South Carolina Shows How Not To Do Security

CowboyRobot writes "Earlier this year, the state's Department of Revenue was storing 3.3 million bank account numbers, as well as 3.8 million tax returns containing Social Security numbers for 1.9 million children and other dependents, in an unencrypted format. After a state employee clicked on a malicious email link, an attacker was able to obtain copies of those records. It's easy to blame the breach on 'Russian hackers' but who is really to blame? 'The state's leadership, from the governor on down, failed to take information security seriously or to correctly gauge the financial risk involved. As a result, taxpayers will pay extra to clean up the mess. Beyond the $800,000 that the state will spend — and should have already spent — to improve its information security systems, $500,000 will go to the data breach investigation, $740,000 to notify consumers and businesses, $250,000 for legal and PR help, and $12 million for identity theft monitoring services.'"

Identity Theft Monitoring Services

So $2 million to actually respond to and work on fixing the problem, and $12 million to snake oil. Brilliant.

Re:Identity Theft Monitoring Services

So $2 million to actually respond to and work on fixing the problem, and $12 million to snake oil. Brilliant.

I agree. Letting the victims freeze their credit for free would do it - actually EVERYONE should be able to do that for free!

But here's something else to consider: this wouldn't be a problem if businesses and Government were more responsible with personal information. If business and Government weren't so ignorant as to use the social security numbers as identifiers. If we had unlimited free credit reports from AnnualCreditReport.com - that's the FTC's website.

And it's not only folks who want to open up a line of credit. Another use of stolen SSNs are for illegal immigrants. They work under the stolen SSN - and if the employer did a background check it would pop up immediately; especially when that many of them use their own names. AND many times, they will file income taxes getting the victim's refund - if any.

And don't get started on what happens to the victim when someone uses their identity and gets arrested.

Government is way too confident with their computer systems and their accuracy.

Re:Identity Theft Monitoring Services

[maxwell+demon]

Notifying the affected people isn't snake oil. If my information was compromised, I'd certainly like to know. If I don't know my information was compromised, I can't know to protect against that.

Re:Identity Theft Monitoring Services

Except, nowhere does it state credit cards. Most states allow/require you to use a checking or saving account (direct deposit) to pay or receive refunds. Imagine freezing your checking account (no more debit card, ATM, checks or online bill pay through your bank, until you have a new account). Switching banks or bank account numbers is time consuming and tedious. Think of all the direct deposit or online bill pays that have to be updated.

Re:Identity Theft Monitoring Services

[guruevi]

He was talking about the ID protection "services". All they do is "monitor" your credit report and then whenever there is something suspicious they try to upsell you their next tier.

Re:Identity Theft Monitoring Services

[aardvarkjoe]

Most states allow/require you to use a checking or saving account (direct deposit) to pay or receive refunds. Imagine freezing your checking account (no more debit card, ATM, checks or online bill pay through your bank, until you have a new account). Switching banks or bank account numbers is time consuming and tedious. Think of all the direct deposit or online bill pays that have to be updated.

Yeah, it will be painful. But there's really no alternative. "Identity theft monitoring" is going to be only marginally effective at preventing problems, at best. The only real option is to make the information that the attackers gained useless, by getting rid of those accounts.

Re:Identity Theft Monitoring Services

[crazyjj]

Letting the victims freeze their credit for free would do it - actually EVERYONE should be able to do that for free!

South Carolina already has that. By law, anyone can freeze their credit for free with the three major credit reporting services at any time for free (and unfreeze, freeze again, etc. for free too).

So what?

There is authentication which is the process for knowning that you are you. The other process is called encryption which is used to hide sensitive data. Here no sensitive data was lost so you are safe (given the authentication works).

Re:So what?

[mastermind7373]

It appears as though authentication was bypassed via a malicious email(probably from an SQL injection attack). Then, sensitive data that was NOT encrypted(but should have been) was obtained(Bank Account Numbers, SSN's, etc.). Did you read the article?

amateurs

[ruir]

The point is exactly this, many organizations just keep their data in any convenient format, even it is excel spreadsheets. This are one of the things it is hard to understand, if you want work well done, you call a plumber, and electrician, and they have to be certified, and many years of experience, references, whatever more. And then when it comes to sensitive data that can mean to put people in peril of theft identity, people do it by themselves, or just hire a nobody to do it. ...

Re:amateurs

it's South Carolina; you don't really need certification for anything. Being a covenant christian is pretty much all the cert you need.

Re:amateurs

I am sure that our private medical records will be be totally safe under Obamacare!

What is the law on personal data storage?

[mykepredko]

I find it kind of amazing that there isn't a law in place defining how personal data is stored in North Carolina. Now, having said that, I have no idea what kind of laws are in place for other jurisdictions. Are there any lawyers out there that can comment?

Hopefully, the people responsible for the design and sign off of the server data architecture were in the 2M plus people who's information was compromised.

myke

Re:What is the law on personal data storage?

It was in South Carolina, and ti was the Department of Revenue. If I had a guess our general assembly did pass a law that required Private companies to encrypt all personal data; however, I suspect that the state gov't and lawyers were exempted. Just normal operating procedures for our state legislature.

Re:What is the law on personal data storage?

I find it kind of amazing that there isn't a law in place defining how personal data is stored in North Carolina. Now, having said that, I have no idea what kind of laws are in place for other jurisdictions. Are there any lawyers out there that can comment?

Hopefully, the people responsible for the design and sign off of the server data architecture were in the 2M plus people who's information was compromised.

myke

Governor Halley blamed the federal government for not providing sufficient regulations regarding the security of sensitive data.
Ironic, isn't it?

