much lower than 90%. We need to focus more attention on other solutions to identity theft. --Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html

--
Benjamin Wright, Dallas, Texas, benjaminwright.us
That sounds like JPMChase by Anonymous Coward · 2008-06-12 02:56 · Score: 0

Except for one thing: They used a very insecure Novell server for the NT workstations to log into. Needless to say, it was insanely easy to log in as "Unknown" due to Novell's ridiculous security holes.
What a surprise. by flajann · 2008-06-12 03:27 · Score: 1

From the people who can't distinguish the difference between 0.002 dollars and 0.002 cents, why am I not surprised?

--
Ruby Neural Evolution of Augmenting Topologies
are we missing someone? by Anonymous Coward · 2008-06-12 05:04 · Score: 0

did verizon count themselves? http://www.consumeraffairs.com/news04/2006/03/verizon_laptops.html
Re:Middle East by element-o.p. · 2008-06-12 05:31 · Score: 1

As a U.S. bank are you really going to tell your customers, "By the way, if you ever need to access your account while on vacation outside the country, you're out of luck?"

The full text from the grandparent post:
If you're operating a U.S. bank, why in the world would you want Vietnamese and Chinese IPs visiting your site or hammering your firewall ? Do you have an admin over there, SSHing in ?

If you are a bank, do you have your users signing in via SSH???

No, you probably don't want to block access to HTTPS (you ARE using HTTPS, right?) or SMTP from Vietnam or China (I would add Korea to this list based on the SSH and spam mails I've seen from Korean networks), and yes, I am aware that this implies that it would be possible to brute force your customers' passwords if you don't do something sensible like lock out their accounts after x invalid password attempts.

--
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
Stating the Obvious by Hordeking · 2008-06-12 05:31 · Score: 1

Another recent study also found that water is wet and another study found that most studies are a waste of money.

--
Disclaimer: The opinions and actions of the US Gov't are in no way representative of those held by this author or its ci
Re:Middle East by quanticle · 2008-06-12 05:44 · Score: 1

I was speaking to the following quote (perhaps I should have been more clear in my original post):

Web access isn't spared, either. If you don't offer services outside your country, I strongly suggest serving up a different, nerfed site to those people - something with no sign-up forms or dynamic content of any kind.
If your customers are overseas and they get the nerfed version of your site that doesn't allow for logins on any sort of interaction they'll certainly take their business to someone who does allow that sort of thing.

--
We all know what to do, but we don't know how to get re-elected once we have done it
Re:Middle East by element-o.p. · 2008-06-12 07:39 · Score: 1

Ah...sorry. My mistake.

--
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
Some clarification on 'vulnerabilities' by whbaker · 2008-06-12 15:38 · Score: 2, Informative

Though it wasn't our intention, it seems the reference to the % of attacks exploiting vulnerabilities has caused some confusion. It's true that 'vulnerability' can have a very broad definition (synonym for 'weakness') but we are referring specifically here to specific named/numbered (has a CVE or MS #) software vulnerabilities. The bulk of attacks across our caseload did not exploit such vulnerabilities - they exploited misconfigurations, omissions, poor security, etc. Hope that helps clear things up a bit.
Re:Middle East by billcopc · 2008-06-14 08:52 · Score: 1

There's still phone banking... it's not like you'd be entirely locked out of your account.

--
-Billco, Fnarg.com