Slashdot Mirror


Pentagon Credit Union Database Compromised

Trailrunner7 writes "The credit union used by members of the US armed forces and their families has admitted that a laptop infected with malware was used to access a database containing the personal and financial information of customers. The Pentagon Federal Credit Union (PenFed) issued a statement to the New Hampshire Attorney General that said data, including the names, addresses, Social Security Numbers and PenFed banking and credit card account information of its members, were accessed by the infected PC."

108 comments

  1. Quick... by butalearner · · Score: 2

    Any banks or credit unions not using Windows?

    1. Re:Quick... by kaptink · · Score: 2

      It's sad when your first thought on reading this story is 'oh, another Windows fail', but the sad reality is that I would bet my life that it was. Assuming I am correct, will Microsoft be held accountable?

      --
      Those who can, do. Those who cannot, sue.
    2. Re:Quick... by forkfail · · Score: 2

      Only Ye Ole Under The Mattress Bank.

      And even then, it's up to the depositor to ensure that the room is windowless...

      --
      Check your premises.
    3. Re:Quick... by butalearner · · Score: 1

      Oh dear, so many ways to feed the troll. Hmmm, how about a bad car analogy?

      That's like a customer wanting a car that has high safety ratings, but calling them a tool because people seldom get in wrecks anyway.

    4. Re:Quick... by Amorymeltzer · · Score: 1

      No.

      --
      I live in constant fear of the Coming of the Red Spiders.
    5. Re:Quick... by butalearner · · Score: 2

      It's sad when your first thought on reading this story is 'oh, another Windows fail', but the sad reality is that I would bet my life that it was. Assuming I am correct, will Microsoft be held accountable?

      Of course Microsoft is not responsible, but also consider, had the laptop-toting person responsible been using something other than Windows, it would be highly unlikely that we would be having this discussion. It occurred to me after I posted (and after reading the article) that the laptop could have been a personal one, and it doesn't really matter what the bank is using if the guy loaded up the database on it and the malware quietly sent it elsewhere.

    6. Re:Quick... by Thud457 · · Score: 1

      Wait, I thought one of the justifications against going FOSS was that if something went disastrously wrong with a Windows system, at least you could sue Microsoft.

      ?

      --
      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    7. Re:Quick... by TheRaven64 · · Score: 2

      Nope. The justification is that you can blame Microsoft. You can say to your boss 'we went with the same thing that everyone else is using' and then you don't get blamed personally.

      --
      I am TheRaven on Soylent News
    8. Re:Quick... by Anonymous Coward · · Score: 0

      Nope. The justification is that you can blame Microsoft. You can say to your boss 'we went with the same thing that everyone else is using' and then you don't get blamed personally.

      mod parent up

    9. Re:Quick... by sunderland56 · · Score: 1

      Even if the bank had absolutely NO windows machines, and no Microsoft products anywhere - their database can be compromised by malware loaded on an external, non-bank-owned machine. Anywhere a login/password combination is stored is a potential data breach.

      It is the fact that they allow database access from an external, insecure site that is the issue - not which operating system is in use.

    10. Re:Quick... by Anonymous Coward · · Score: 0

      it doesn't really matter what the bank is using if the guy loaded up the database on it

      Yes, that old middle management trick again, performing as it always has againandagainandagainandag

    11. Re:Quick... by TheLink · · Score: 1

      What I find strange is if this statement was really true: "data, including the names, addresses, Social Security Numbers and PenFed banking and credit card account information of its members were accessed by the infected PC."

      Most malware programs don't copy every file and send the data over.

      So either the malware was suspiciously very targeted (looks for such files and sends contents out) or this was just a precautionary measure - they had to assume the data was compromised even if the malware didn't actually access all of that.

      --
    12. Re:Quick... by pinkushun · · Score: 1

      More than likely if the PC was up to date, and safe practices were used, then this issue could have been prevented.

      That said, such safe practices are much more maintenance and unwieldy in the Windows world - no I'm not dissing, it's fact from experience, as many of you may know.

      Technically, Microsoft is accountable. Legally, not.

    13. Re:Quick... by Anonymous Coward · · Score: 0

      No, he's pretty much right. Blaming Windows in this case is missing the point, and childish behavior at best. Are you such a child? Seems like it if you automatically assume he is a troll.

      The reality is that even Linux will have these issues once more than 2 people begin using it.

    14. Re:Quick... by Anonymous Coward · · Score: 0

      Wow haters! They were probably using Windows but I'd bet the user account was an administrator. I've never had a virus or malware because I do my day-to-day activities as a limited user and only use an administrator account to install/remove/update software. I'd argue the same thing could happen if everyone switched to Linux and only used the root account. It's not a problem with the OS, it's a problem with people being too lazy to do things the proper way. Yes, it takes a few more seconds to log off your limited user account and log on as an administrator when you need to install software, but it prevents problems like this.

  2. What should I do? by Anonymous Coward · · Score: 0

    I have a PenFed account and haven't heard anything from them. What should I be doing? The article doesn't give any advice.

    1. Re:What should I do? by swilly · · Score: 1

      I'm in the same boat. The article mentions that affected customers were reissued credit and debit cards, so presumably not hearing anything is a good sign, but I'll be calling them as soon as I get home.

    2. Re:What should I do? by v1 · · Score: 4, Insightful

      Usually their first recommendation is to put a watch on your credit score. A lot of the time when a bank has a breach they offer to pay for a year or so of this service to all their members whose information may have been exposed, so you can call them and see what they are offering for safeties after the fact.

      Change your PIN and password, security question, etc. for this account immediately. If you have a PIN or other password etc. used on that account that you use in other places, you should change those other places also, as they may try to use the credentials on other accounts they can figure out are yours in other places.

      Also, while you're talking with this credit union, see what they can do to adjust the 'paranoia level' on your account. That's what gets you a phone call from them when you go on a vacation and buy a bunch of stuff and suddenly the card is getting declined. You want high paranoia on their part for a while. There may be ways to set reasonable hard limits on charges per day etc., a bit like how you can usually only pull $250 cash a day from an ATM. Set those limits temporarily as tight as you feel you can. They may have other options; ask them.

      And of course the ever-popular "consider changing banks". Do you really trust them as much with your money as you did before?

      --
      I work for the Department of Redundancy Department.
    3. Re:What should I do? by Anonymous Coward · · Score: 0

      You might look into transaction notifications. I get an instant alert to my cell phone for any transaction over $100. I don't get cell alerts for scheduled home banking payments, but I do get emails when they say they're paid out.

      I went a crazy step forward this year as well. I had my credit union issue me ATM-only cards, no Visa/Mastercard, and then destroyed and cancelled the ATM/Visa debit cards. What inspired this is that I had a fraud charge for a business account at the same credit union linked to an ATM/Visa debit card which I've only used in less than a dozen places over 2 years. My business account was fairly easy to spot this on. My personal account at times is rather busy, and if the amount is low enough (this fraud charge was, ~$79), I probably wouldn't notice it.

      So, I use AMEX wherever I can, have a non-Checking Visa for places I cannot, and use my ATM+PIN at the local grocers. AMEX/Visa are very easy to dispute charges with and you're never out the cash. Bank-linked cards may reverse all fees in the end, but can be a pain to deal with fixing. I also use Citibank's Virtual Account Number to issue a different credit card number (all linked to my same account) for each online purchase, and I don't use the account for any in-person charges (the physical card is locked up).

      Compartmentalize your finances and make it harder to abuse and easier to spot and most of all easier to clean up (as fraud will occur, nothing you can do about it - even having no accounts doesn't prevent someone opening an account in your name).

    4. Re:What should I do? by mswhippingboy · · Score: 1

      I just use the simple approach of keeping VERY little money in my accounts. With the economy the way it's been lately, that hasn't been much of a problem.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    5. Re:What should I do? by palegray.net · · Score: 1

      And of course the ever-popular "consider changing banks". Do you really trust them as much with your money as you did before?

      Do you really trust any other financial institution with your money more than you trust them? These issues are systemic, not isolated to one or even a handful of financial services firms. You might be surprised to know how many such events occur, but are never properly disclosed.

    6. Re:What should I do? by aztracker1 · · Score: 1

      Nope, I do not trust banking institutions. They're run by computers and computer algorithms, without question, with program code created by people, who are fallible, often with no actual human available to identify, confirm or rectify these errors. I went without a bank account for 5 years because of such an error, and to this day it irks me that I gave in. I've since worked in a lot of "secure" development... it really isn't anything I trust.

      --
      Michael J. Ryan - tracker1.info
    7. Re:What should I do? by palegray.net · · Score: 1

      I'm not disagreeing with what you've said, but I will point out that security is a process, not a product. It's never "done."

    8. Re:What should I do? by hal2814 · · Score: 1

      They extended me two free years of credit monitoring service in addition to reissuing my cards. You might see if you can get the same.

    9. Re:What should I do? by fulldecent · · Score: 1

      Trust them more, they admitted it.

      Introduce tort law in the banking sector, just like they have in the medical sector.

      --
      -- I was raised on the command line, bitch

  3. Legislation by Anonymous Coward · · Score: 0

    NOW can we get legislation fixing the authentication problems in our banking system? Or do we need it to happen to every member of Congress, too?

  4. The weak link by nurb432 · · Score: 2

    As always, people not following proper procedures.

    --
    ---- Booth was a patriot ----
    1. Re:The weak link by eko3 · · Score: 1

      As always, people not following proper procedures.

      Is it really people not following procedures? Or is it lack of procedures for people that don't follow procedure?

    2. Re:The weak link by matazar · · Score: 1

      It's usually a healthy mix of both.

  5. How can you blame Assange by VincenzoRomano · · Score: 0

    When your security leaks like a sieve?
    And if those data get secretly sold to bad guys, do you think it's better than freely publishing all of them?

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
    1. Re:How can you blame Assange by hal2814 · · Score: 1

      What do you mean by "your security?" Are you under the mistaken impression that PenFed is a government entity? It's a credit union like any other. Its charter just happens to define its common bond as those involved in the military. This is not the droid you're looking for.

  6. I still find it crazy that... by Anonymous Coward · · Score: 4, Interesting

    I still find it crazy that systems like these don't have dedicated computers for accessing that info. Personally, I *refuse* to enter ANY kind of password into most people's laptops, let alone access sensitive information belonging to thousands of people. Then again, no one cares about "other people's information" until that other person is you...

    1. Re:I still find it crazy that... by gclef · · Score: 1

      This (and several other comments) really boils down to one thing: the price of security. The companies or organizations that get compromised rarely face any actual cost to being compromised, so the costs for doing security right (like having dedicated computers for accessing financial information) are seen as "not worth the money."

      This will only get better when the cost of being compromised is borne by the group that screwed up, not the customers of that organization.

    2. Re:I still find it crazy that... by shentino · · Score: 1

      People are selfish.

      News at 11.

    3. Re:I still find it crazy that... by pinkushun · · Score: 1

      Geek Tip: It's handy to keep a Live OS on a USB drive on your keyring, for emergency access to sensitive sites, like banking and /.

    4. Re:I still find it crazy that... by Anonymous Coward · · Score: 0

      I hear you. Up to now my network was composed of PCs administered by me exclusively. Since new people have been bringing their laptops into the office all the desktops have become infested and I have not entered my admin password into any even once. If I have to access something on the network I go into the server room, make a link somewhere from a read only mount, go back and access it without entering any password. After I'm finished I delete the link. Laptops are literally virus cultures, people have only one for work and personal use, they lend it to their children in the evening, they connect it at hotels and wireless anywhere... they barely work, take 5 minutes to boot and are generally destroyed. If they ask for help I begin muttering about 'complete reinstall' and 'do you have your driver disks' and 'at least two days' and they clutch it and slowly back away, never to ask again. Life is almost back to normal, modulo viruses for the Windows(TM) machines. Oh ho ho.

  7. This what they did for me... by Anonymous Coward · · Score: 2, Interesting

    They gave me a new CC# right away, and offered two years free credit monitoring. Meh, better than nothing I guess.

  8. Malware... by calebpburns · · Score: 1

    Members of the U.S. government sure have a knack for getting malware.

  9. Facts please! by girlintraining · · Score: 0, Redundant

    This is a credit union that happens to be used by military personnel. The credit union is not on a military network.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Facts please! by ShaunC · · Score: 1

      Where was it stated otherwise?

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:Facts please! by girlintraining · · Score: 0

      Where was it stated otherwise?

      Everywhere. References to "air gap" security, references to Wikileaks, and of course -- "the pentagon network" (as if there is actually such a thing...). And this is only in the first few minutes since the story got posted. Just wait a few hours and there'll be dozens, maybe hundreds...

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:Facts please! by Peeteriz · · Score: 1

      The simple solution is to publish (on wikileaks?) the address of the responsible culprit - and the military and ex-military personnel will probably somehow manage to ensure that the data isn't used for malicious purposes.

    4. Re:Facts please! by Anonymous Coward · · Score: 0

      I propose they try air tight the next time. That way they would have all the bases covered and it might even be more enjoyable.

  10. Air-gap security! by SaDan · · Score: 2

    There needs to be more air-gap security implemented in systems that are as important as banks/credit unions.

    I'm not referring to the air-gap currently between the ears of whoever is in charge of their computer systems.

    1. Re:Air-gap security! by Anonymous Coward · · Score: 0

      Just how can you air-gap a system that needs to interface with outside agencies to process transactions?

      Sneaker-netting it via USB or whatever won't even work (look at the Iranian nuclear program).

    2. Re:Air-gap security! by Anonymous Coward · · Score: 0

      Air gap solutions are not particularly feasible due to all of the system interdependency. The closest solution to an air gap configuration would be to use something like WTS, Citrix, or a VDI solution, but many software vendors don't fully support remote setups, and hardware devices like signature pads and check scanners are either not supported or don't work reliably in that kind of configuration.

  11. Mainframe only? by Anonymous Coward · · Score: 1

    What happened to keeping personal information like this to private mainframe computers, with LAN access only? Putting data like this on a laptop is only asking for trouble. We never seem to learn.

    1. Re:Mainframe only? by Anonymous Coward · · Score: 0

      The data was unlikely to be stored on the computer and was probably "sniffed" as the notebook communicated with the "core" system. It was only in the second half of last year that the largest credit union software package would support encryption. Many of those credit unions are running a vendor-created version of AIX 5.3 (think Windows Server embedded) and could not enable SSH. Typically, installing the vendor-provided OS updates would remove nearly all software related to OpenSSH. The latest OS patches from the manufacturer install SSHD, and the latest client optionally allows tunneling the client session over SSH. Newer "core" system installs, as in the last 12 - 18 months, are using a full version of AIX 6.1 and had SSHD enabled, but it was only supported for administrative functions. I don't know what core PenFed was using. Any credit union using a mainframe is the exception, not the rule.

    2. Re:Mainframe only? by Anonymous Coward · · Score: 0

      I forgot the data could have been in a report saved to the local drive but generally, Social Security numbers are masked in reports.

  12. A case for laws? by DoofusOfDeath · · Score: 2

    I wonder if there should be laws that make persons working for banks, utility companies, etc. criminally and civilly liable for violating that organization's IA rules.

    I'm talking about organizations responsible for information systems whose compromise could lead to significant public harm.

    1. Re:A case for laws? by TaoPhoenix · · Score: 2

      Only if the infected laptop shared two Justin Bieber songs with the host machine. Then we'd see the correct penalty.

      --
      My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
    2. Re:A case for laws? by OrigamiMarie · · Score: 1

      This stuff happens a little less often with credit card numbers because the credit card processors take PCI (Payment Card Industry) standards pretty seriously, audit their big clients yearly, and give the real threat of cutting off companies that don't have enough security. On the other hand, PCI compliance is kind of loose, so I think the real effect of the PCI audits is that they make companies actually _think_ about security. Once you get thinking about security, you can probably do better than PCI requires. As far as I know, the banks as a collective aren't nearly as much into the whole computer security thing.

  13. They only care about their secrets, not your data by Anonymous Coward · · Score: 0

    I wonder what will happen the first time data the Government actually cares about is compromised. It will be interesting to compare their response to this to what they would do if someone were to download the TSA's no fly list, for example.

  14. Re:Socialists in the Pentagon? by Anonymous Coward · · Score: 0

    Your troll-fu is very weak.

  15. Well played, Iran by Frank+Fry · · Score: 0

    This point goes to you.

  16. This is incredibly sad. by jd · · Score: 3, Insightful

    Let's look at this.

    In short, infected devices have caused serious problems (and occasionally fatalities). The Pentagon has been subject to malware-related cyber-attacks, including (as noted in the list) serious cases of espionage, in the past. That people are (a) running devices that are open to attack, and (b) are able to connect such devices to any Pentagon network, is seriously pathetic.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:This is incredibly sad. by blueg3 · · Score: 1

      That people are (a) running devices that are open to attack, and (b) are able to connect such devices to any Pentagon network, is seriously pathetic.

      With the current security landscape, this boils down, essentially, to:
      (a) People are using computing devices
      (b) Some computers are able to connect to the Pentagon network

    2. Re:This is incredibly sad. by TheSpoom · · Score: 1

      Except that Windows is more vulnerable to malware than other OSes by orders of magnitude.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    3. Re:This is incredibly sad. by jwarnick · · Score: 1

      The Pentagon has been subject to malware-related cyber-attacks... To clarify, it's a credit union and not the actual DoD Pentagon.

    4. Re:This is incredibly sad. by Jeian · · Score: 1

      PenFed is not affiliated with the Pentagon, except that the majority of their members are Pentagon employees.

    5. Re:This is incredibly sad. by c0lo · · Score: 1

      That people are (a) running devices that are open to attack, and (b) are able to connect such devices to any Pentagon network, is seriously pathetic.

      With the current security landscape, this boils down, essentially, to:
      (a) People are using computing devices
      (b) Some computers are able to connect to the Pentagon network

      Best solution... Pentagon to drop the reliance on computers. Errr... wait... and paper too (because the Pentagon papers were... well... on paper).

      --
      Questions raise, answers kill. Raise questions to stay alive.
    6. Re:This is incredibly sad. by blueg3 · · Score: 1

      To meet OP's requirements, number of vulnerabilities doesn't really matter. All systems have some vulnerabilities. With few exceptions, they're not theoretical vulnerabilities, either -- they're actively exploited. So regardless of the device people use, it will be the case that they are using a device that is open to attack.

    7. Re:This is incredibly sad. by hal2814 · · Score: 1

      You could probably argue that the majority of Pentagon employees are members but with one million members I highly doubt the majority of PenFed members are Pentagon employees.

      I think the only reason Pentagon is in the title is for the prestige. It's wicked cool when you pull out your credit card with a huge Pentagon on it to pay your bar tab. It's also cool when the lady at the tag office looks over your new car paperwork and asks you wide-eyed, "Do you work for the Pentagon?" (To which I have a canned Chevy Chase reply: "No... not anymore.")

    8. Re:This is incredibly sad. by pinkushun · · Score: 1

      Well said!

    9. Re:This is incredibly sad. by jd · · Score: 1

      The malware-related espionage attack was against the Pentagon. That's an example of something that should not have ever been possible.

      That a cyber-attack was launched years later against the credit union when the DoD has already gained experience in defending against cyber-attacks, and experience in the consequences of failing is the part that bothers me.

      A hypothetical parallel would be one car manufacturer using a vendor's gas tanks that are prone to exploding after an affiliated manufacturer has already discovered that that specific model of gas tank from that specific vendor is a major hazard. You expect people to learn from not only their mistakes but the mistakes of those they are close to.

      This has clearly not happened here. The Credit Union has elected to ignore the lessons learned by those they are close to, presumably in the belief that it's somebody else's problem.

      When we define insanity as doing the same thing expecting different results, we need to include "doing the same things as others" as part of that.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    10. Re:This is incredibly sad. by jd · · Score: 1

      Not really. You just require that mobile devices that connect to classified or commercially sensitive networks that relate to defense meet FIPS standards and if they can perform computations are also EAL6 or EAL7 certified.

      Yes, there's not much that's at that level, but if you create a demand for such products you will see the production of such products.

      It's also true that fixed devices internal to the secure networks don't need to be that highly secure, but you've got to bear in mind that mobile devices are exposed to a greater number of threats from a greater number of directions under a greater number of circumstances. It's only common sense that they be certified to a greater standard.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  17. !USAA by T+Murphy · · Score: 1

    Summary is misleading: "The credit union used by members of the U.S. armed forces and their families" made me think it was referring to my credit union (USAA, open to federal employees and families, not just armed forces). It had me worried for a moment there.

    1. Re:!USAA by Anonymous Coward · · Score: 1

      USAA isn't a credit union.

    2. Re:!USAA by Anonymous Coward · · Score: 0

      True, but still, PenFed is hardly the only credit union serving the armed forces. Or even the only Credit Union in the Pentagon.

    3. Re:!USAA by Anonymous Coward · · Score: 0

      PenFed has some pretty good deposit rates. And my auto-insurance company gives discounts to PenFed members.

      You don't have to be in the armed forces or even be related to someone. Just be in some organizations that you pay one-time membership fees to.
      https://www.penfed.org/howtojoin/overview.asp

      I was tempted to join, but they made it too much of a pain to join, so I'm glad I did not.

  18. It's the IT, not the OS by Toe,+The · · Score: 3, Insightful

    In the end, these sorts of egregious breaches can be blamed on IT and/or management. The latter mostly in cases where they unduly restrict IT from doing their jobs properly. In other (most) cases, it is because IT wasn't on the ball with security.

    These stories come out again and again and again, and yet we still see people being allowed to do the wow-stupidest things you can imagine.

    A few simple rules for people who haven't learned from these countless news stories:

    1. Company computers should only be allowed to perform company functions, and only company computers should be allowed to access company assets.

    2. Computer users should never have more access to their own computer or to company assets than they need. And always be conservative at first, and bump up their privs later if it becomes necessary.

    3. In situations where users might have access to assets that could potentially put other people's information at risk, those users should be required to undergo some basic security training.

    I'm just typing off the top of my head (I'm sure /. can add a few more), and already I've delineated more than I see done in most operations I've seen. It is rather amazing.

    And it is extremely infuriating. These people are in charge of my assets. Increasingly all of us have to (if we want to participate in modern society) put more and more of our data into the hands of others. And again and again they prove that they don't deserve the trust we're putting in them.

    1. Re:It's the IT, not the OS by Anonymous Coward · · Score: 0

      I worked at a bank for a few years and I can attest to the fact that banks hire the cheapest IT people they can get. Even worse, banks often put business people in charge of IT. Business folks, of course, have no idea what they're doing, but are usually very adept at the illusion of work/progress/success. In most cases only the programmers know the IT department is a train wreck.

      The common business notion that "good managers can manage anything" may be true, but I've worked at a lot of IT shops and never once found this to be the case. Make no mistake, the business person in charge believes it to be a success, only because they have no idea what success really looks like. I turned down a job recently where the CIO was an MBA whose "synergistic" initiatives were causing the best and brightest to vacate stat.

    2. Re:It's the IT, not the OS by turbclnt · · Score: 1

      Although I agree with everything you are saying in theory, I think there are some practical matters here that make these things tricky:

      1. Company computers should only be allowed to perform company functions, and only company computers should be allowed to access company assets.

      So, what is a company function? I agree - changing/revealing SSNs is a company function. However, a ton of viruses come from contaminated USB sticks too. If your job is to review a bunch of vendor presentations from USB sticks/e-mail/other external sources, how do you secure your "company" computer?

      2. Computer users should never have more access to their own computer or to company assets than they need. And always be conservative at first, and bump up their privs later if it becomes necessary.

      Sounds great. However, it always takes IT at least an hour to do this at my company, so it's a royal pain in the ass. If someone could make an automated IT system that gives rights only when needed (yes - just like sudo), I'd be all over implementing something like this because it wouldn't completely screw up work days time after time after time.

      3. In situations where users might have access to assets that could potentially put other people's information at risk, those users should be required to undergo some basic security training.

      Yep. This happens already. I think you are forgetting that most people are retards when it comes to this kind of stuff though. Oopsie-daisies still happen. Maybe at a lower rate than before, but they still happen. And before you say that the solution is just not to hire that person for the job, realize that a lot of times they are the old farts sitting at the top of organizations that are making the mistakes... i.e. you can't fire them (even if you'd like to).

      I really think people just need to realize that f-ups are going to happen every now and again. Maybe the easier solution is no SSNs required for bank accounts! No me telling telephone operators secret codes in plain, spoken, English over the phone! That way, all this data could be encrypted in a way that no human would be able to read or retrieve it.

    3. Re:It's the IT, not the OS by Charliemopps · · Score: 1

      1. a company computer can just as easily be infected as a private computer. The idea that Antivirus provides anything more than protection against the more common threats out there is the leading myth that lets managers think they are protected. "We have Norton, so we don't have to worry about viruses" I could write a virus, specifically for you... in about 20min and no antivirus would pick it up.

      2. This is all fine and well to say... but in actual practice most companies, especially older companies and Government agencies, have a rat's nest of legacy systems that their entire infrastructure is tied to. Their billing and account data is on an antiquated Unix server from the 70s. The hardware's been upgraded but Oracle's quoted them some stupefying price to move them over to a newer database. The interface is a BBS style monochrome terminal window. About 10 years ago someone that no longer works there and whose name no one remembers wrote a web based front end for it. It's buggy and no one knows what half the commands do anymore but it's miles better than the terminal window. But for that to work you need special permissions, and the server hosting the web interface needs permissions to telnet to the Unix system which forces a password change every 30 days. This has to be done manually. But about 2 years ago some act of congress said that XYZ accounts must retain a series of tracking codes for tax purposes. There were only 4 new codes, but updating the old system was impossible and moving to Oracle would cost millions. IS was their usual immovable selves and demanded the entire system be scrapped and moved to something more modern; upper management wouldn't have it. So some intern still in community college made an Access database and linked the tables to a key on the webapp. But IS was again totally immovable and refused to give access to the company tables for something so ridiculous. Department heads fought but in the end the kid just ended up using an Access Jet database. The thing gets corrupted about once a month so now the admins have to repair that routinely. Meanwhile every user that uses that webapp now has to have Access installed and permissions to the folder the Jet database is in. About the 4th time some Senior VP tries to look up info for the first time on a Saturday and can't, the order comes down... everyone's got permissions to everything.

      The fact of the matter is this sort of shit happens all the time... and admins get fired all the time for hiccups that are caused by people not having the right access. An actual breach in security is extremely rare or at least goes unnoticed... and when it does happen they can just blame "Hackers." As far as the majority of management, and the public for that matter, are concerned, hackers are geniuses that cannot be stopped once they target you. (see the movie Hackers)

      3. And they'll be playing games on Facebook all the way through the class. I took such a class myself and one of the questions I got wrong was: "When on a business trip, if you're going out for the evening you should: A. Leave your laptop in the locked hotel room B. Take the laptop with you." According to them the correct answer was B. But I see the likelihood of my laptop getting stolen or forgotten in a bar as far higher than someone breaking into my hotel room and stealing corporate data. I think the ambiguity of the question itself underlies just how difficult security really is.

    4. Re:It's the IT, not the OS by Anonymous Coward · · Score: 0

      Oh... it gets worse, brother. I just finished a short contract at a firm I will refer to as ShittyStink, who is now one of the largest background and title tracking service providers for lenders. All the users in the company have XPboxen... upon which they all have administrative rights... and all the passwords are the same. The backend is entirely Windows servers as well. Oh, a few years back they tried to tighten security by moving to a thin client schema that sorta rhymes with tangy fruit... you know the tech I speak of... c.2003 it was hot stuff. Today? Not so much.... The place is literally falling apart, and it absolutely IS the fault of the IT dept there that is filled with smiling spineless stuffed shirts (excluding the lower level tech specialists, who basically just follow the ridiculous orders of their uninformed superiors).

      Before you apply for a loan consider that your personal information may be handled poorly by the institution that you are applying for a loan through... but you can be assured that the bigger leak is when that institution outsources.

      I actually looked into the whistle blower protection laws because I found the institution so lacking in regard to ANY security practices, let alone best practices. Unfortunately for me, they aren't actually hurting the environment or your drinking water (thus no whistleblower protections for me), just operating botnets with your SS#, bank account info, addresses, names... everything about your identity that you want kept secret... flitting around their network for anyone (hopefully not their employees, but malicious attackers) to harvest.

      I realize I am opening myself up to criticism here, thus the AC post, but I assure you for the first month of the contract, pointing out security issues was an email to my supervisor at least a few times a week, who would repeatedly "take it under advisement"... until I was so browbeaten by their smiling ignorance that I just stopped altogether... omg, sooo happy that contract has ended. Worried, however, if I ever need a loan I know what's really happening with my personal info (good thing I'm broke, I guess... no one would want my identity :P)

    5. Re:It's the IT, not the OS by Anonymous Coward · · Score: 0

      The correct answer was to cross out both A and B and write in, "Use full-disk encryption so it doesn't matter whether I leave it in my room to risk getting stolen by night-maids, or take it with me and risk it being forgotten at a restaurant or stolen from my rental car."

      But then you get to the real world, where the answer is, "Have a different password for every single company resource and keep the big list of passwords on a web page on the company intranet."

    6. Re:It's the IT, not the OS by nobodie · · Score: 1

      I agree 100% but, what are people doing? When I investigated the crapware that my bank put on a virtual copy of WinXP (required by the bank so that it could connect to the bank site with IE6, no this is not a joke) it quickly became apparent that I should not/could not use the USB dongle they SOLD me for the connection. The dongle had no real use beside triggering IE6 to download a certificate and a few other "programs" necessary for the connection. I used it once and it was so unfriendly and stupid I threw it away.

      Ah, yes, then I uninstalled the 4 different programs that had been installed and purged the certificate from my system. All gone? Anti-virus check on the system showed that what remained were two virus/trojans as well as "virus writing" software. WTF? My guess is that the bank used viruses to install stuff into the registry so that they didn't have to get permissions through the admin or from Windows but could just use a virus to get in. These viruses and the software were all in hidden folders that had been created by and for the banking software, so there was little question about their provenance.

      Did it screw the system? Damned if I know or care. Not like it really mattered to me, it was just a virtual copy of Windows that didn't count for doodly squat, but the principle was stunning.

      --
      Subversion of spatial scale luxury decoration ideas.
    7. Re:It's the IT, not the OS by couchslug · · Score: 1

      As a PenFed customer, I'll be contacting them.

      Corporations in charge of important personal data should choose security over convenience, should not use Windows, should not WANT to use Windows, and should lock down their systems.

      IMO they should restrict users to thin clients at their brick-and-mortar locations. No laptops, no mobility, tough shit.

      An institution that serves the military should have a military chain of command, give orders not requests, and crush anyone who doesn't obey them.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    8. Re:It's the IT, not the OS by hal2814 · · Score: 1

      As another PenFed customer, I'm surprised they didn't contact you. They sent me a letter a few days ago explaining the situation and offering 2 years of free enrollment in one of those identity theft tracking services. I also have a new credit card and number being mailed to me.

      I'm not happy about the situation but how they're handling it is everything I've come to expect from PenFed.

    9. Re:It's the IT, not the OS by Anonymous Coward · · Score: 0

      Another PenFed customer here. I've received no letter. Guess I'll contact them myself.

    10. Re:It's the IT, not the OS by Anonymous Coward · · Score: 0

      Windows isn't the problem you retard, Linux will have the same issues at some point. They'll just use a different vector of attack.

  19. McAfee or Norton? by Anonymous Coward · · Score: 0

    They were probably running McAfee or Norton. It seems quite a number of state and federal organizations still use the relatively useless security software from these two awful corporations.

    1. Re:McAfee or Norton? by monkyyy · · Score: 0

      Wasn't aware McAfee was in business, and Norton has important customers?

      --
      warning pointless sig
  20. Re:They only care about their secrets, not your da by Anonymous Coward · · Score: 0

    They'd have you deported to Sweden on charges of "sex by surprise".

  21. Not so fast by Anonymous Coward · · Score: 0

    This is an opportunity for more spending. More spending is justification for a bigger budget. A bigger budget is the objective of every politician and bureaucrat. (You do realize that every year, government costs more than the year before, don't you?) Finally, this makes the business of government more lucrative for those who can exploit -- ahem, "distribute" -- that cash flow for personal gain.

    You're not in the business of government, are you?

  22. Freeze credit now by Anonymous Coward · · Score: 0

    Freeze your credit and put a fraud warning on your profile with ALL three bureaus. I wouldn't trust your credit union to do that.

    Credit monitoring tells you someone has gotten credit out in your name after the fact and two years free isn't enough. It should be for life.

    See clarkhoward.com for more info - search for "Credit Freeze" and "Identity theft".

    The CAC number 404.892.8227 is out so far this week because HothAtlanta is still under snow and ice.

  23. Re:m\od up by Anonymous Coward · · Score: 0

    uh, what?

  24. This is why I don't believe in Conspiracy Theories by Timmy+D+Programmer · · Score: 2

    Because let's face it, the US government can't even keep ANYTHING secret or secure. Apparently not even their darn bank accounts.

    --
    (If at first you don't succeed, do it different next time!)
  25. database design is at fault by SethJohnson · · Score: 1

    That information should have been encrypted within the database. Why, just the other day SQLServerCentral.com posted a tutorial on creating a transparent database encryption layer. When managing critical information like SSN's or embassy cables, clear text is just asking for a compromise.

    Oh, and I am not saying Windows is anything at all good to have in anyone's life. In fact, the insecure nature of laptops and malware demands that security be increased closer to the sensitive data.

    Seth

    1. Re:database design is at fault by Anonymous Coward · · Score: 0

      The database was unlikely to be on the notebook due to:
      a) size. 1 million member w/ at least a 6 month transaction history puts the size in at least the 500GB - 1TB range.
      b) probably a proprietary core system database format. The databases tend to not be standard proprietary formats like DB2 or MS SQL but instead tend to be in a proprietary core system database format.

      See comments http://it.slashdot.org/comments.pl?sid=1948112&cid=34855456 and http://it.slashdot.org/comments.pl?sid=1948112&cid=34855736 for other possible vectors.

      NCUA has been working with the core system providers to set deadlines on encrypting client sessions and databases. Currently, database information only has to be encrypted when it leaves the possession of the credit union.

    2. Re:database design is at fault by SethJohnson · · Score: 1

      Sorry to write a vague comment.

      I never assumed the database was on the laptop. Encrypting data within the database means that client compromises like this one still protect critical assets such as SSN's. It means, as I alluded to in my original post, that a person or piece of malware can't execute a select social_security_number, address, patient_name from patient_table and store the resulting rows in a clear text file. Well, at least the resulting rows will be encrypted in DES or some such algorithm. This has nothing to do with encrypting the communication between the client and the database server. It has everything to do with encrypting the content of the database and using a secure mechanism to read and write to those rows in an encrypted format. Developers can still work in the database without themselves being able to see or touch the content. Same with users. Same with compromised laptops. etc. etc.

      Seth
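The column-level encryption Seth argues for in both his posts, written out as an added SQL Server (T-SQL) example that is neither the SQLServerCentral tutorial nor anything from PenFed; the certificate, key, table and principal names are assumptions, AES_256 stands in for the DES he mentions, and HASHBYTES('SHA2_256') assumes SQL Server 2012 or later:

```sql
-- Added example: cell-level (column) encryption in SQL Server.
-- MemberPiiCert, MemberPiiKey, dbo.Member and app_pii_reader are assumed names.
-- The SSN below is a constructed sample value, not a real number.

-- One-time setup by a DBA: database master key -> certificate -> symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-dba-only-password>';
CREATE CERTIFICATE MemberPiiCert WITH SUBJECT = 'Protects member PII columns';
CREATE SYMMETRIC KEY MemberPiiKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE MemberPiiCert;

CREATE TABLE dbo.Member (
    member_id   INT            NOT NULL PRIMARY KEY,
    member_name NVARCHAR(100)  NOT NULL,
    ssn_enc     VARBINARY(256) NOT NULL   -- ciphertext only; no plaintext SSN column
);

-- Writes go through the key. The authenticator (a hash of the row key) binds
-- the ciphertext to its row, so an ssn_enc value copied into another row
-- fails to decrypt instead of silently yielding someone else's SSN.
OPEN SYMMETRIC KEY MemberPiiKey DECRYPTION BY CERTIFICATE MemberPiiCert;
INSERT INTO dbo.Member (member_id, member_name, ssn_enc)
VALUES (1, N'Constructed Sample',
        ENCRYPTBYKEY(KEY_GUID('MemberPiiKey'), N'000-00-0001',
                     1, HASHBYTES('SHA2_256', CONVERT(VARBINARY(4), 1))));
CLOSE SYMMETRIC KEY MemberPiiKey;

-- What malware driving a plain SELECT (or anyone reading a stolen backup) gets:
SELECT member_id, member_name, ssn_enc FROM dbo.Member;   -- ssn_enc is opaque bytes

-- DECRYPTBYKEY with no key open returns NULL, not plaintext:
SELECT member_id,
       CONVERT(NVARCHAR(11), DECRYPTBYKEY(ssn_enc, 1,
               HASHBYTES('SHA2_256', CONVERT(VARBINARY(4), member_id)))) AS ssn
FROM dbo.Member;

-- Only a principal granted rights on the certificate can open the key and
-- read plaintext; developers and ordinary users get ciphertext.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::MemberPiiKey TO app_pii_reader;
GRANT CONTROL ON CERTIFICATE::MemberPiiCert TO app_pii_reader;
-- EXECUTE AS USER = 'app_pii_reader';   -- run the block below as that principal
OPEN SYMMETRIC KEY MemberPiiKey DECRYPTION BY CERTIFICATE MemberPiiCert;
SELECT member_id,
       CONVERT(NVARCHAR(11), DECRYPTBYKEY(ssn_enc, 1,
               HASHBYTES('SHA2_256', CONVERT(VARBINARY(4), member_id)))) AS ssn
FROM dbo.Member;   -- 000-00-0001 for the sample row
CLOSE SYMMETRIC KEY MemberPiiKey;
```

Because the key lives inside the instance, a session that can open it (or a sysadmin) still sees plaintext; what this closes is the plain select-and-dump path and the value of a stolen backup.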

    3. Re:database design is at fault by zippthorne · · Score: 1

      When managing critical information like SSN's or embassy cables, clear text is just asking for a compromise.

      Both of those things are run by people who think that it's their job to compromise...

      --
      Can you be Even More Awesome?!
  26. will they catch the offender before it's too late? by Gravis+Zero · · Score: 0

    It seems like a running theme that the government makes a slow/half-assed attempt to apprehend this criminal brand of hacker. This seems like one situation they should actually be putting significant resources into, tracking down and jailing this individual and anyone that purchases the data regardless of the nation they are in. I know they can do it, I saw how quickly they got to Bradley and how many strings they have been pulling to get to Assange. This seems like one enterprise worth shutting down regardless of cost.

    --
    Anons need not reply. Questions end with a question mark.
  27. Re:This is why I don't believe in Conspiracy Theori by BenSchuarmer · · Score: 1

    Maybe that's what they want you to think.

  28. One of two things MUST happen by erroneus · · Score: 1

    Either Microsoft fixes the problems (yeah, not going to happen) with its Windows OS or banking and other institutions must ban the use of MS Windows machines for handling sensitive information such as this.

    At the very least, requirements that such machines can NEVER have been used to connect to the internet or process email that might originate from the internet must be issued. These lax security policies are making victims of their customers and good luck getting your SSN changed after it has been used for fraud.

  29. Re:First? by HomelessInLaJolla · · Score: 1

    The sentiment of "first" and "never done this before" is somewhat relevant.

    "A laptop", only one? Cue the neverending laughter. Let us make an educated ballpark guess at the number of employees who access their personal banking information with an infected laptop. Session hijacking, background processes, like most of the office people who use online banking are watching a physical LED to see if there is additional traffic outside of their control after they log in. Maybe some folks, even in IT, do not know this but it is not very difficult to establish and maintain entire TCP/IP sessions without making a single LED blink or even turn on. I ran my entire LAN in what I comically dubbed "silent mode" and that worked for outgoing communications as well. The wired router LEDs were completely dark (when I wanted them to be; i.e. they were not broken). The wired ports of the wireless router were completely dark. Wireless communications still blinked.

    Obviously the cable modem lights still worked as expected. Exploits existed but I did not want to taunt my provider.

    --
    the NPG electrode was replaced with carbon blac
  30. espionage? by Anonymous Coward · · Score: 0

    Gee, I wonder who would be interested in which U.S. military service members are having financial difficulties?

  31. Skype Worldwide Customer Database Compromised? by Anonymous Coward · · Score: 0

    You register with Skype using a unique, private, pseudorandom alphanumeric 12-character long email address that you use nowhere else, and then what happens? I did this as protection against possible spam and so did four colleagues in Japan. Today we all suddenly received various spam emails that were addressed to these unpublished email addresses that we registered with Skype. The only plausible source of the email addresses is Skype's Worldwide Customer Database. A friend who works in Skype admits they run their customer database on a Windows system, but denies any system breach. What's going on? Has Skype suffered a system breach or has somebody inside Skype leaked their database to spammers?

  32. Re:This is why I don't believe in Conspiracy Theori by hal2814 · · Score: 1

    So a private company having a security breach is evidence that the US government can't keep anything secret or secure?

  33. OMFG by hesaigo999ca · · Score: 1

    The Pentagon, which is renowned for being anal about security, let someone plug their insecure laptop onto their network and just start accessing data at the tip of a hat.....I do not believe it, they probably are not sure of where this breach came from, and this is their cover story....so in case we see conf. info showing up only they had in public domains, now they can save their *sses, as they let us know about it.

  34. This was news on Jan 6 today is the 13th by Anonymous Coward · · Score: 0

    Infected Laptop Leads to Data Breach at Pentagon Federal Credit Union, SoftPedia, January 6 2011

    Notification to the NH Attorney General's Office, December 30, 2010.

    There may be even earlier public reports.

    This is not news to affected PFCU members either. I was notified that my data might have been compromised and issued a new credit card and offered free monitoring services weeks ago.

    As a member-owned credit union PFCU is accountable to its members. They, or should I say as a proud member, we, take our responsibilities to our fellow members very seriously.

  35. Clarification: PenFed is not "the" credit union by MrAtoz · · Score: 1

    PenFed is one credit union used by members of the armed forces, but it is not the big player -- that's Navy Federal Credit Union (NFCU). It has three times the members (3M vs. 1M) and assets ($43M vs. $15M) that PenFed has. Not to minimize the impact, but the article reads as if all military personnel who join a credit union are affected, and this is not the case.