Outside / 3rd party contractors to blame?

[Joe_Dragon]

Outside / 3rd party contractors to blame?

Do they have of staff IT workers or has parts / all of the IT be push to contractors? some times even ones that sub out work / hiring to other contractors?

They add alot of overhead and at times make it hard for a worker who works for a sub to get some things done / add a long paper work / red tape process to get stuff fixed.

A General Rule

[mbone]

I generally find it safe to assume that State of South Carolina does not show the way on how to do anything.

Re:A General Rule

They do an excellent job down there with this.

Re:A General Rule

[jimbrooking]

Well, they are doing an effective job at keeping the Confederacy alive!

Re:A General Rule

[Shoten]

I wish I had mod points right now so that I could mod you both up :)

Re:A General Rule

I generally find it safe to assume that State of South Carolina does not show the way on how to do anything.

South Carolina is a leader in bigotry, racism and ignorance.

Re:A General Rule

Well, they are doing an effective job at keeping the Confederacy alive!

Nope, they suck at that, too. Doesn't keep them from trying, mind.

$800,000

[Patch86]

By a curious coincidence, $800,000 is exactly the same "cost of damages" that was levelled at Gary McKinnon for his amateurish computer escapades. ($800,000 being the "fix it" figure, not counting $13.5 million in other costs mentioned). So for Gary McKinnon, $800,000 in damages equals extradition and 60 years in prison. Will whoever was responsible for failing to implement a proper IS policy be expecting a similar visit from the Feds?

Of course not. Punishment is reserved for shifting blame onto others, not for disciplining people who do things wrong.

Re:$800,000

Of course not. Punishment is reserved for shifting blame onto others, not for disciplining people who do things wrong.

Of course not. Punishment is reserved for the serfs, not for disciplining the Lords who make up the rules on the fly.

FTFY

Re:$800,000

The incompetents rewards the incompetents.
Shooting the messenger protects the incompetents.
When the internet is the messenger, guess what they will do?

Re:$800,000

[timeOday]

If they were to find out a state employee actually perpetrated the hack then you would have some kind of point.

Re:$800,000

[wonkey_monkey]

Will whoever was responsible for failing to implement a proper IS policy be expecting a similar visit from the Feds?

No, because gaining unauthorised access to a system and failing to do your job properly are two entirely different things.

Re:$800,000

I think this got modded "interesting" because people find it interesting that someone would actually have such a stupid theory.

So... Sucking at your job is now comparable to intentionally breaking into someone else's computer system and stealing information and deserves MORE punishment? Are you on some kind of highly pure crack cocaine at the moment?

Re:$800,000

Should also be mentioned that there's a difference between expenses incurred wastefully and expenses incurred constructively, like the difference between expenses and investments. It's likely that a part of those $800,000 went to finding security holes and improving procedures.

Re:$800,000

Will whoever was responsible for failing to implement a proper IS policy be expecting a similar visit from the Feds?

Except McKinnon deliberately and intentionally hacked secure systems he wasn't authorized to access, and whoever fucked up on this is likely ignorant, or at worst, negligent. I doubt there was any intention to "refuse to secure data," or "intentionally disclose this data by storing it in unencrypted format."

In much the same way that if I planned your murder in great detail and then killed you according to that plan, I would be charged with a different crime than if I accidentally struck you with my vehicle and killed you.

Re:$800,000

[rgbrenner]

Shame the parent felt the need to post that as AC. Exactly what I would have written.

Re:$800,000

[Patch86]

True. But most countries have laws defining "criminal negligence" for people who cause harm by failing to do their job to an expected basic minimum standard.
http://en.wikipedia.org/wiki/Criminal_negligence

So you take intent out of the equation, you're still left with the same "harm done", the same damages. Maybe the sentence would be 5 years instead of 60 then; should we expect the head of Information Security to get a visit from the Feds on THAT basis?

I'm still going to assume no.

Re:$800,000

[AK+Marc]

Leaving your keys in your running car is a crime. Having a pool without a secure perimeter is a crime. Sometimes negligence is sufficient to be deemed to be a crime, all by itself.

The whole system is to blame.

[Waffle+Iron]

Who's to blame? In good part it's every single company and organization in this country that tries to use people's SSNs as some kind of secret PIN or ID. It's not.

It's a non-changing lifetime number that you have to hand over to just about every doctor's office receptionist, insurance agent, and offshored credit card phone lackey that you deal with. *Nothing* of value should depend on SSNs being kept private in any way, shape or form. You reveal this number to thousands of people over your lifetime, few of which you have any reason to trust.

Lately, companies seem to try to address this issue by truncating the SSN to its last 4 digits, then treating that portion as both the secret PIN and the part that can be publicly shown. Sheer idiocy.

Re:The whole system is to blame.

It's a non-changing lifetime number that you have to hand over to just about every doctor's office receptionist, insurance agent, and offshored credit card phone lackey that you deal with.

Actually that's 100% FUD. You and the IRS are pretty much the only people that need your SSN. Down-mod parent into oblivion, and up-mod me as +5 Informative.

http://en.wikipedia.org/wiki/Social_Security_number#Use_required_for_federal_tax_purposes

SSN is not an identification card, and up until '72 that used to actually be printed on them explicitly.

Re:The whole system is to blame.

[Waffle+Iron]

Actually that's 100% FUD. You and the IRS are pretty much the only people that need your SSN. Down-mod parent into oblivion, and up-mod me as +5 Informative.

http://en.wikipedia.org/wiki/Social_Security_number#Use_required_for_federal_tax_purposes

SSN is not an identification card, and up until '72 that used to actually be printed on them explicitly.

The utter unworkability of your suggestion in the actual world reminds me of the old Yogi Berra quote:

In theory there is no difference between theory and practice. In practice there is.

Re:The whole system is to blame.

[OzPeter]

>It's a non-changing lifetime number that you have to hand over to just about every doctor's office receptionist, insurance agent, and offshored credit card phone lackey that you deal with.

No you don't. You only have to hand it over to people when you deal with *gasp* social security and taxation related functions, anyone else has no right to ask for it. Its just that in the US people are so used to handing it over that they do so no matter who asks.

As someone now living in the US, when asked for my SSN I easily get by with saying "Sorry .. I can't remember it" (which is actually the truth, as I have only a vague idea what it is, and when actually I do need it I have to look it up.) and I still get the same level of service.

It was even more amusing watching peoples reactions before I had an SSN when I could honestly say "I don't have one". Even that never caused me a problem.

Re:The whole system is to blame.

[markdavis]

I personally have been REFUSED SERVICE by healthcare organizations when I refuse to provide my SSN, and treated like CRAP by said organizations, too. I have also been refused service by several other

If you read the laws, only the GOVERNMENT is required to provide you service if you refuse to provide your SSN, unless there are laws specifically requiring it (and there are quite a few). There are absolutely no laws that restrict non-government from using SSN as a required ID number.

Don't believe me? Go ahead and try to get credit from ANYONE and refuse to supply your SSN. You will get NOWHERE. Electric company hookup? REQUIRED. Cable TV? REQUIRED. Non-Prepaid phone? REQUIRED. Every one of them claim it is because they are extending the ability to charge for things in advance (toll calls, pay per view, etc). And/or they report back to the credit reporting agencies- which all REQUIRE use of SSN.

The problem with a single ID number is that it makes it incredibly easy for multiple databases to match records on you, which further erode your privacy and security of your information.

Re:The whole system is to blame.

You didn't try hard enough. Anyone that isn't the IRS has no need for your SSN. That's according the Federal Government, you can look it up. SSN is not even guaranteed to be unique...

You can get a Tax ID and use that for everything you were denied.

5 mins worth of online research is enough to prove to yourself that SSN is not a unique ID and the only entity that actually requires your SSN is the IRS.

Re:The whole system is to blame.

-1 lives in mom's basement and only knows what is in wikipedia.


It should be illegal just how many non-tax groups require SSN, but they do it anyway.

Re:The whole system is to blame.

[cdwiegand]

Tax ID == SSN - it still doesn't solve the actual issue of using it (TID or SSN) as authentication, whereas all it is is identification material. And yes, banks DO have the right to demand your SSN, as does your employer, your retirement fund, and any other company where you may make, store or transport money, as they have to report that to the IRS. While insurance companies (and doctors offices) can't use HIPAA to require your SSN (look up the 837P and I specs - SSN is explicitly not required and may not be required), most still put it on their form. Just write "NOT GIVEN - CALL ME" and have yet to be called about it in 10 years of doing so.

Re:The whole system is to blame.

[KingMotley]

Anyone that isn't the IRS has no need for your SSN. That's according the Federal Government, you can look it up.

That depends on your definition of need. Strictly speaking, the federal government doesn't NEED it either. They want it because it makes it easier for identification. They could use a number of other things if they wanted. However, the part of according to the federal government, it is perfectly fine to use SSN as identification. Up until the mid-70's it was printed one very SS card that the number was not to be used for identification, however, in the mid 70's, even the federal government backed down from that and had it removed.

2 mins worth of online research is enough to have proven you wrong on most counts. As for SSN not being unique, it's unique for all living people. SSNs do get reused after someone dies, but that typically isn't a problem in most instances. Yes, some people are giving out a number that THEY were not assigned, either through error, bad memory, or fraud. That just proves that a single (10 digit) number is not good way authenticate people. People can also lie about their names, dates of birth, location of birth, age, hell -- even gender.

I like how people who talk shit and know very little post as AC. Stand behind what you say or don't say it.

Re:The whole system is to blame.

[AJWM]

You and the IRS are pretty much the only people that need your SSN.

But since the IRS needs it, then pretty much everyone with whom you engage in significant financial activity (employers, banks, credit co.s, insurance ...) also needs it, because the IRS requires them to report their activity with you. If you really don't like your SSN being used for this purpose, you are of course free to apply to the IRS for a taxpayer ID number (TIN). So technically the IRS doesn't need it either (if you're self- or unemployed).

I get a huge chuckle out of folks who have to comply with HIPAA (like your doctor, pharmacist, etc) using not your SSN as an ID, but your birthday. I wonder how many John Smiths are born on a given day.

Re:The whole system is to blame.

[Shoten]

This was the department of revenue. At some point, the SSN is important to use for *something,* you know. It wasn't like there was a pizza delivery company using SSNs as customer numbers. It was the Department of Revenue. SSNs are, in effect, meant to be the individual account numbers for state and federal revenue tracking.

If this was any other kind of situation, I would absolutely agree with you. But the way that taxes are handled, using SSNs as an identifier is valid, because of all the background systems meant to prevent money laundering, tax evasion, illegal employment, etc.

Re:The whole system is to blame.

[Waffle+Iron]

Read my post again. I said the problem is that other organizations, not the state of South Carolina, are using SSNs as *secrets*, like a PIN. That means that when this state DB gets hacked, people are agitated because these supposed "secrets" are exposed.

There's not much problem with having a unique ID. It should just always be considered to be public knowledge, and handled accordingly.

well IT needs a union / engineer like signoffs so

[Joe_Dragon]

well IT needs a union / engineer like signoffs so the IT works can't be pushed around by NON tech PHB's that may buy stuff on the golf course with no IT input or rank IT people my number of tickets and or call times. Even to the point saying we can't buy new software / hardware so find a work around to make X app work in the new OS / workflow even if it does have good security.

How is this sort of crypto supposed to work?

[tepples]

Even if the SSNs had been encrypted, the application running on the server still needs access to the SSNs, which means it needs the keys with which the SSNs are encrypted. So anybody who compromises the server on which the application is run, or any machine authorized to connect to that server and view SSNs, compromises the SSNs.

Re:How is this sort of crypto supposed to work?

[maeglin]

Even if the SSNs had been encrypted, the application running on the server still needs access to the SSNs, which means it needs the keys with which the SSNs are encrypted. So anybody who compromises the server on which the application is run, or any machine authorized to connect to that server and view SSNs, compromises the SSNs.

That is not an excuse not to encrypt. Encrypting data and putting the key in a file called encryption.key would be sufficient to stop casual perusal of the data. Each additional level of obscurity beyond that raises the time and knowledge required to locate, understand and decrypt the data. Most people are out for a quick win and are not interested in reverse engineering your architecture.

Conversely, if someone knows what they want, where it is and what is necessary to get it then you've got a problem that goes week beyond key management.

Re:How is this sort of crypto supposed to work?

[the+eric+conspiracy]

There are ways around this. For example the SSNs could be stored as a hash and referred to as a hash.

Also the server this application runs on is connected to the internet why?

 

Re:How is this sort of crypto supposed to work?

[KPU]

There are less than 10^9 SSNs. That's a very easy brute force attack.

Re:How is this sort of crypto supposed to work?

[tepples]

Also the server this application runs on is connected to the internet why?

So that users at home can log in and do business with the government from home.

Re:How is this sort of crypto supposed to work?

Then add more rounds. Decide how long you want the process to take and then benchmark the computer so that number of rounds is done. So say you want SSNs hashing process to take 5 seconds and the computer sets it to the number of rounds necessary for that time. Now, even if the attacker is 100x faster, that is still .05 seconds a hash and a total brute time of around 579 days. Of course, that doesn't factor adding a salt or some step that is not easy to make a parallel process or many of the other strengthening processes.

Re:How is this sort of crypto supposed to work?

[blueg3]

That's only worthwhile if you're using the SSNs to compare them against external inputs. In essence, if you're using them as a form of authentication. That's a stupid idea to begin with. As this is the Department of Revenue, they're probably using the SSNs for their actual, tax-related purpose and need them in their original form.

Despite what people seem to think, throwing encryption at a data security problem generally doesn't make it go away.

Re:How is this sort of crypto supposed to work?

[blueg3]

Each additional level of obscurity beyond that raises the time and knowledge required to locate, understand and decrypt the data.

So... what you're advocating is literally security through obscurity?

Re:How is this sort of crypto supposed to work?

[the+eric+conspiracy]

That doesn't require the application run on a server that allows connections from the internet.

Usually such things are done on a server that is at least two firewalls away.

Re:How is this sort of crypto supposed to work?

[tepples]

Firewalls can be compromised, and machines behind firewalls can be social-engineered.

Re:How is this sort of crypto supposed to work?

[maeglin]

Each additional level of obscurity beyond that raises the time and knowledge required to locate, understand and decrypt the data.

So... what you're advocating is literally security through obscurity?

Here's a question for you: Name one security technique that doesn't rely on obscurity in some form. Everything I can think that has actually implemented depends on large numeric search spaces, large physical search spaces (brass keys for example), a one time pad (needs to be hidden), steganography, etc. Security and obscurity go hand-in-hand. It is simply unfortunate that obscurity got a bad name along the way for some reason.

But, ultimately, I'm advocating not throwing away security just because it isn't perfect. You may not need the baby, but the bathwater might still be useful.

Re:How is this sort of crypto supposed to work?

[blueg3]

You're playing at equivocation. Obscurity is an enemy not knowing how your system works. Secrets are the pieces of information that are not part of the process of how your system works but are critical to security. While it seems like they're similar, they're not. So most strong digital security systems rely not at all on obscurity, only on secrets.

But, ultimately, I'm advocating not throwing away security just because it isn't perfect. You may not need the baby, but the bathwater might still be useful.

I don't think that's what you're arguing. I don't disagree with that. If you can get some obscurity cheaply, go for it. Some obscurity is better than none. You just can't rely on it.

Regardless, you were advocating adding obscurity as a solution to a security problem. The thing is that that is not a solution and you should never treat it as such. If a system needs to access a database and has the rights to access the database, encrypting the database cannot be relied on to protect against the compromise of that system. If that system can access the database, the compromised version of that system also can. A "solution" that creates obscurity but doesn't actually solve the problem should not be presented as a solution. It's dangerous and counterproductive.

What primary key for person?

[tepples]

What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?

Re:What primary key for person?

[sribe]

What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?

At least in the U.S., there is none. But pretending that the SSN is one does not make it so.

Re:What primary key for person?

[Minupla]

Lack of a single identifying number is not an insolible problem.

Take Canada for example. We have a social insurance number (SIN - way better acronym :)). It is ILLEGAL to require it for anything other then tax purposes (in effect that means your employer and your bank if you have a savings account for most people).

If you go to buy a car, and they want to pull a CB on you, you can say no. If you refuse to provide a SIN, they will match you based on a compound key. (Name, address, telephone, previous address etc).

Ya, some times you get a mismatch, but those are relativity rare and usually resolvable if the person who happens to generate a mismatch isn't attempting fraud. I doubt requiring that SIN would improve things, it'd just provide more opportunities for it to be stolen, as we see in the US.

Does fraud happen? Yep, or I'd be out of a job. Is it common? Nope.

Min

Re:What primary key for person?

[Waffle+Iron]

So everyone as a (mostly) unique ID handed out by the government. That can be used to try to uniquely identify individuals. Great.

But that in no way implies that the ID can be or should be sensitive information. In fact, any such use should be outlawed, IMHO. SSNs should NEVER be part of an algorithm used to validate one's identity for registration or sign-in (unless and until the government starts issuing tamper-resistant smart cards to enable two-factor authentication).

The whole problem is that right now it's trivially easy to provide someone else's SSN to lenders, etc., who incorrectly treat them as secrets. Thus it's trivial to fraudulently establish accounts under the wrong identity, which is the exact thing you said they need to avoid.

Re:What primary key for person?

Actually, pretending the SSN is not does not make it not!

Re:What primary key for person?

You're right that pretending that the SSN is one doesn't make it true. I suspect that there is none, anywhere, and that it is probably not possible to come up with such an identifier. It's a fact of life that we all have to deal with multiple identifiers, all of which are subject to change or being faked. Our institutions need to know this, deal with this, and accept some level of error.

Re:What primary key for person?

[ShanghaiBill]

What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?

Easy answer: SSNs. There is nothing wrong with using SSNs for identification . The problem is that we pretend like they are some sort of secret, and use them as authentication . That is stupid and it should be illegal for an financial institution to use them that way. People should be free to hand out their SSN, or even paint it on their mailbox, without fear of any consequences. We should just assume they are public knowledge.

Re:What primary key for person?

If the credit bureau has access to the SIN then it is being used for more than just tax purposes. Otherwise they could not look you up by SIN if you did offer it up.

Re:What primary key for person?

[AJWM]

The Canadian SIN also has a checksum digit, like credit card numbers, bar codes and ISBNs, but notably unlike US SSNs, which do not. Not necessarily a huge anti-fraud advantage (if you know the algorithm you can create a number with a valid check digit) but certainly proof against random data entry errors.

Although in some cases not having the latter may be seen as an advantage. (Somebody wants to use your SSN as a db key with no legal reason for it being your real SSN, you could just transpose a couple of digits instead of giving them your real one. It'll look like a data entry error. Warning, this may be illegal in some cases.)

Re:What primary key for person?

[chemicaldave]

To further compound the problem, SSNs are increasingly being used as both an identifier AND an authenticater!

Re:What primary key for person?

[sribe]

To further compound the problem, SSNs are increasingly being used as both an identifier AND an authenticater!

Don't you get it? The new standard, instead of two-factor authentication, we're moving to half-factor authentication. Or, for the cynical, half-ass-factor authentication.

Re:What primary key for person?

> pretending the SSN is not

A SSN is not. No need to pretend.

Re:What primary key for person?

[bogjobber]

Using SSNs for identification is foolish as well. They are not guaranteed to be unique identifiers (multiple people are sometimes issued the same SSN by the government and a whole lot more use someone else's SSN illegally), and not everybody is guaranteed to have one.

The system as designed was perfectly fine, because they never planned on using it for ID. But it's still operating largely as it did when it was first implemented even though it's now an ID card, so there are some half-assed hacks being made to try and make it marginally more secure. The government needs to just make a national ID card and be done with it.

I look at the whole picture for my clients

[Beryllium+Sphere(tm)]

Taking a step even further back to look at things beyond the state's control, why do we take for granted that "clicking on a malicious email link" is enough to transfer control of your computer to an attacker?

Zooming back in on SC, would encryption have even helped? The compromised credentials allowed for viewing the databases(*). That means they were also able to decrypt them

(*) Which invites the question of whether those permissions were too widely issued.

Re:I look at the whole picture for my clients

[gagol]

Insecure operating systems and client software is as much to blame here.

Question about network and data security

From someone who's pretty familiar with computers generally, but not really networking or database security:

Why not have a separate hardware-based system to control database and record access?

Let's say that in order for an administrative worker to access a record in a database, the system sends an automated request to the hardware controller of the storage medium. This hardware controller is connected to a separate terminal with all manners of statistics and controls on the pattern of access.

A computer requests access to every record? Then someone has to physically walk over and type YES on the terminal. A computer or department requests access to an unusually high number of records? Red flags appear and the responsible person can simply call someone in the department to ask what they are doing. An attack tactic of distributing requests could be defeated by snooping outbound traffic.

You could also have a separate hardware path for operations that need processing of every record rapidly, only to be done by computers in a "safe zone" not connected to the rest of network.

So a hardware access path to user systems that is presumed to be hacked at all times and hence statistically monitored and controlled, a hardware access path that is presumed trusted only for computers off the grid, and a hardware control path.

If you go with the notion that every system WILL be hacked eventually, then this seems like a way to limit damage greatly. Or?

Re:Question about network and data security

[tepples]

I don't see how your air gap solution can scale to an organization with millions of customers, such as the call center of an entire state's health system.

And if it the file had been encrypted?

That would've somehow made it magickally OK?

The Russian hackers (who aren't really at fault here) would've had all the time and resources needed to crack the file.

Or should we put the blame on Microsoft for STILL not securing their OS after billions of dollars thrown at it.

Or should we put the blame on the email program?

How about the developer of the anti-virus program the state purchased and spent hundreds of thousands of dollars on to prevent just this thing?

Or maybe we should blame the developer of the SMTP protocol?

Re:And if it the file had been encrypted?

[Skapare]

We should put the blame on a business/legal system that makes the false assumption that only the person identified by some number actually has or knows that number. Since we have to give out SSNs to so many places, our system needs to assume that by having the number, it in no way means the holder of the number is the person identified by it. An SSN is IDENTITY ONLY. It is NOT AUTHORIZATION, ever. It should be impossible for someone to open a bank account in someone ELSE's name. While that is a violation under existing law, it needs to be made equally liable on BOTH parties. If a bank is willing to open such an account, they MUST also be willing to accept the real person's say-so that it is not their account, and completely drop it, and pay the real person for all the damages and costs ... and not be required to be sued to get it. If they refuse and fail to prove that the identified person is lying, it's jail time, baby.

FYI, jail time for a company does not need to mean a PERSON at the company is jailed. It should mean the company itself is jailed ... shut down and non-operational. If it was a real person doing business, they cannot serve their customers while in jail. So the excuse "we need to have this company" operating does not fly. Shut the bank down for a week if they violate a law where, if a real individual had done so would land that individual in jail for a week.

don't secure it, take it away

[iggymanz]

there is no reason most govenment employees need a pc connected to the internet. they should be using the equivalent of a dumb terminal that can only access relevant apps running on a server. instead, government employees use their pc as entertainment device. past time to take away their toys and give them a one-use tool

Re:don't secure it, take it away

[Bearhouse]

This is modded insightful? There are plenty of reasons why a Gov.employee should be able to access the internet from their work device(s). Would be better to say that 1. Such access should be better protected and, 2. internal systems should be isolated from anything that (inevitably) slipped through

Re:don't secure it, take it away

[Guppy06]

there is no reason most govenment employees need a pc connected to the internet.

What makes "government employees" fundamentally different from "private sector employees?"

Re:don't secure it, take it away

[Skapare]

Encapsulate and isolate. The work devices should be used for work function, only. No PERSONAL surfing. In addition to that, all devices with access to sensitive data shall be completely separate from devices that can access the internet. The database itself must be fully secured. It does not need to store data encrypted, since it would just need to have keys to function. The data is going to be decrypted under process control. What needs to happen is to identify where process control can be bypassed. The glaring example is someone with access to the data on a laptop or tablet AND store the data there. The device can be stolen and access by NON-process means is possible (direct disk dump, for example). THIS is where the data needs to be encrypted with the key NOT stored on the device.

In the case of the South Carolina breach, the central database is not the issue. The PC that let someone into the data is the issue.

Re:don't secure it, take it away

The database itself must be fully secured. It does not need to store data encrypted, since it would just need to have keys to function.

No, that's insane. The database most certainly needs to store bank information encrypted. Yes, it would need to have names and SSNs unencrypted in order to perform queries, but there's no reason that credit card and bank information would have to be encrypted. You shouldn't be allowed to perform queries based on those anyway.

Re:don't secure it, take it away

[Skapare]

Nothing is gained by this. You still need to be able to decrypt in the process. And the database is part of the process. This is just silliness for manager to get brownie points.

Re:don't secure it, take it away

[iggymanz]

we taxpayers are paying their salaries, so I care about the government employee doing the work I am paying them to do. that is the only difference. sure, most private sector employees also do not need a pc connected to the internet

Publish Social Security Numbers

[Gim+Tom]

I am old enough to remember when social security numbers were of no value to anyone except the Social Security Administration. The back of large a large stack of wide green bar paper from a discarded mainframe printout was often used for drawing charts and diagrams for other business use. I used it often to draw state diagrams and flow charts for systems (this was LONG before Power Point and Visio). People also took stacks home for kids to draw and color on. Many times the front side of this paper was full of social security numbers and other data that, today, would be valuable to thieves.

The real problem is with social security numbers being used as a personal ID number and that banks and credit card companies rely on this number in this way. In pre-relational database days the number was often used as an index key for the databases of that era. It was and probably still is used as an index in some relational databases to this day even though it is not a good number to use for this since duplicate numbers are far more common than most people think ( we saw perhaps half a dozen per year per 100k social security numbers back in the 1980's)

Perhaps one solution to the problem of the social security number having value and thus being a target for theft, would be to publish everyone's social security number. Then it would be incumbent on the financial institutions to NOT use it as their primary means of ID for purposes of granting credit. Something that has no value is not often the target of a thief.

Re:Publish Social Security Numbers

[CodeBuster]

it would be incumbent on the financial institutions to NOT use it as their primary means of ID for purposes of granting credit.

The laws must be changed to say that a Social Security number, by itself, proves nothing. It should not prove that a debt exists or that any other legally binding agreement was entered into by anyone. As long as businesses can get away with using the SSN as both an identifier and an authentication, which is how this whole "identity theft" nonsense got started in the first place, they will continue to do so. Therefore, the only viable solution is to render the Social Security Number legally worthless as proof of anything. They ought to be just numbers, nothing more.

Re:Publish Social Security Numbers

[Skapare]

It should say that SSN is nothing more than identity (as if pointing at a person). It should specifically say that anyone (individual, business, or corporation) who assumes than an SSN is AUTHORIZATION shall be CRIMINALLY (as well as civilly) liable for having committed a crime of fraud upon the identified person.

Re:Publish Social Security Numbers

[DMUTPeregrine]

In addition, the entire database of SSNs should be published as public information. A reasonable time (say, ten years) until that date should be allowed to let businesses update their systems and people to understand that the SSN is an identifier only.

Re:well IT needs a union / engineer like signoffs

[hsmith]

Yes, that will fix things - unions. lol

Management needs to see that proper information security is necessary, nothing more. Hitting them with fines is where it really is.

Encryption Is Too Hard To Do?

Sorry, Nikki, but that makes you sound like Barbie saying 'Math is hard'. So much for countering sexist stereotypes.

"clicked on an email link?"

What in the hell kind of operating system gets infected by malware if you merely "click on an email link?" In no way should that run an executable or allow any privilege escalation without explicit permission.

Wanna bet this was a Windows system being used in a place where Windows has no business being used??? Windows is NOT secure for this kind of application, and should never be used in such mission critical systems.

The non-encrypted file isn't the main problem here

[maxwell+demon]

The non-encrypted file isn't the main problem here. Yes, the file should have been encrypted. But the main problem is that the attackers could get access to it by simply having the employee click on that email link. Clicking a link in an email should never ever enable an attacker, no matter how malicious, to access local files.

likey the same price to get new hardware / softwar

[Joe_Dragon]

likely the same price to get new hardware / software and in case of stuff like I-35 bridge collapse we have to wait for something bad to happen be for a issues that are push offed (like do to cost) get's fixed

Re:well IT needs a union / engineer like signoffs

[thrillseeker]

"Fining" taxpayer funded efforts is rather pointless.

This happens because of 'acceptable risk'

[onyxruby]

I have seen this kind of thing justified by upper management more times than I can count. The problem is that upper management literally does a Fight Club style calculation that says the costs of data breaches will be less than the costs of security. They /expect/ to have computers routinely hacked and owned by people with malicious intent.

Until the values assigned to the cost of data breaches go up or unless you have some kind of law (HIPAA, SOX etc) this kind of thing will only continue. Public notification laws are one the best things that can be done to prevent this. It's not that the IT pros don't know better, are unwilling to follow best practices or don't care. The problem is that the IT pros that secure these environments aren't allowed to do their job.

When upper management thinks that computer management and security have no value and that security breaches cost less than security this kind of thing is inevitable.

Re:This happens because of 'acceptable risk'

Do your really think that government would apply these sorts of standards to themselves? Not likely. They only apply these standards to outside organizations, they would never think to assume the costs themselves.

Re:The non-encrypted file isn't the main problem h

[Skapare]

I would agree. And it starts with taking over the users machine. Once that happens, all bets are off if that user had access rights to the data by some machine. Whether the data (elsewhere) was stored encrypted or not doesn't even matter. If this person had such access it would have to include decrypting it by some means and by that he would give the new owner of his machine full access to the data, too ... even if it wasn't on the same day he clicked the email. Both email reading and web browsing should never, ever, have any means to run any software on the machine. Ideally, people who do have such access should be doing that entirely on machines dedicated to that access which do nothing else (no mail reader, no web browser, etc).

The real blame for this goes to ...

[Skapare]

All those businesses and government agencies that allow merely having data, like that which was taken in this case, The fact that I can walk into any bank and open an account in YOUR NAME just because I have YOUR SSN does not mean that I AM YOU. But the vast majority of banks make that assumption. Lots of other businesses types make this kind of assumption, too. Many have expressly even said so. "This account has your SSN, so it must be your account".

The first law we need to have is one that allows people to deny an account. When they do, the only option for the business involved it so actually prove that PERSON (not someone who had their number) was the one that really opened it, or charged it, or whatever. If the named person asserts that it was not them (penalty of perjury, signed), then it must be disassociated with them everywhere immediately, as if it never happened. The only recourse to undo that is prove the named person lied by proving they actually did open the account or whatever was involved. And this law will clearly state that it must be the person, and not their numbers. And this law would have criminal penalties and jail time for anyone that still does stuff like trying to collect debts on this from the person so named once they assert it is not them.

The system of business we use should not, in any way, and under any circumstance, make ID theft be able to cause any harm to whoever's ID was taken. Things like an SSN should be nothing more than information to refer to a person, and not any indication of authorization.

Boost local economy?

[no-body]

$800,000 - improve information security systems, new IT jobs in SC?
$500,000 - SC police department job security?
$740,000 - USPS? - sure could need some juice there
$250,000 - ah - lawyers again
$12,000,000 - who would get that?


$14,290,000

Actually good if money moves rather than staying static in some folk's accounts waiting for it to increase bu other people's efforts.

Re:well IT needs a union / engineer like signoffs

[Ambassador+Kosh]

I am not sure about the union part but it absolutely should have engineer type signoffs. Just like other things require a certified engineer to sign off on something (with legal consequences) but also prevents businesses from just going ahead and doing stuff anyways.

However to go along with this would be the required education and certification to actually do the work to make sure the signoff is correct. I doubt that many people actually understand the work you have to do to become a certified engineer.

At the very least you should have to pass a test like the FE exam and later the PE exam if you want that signoff capability for IT. You should have to take appropriate courses also. You would also have to get the laws changed so that operations required that signoff.

well then IT will need tech schools / trades schoo

[Joe_Dragon]

well then IT will need tech schools / trades school as part of the required education and certification. As CS in college does not cover that or only does so on a very top level.

But you may need a Union so the boss can't say if you don't do the signoff we can find some one who will.

Re:well IT needs a union / engineer like signoffs

[KingMotley]

Maybe, or maybe the guy that caused the project's costs to get overrun will answer to someone why he let it happen.

Re:The non-encrypted file isn't the main problem h

[Skapare]

The central database itself does not need to encrypted (doing so just means the decryption key has to be there, making the encryption pointless). It needs to be secured against any means of access that does not go through the process (locked building, restricted physical access to data center, armed guards, no internet access to that whole room, etc). Thieves should not be able to get in there at all.

But any data being stored outside needs to be encrypted, and have data compartmentalization on that. There should be no data usable by anyone that steals it. The access process itself should never let the data be outside of its control (it encrypts it if the data goes to storage ... or just prevents it from being stored). Such devices need to have encrypted swap, if any at all.

It's not a problem...

The Gov. checked and his SS # and bank account # was not among the list that was hack'd,
more importantly, no one on his staff, close friends, family, and his dog either (the dog's account,
if you should ask, is the laundry account).

Republicans feel this way; it's just the way they are. Very sad...

Re:The non-encrypted file isn't the main problem h

[AJWM]

The central database itself does not need to encrypted

Yeah it does.

(doing so just means the decryption key has to be there, making the encryption pointless)

No it doesn't. The decryption key has to be somewhere, sure, but it can (and should) be provided along with the query extracting the information. Put the keys in the middleware layer (which should reside on a whole different set of servers), not in the DB.

Compliance does that, regulations prohibit securit

[raymorris]

I work for a state agency doing IT. Our state is just as bad because a) IT people aren't trained properly in security and b) "security" regulations prohibit actual security. It often happens that a secure design can't be used because it wouldn't be in compliance with laws and regulations, so an insecure system must be used. For example, last week we needed a secure hash token to secure a transaction. SHA-128 or 256 was the right way to do it, but the law says all hashes must be MD5 (which has been broken for several years). MD5 wouldn't work, so we went with NO security token in order to comply with "security" regulations. Accrediting security engineers the same way we do mechanical engineers and requiring that systems get signed off by a licensed security person would work FAR better. There is no way I'd sign off on most of our stuff without some significant, but simple and obvious fixes. Another example - regulations say employee passwords must be changed every 90 days, and must include a number, so everyone has a simple incrementing password, typically myname1, myname2, myname3, etc. Those same policies limit passwords to only EIGHT characters. If I had to sign off the security, as opposed to following bureaucratic regulations, the first change would be that pass phrases should be 14 characters minimum.

Re:well IT needs a union / engineer like signoffs

[Jawnn]

I'd love to spend my mod points on you, brother, but your sage words deserve more....

I am not sure about the union part but it absolutely should have engineer type signoffs.

Most engineers in charge of building things that can hurt people of those things fail are required to prove their expertise and conform to both a professional code of conduct and civil codes that define a framework within which the engineer's must be done. Information technology has no such thing, and as others have already observed, this allows bean-counters, PHB's, and frankly, IT "engineers" who lack the requisite expertise, to put systems in place that have nowhere near the proper level of security measures around those systems. We've seen a few attempts from various sectors (HIPAA, PCI, SOX) to force some standards and accountability on entities in those sectors, but it's a patchwork of bureaucratic noise that, most often, doesn't result in the desired level of security. The one partial exception is PCI. If you are a vendor large enough to fall into the "Level 1" category, your stuff must be reviewed regularly by a third party. That rule is enforced by the banks, whose money is at risk. They really don't give a rat's ass about card-holders.
And that is the problem. The SC Dept. of Revenue didn't have enough skin in the game to give a shit about, so they didn't. That needs to change. If you're going to build things that can hurt people when they fail, be those things skyscrapers, bridges, airplanes, or information security systems, you should have to prove that you know what you are doing and have your work reviewed by someone else who knows what they're doing.

The law is the problem

[raymorris]

The law often causes information security problems in my state. The laws and regulations reflect what some politician thought sounded good twenty years ago, when the law was written. For example, mandating MD5, which is broken, whenever a hash is used. Since hashes can only be MD5, SHA256 is illegal. Sometimes we have to use no hash at all when MD5 won't work. We would make things much more secure if the law didn't get in the way.

Mod raymorris up... apk

Sounds like he's "telling it how it really is" from a standpoint of guys attempting to DO THE JOB RIGHT, but have their hands tied...

* VERY INFORMATIVE... & sounds like a few of the "regulations" need redesign/rethinking (ala your example on encryption levels used)!

APK

P.S.=> Good post - enlightening in fact!

... apk

Government needs to address and solve it

[bussdriver]

Identity and Authentication are government problems that need to be addressed.
Regulations regarding the use of ID and authentication need to also exist. A company should have to fight to get approval for demanding Identification from a consumer. The SSN system needs upgrading; including the ENFORCEMENT of the laws passed a century ago banning the use of SSN as a unique identifier outside of SS. The replacement ID needs to include a name, photo, fingerprint... and like I said already, strict rules on where it can be required. ALSO, some nations have regulations requiring IN-PERSON identification for certain things - making automated identity attacks implausible.

Authentication does not have to involve identity, but some corps want to FORCE the two to be the same and that requires laws (aka regulation.)

Also, a government system can be put in place to verify your AGE without giving away your ID - so you can go to a bar without that bar selling your data to an aggregation company profiling you for others. A digital signing system can provide authentication absent of identification for: AGE, LEGAL CERTIFICATIONS / PRIVILEGES (driving or even public officials), and even incorporation could be signed by the state. These are things that are done with an old insecure methods already today. A card with 2D barcodes could provide many forms of authentication; and each could be handled separately so your BAR couldn't see you were also a cop when they checked your age. Yes, your face could be on the card to prevent borrowing of them but your NAME doesn't need to be.

Re:well then IT will need tech schools / trades sc

[lgw]

This works fine for Professional Engineers (PEs) in civil engineering with no union. PEs are hard to come by, and if you sign off on something you shouldn't you lose your PE cert (and may face harsher penalties). Your boss can't push you around when you're hard to replace, and you face worse penalties for letting him than merely being fired.

Unions remove worker accountability, never the other way.

Re:The non-encrypted file isn't the main problem h

[lgw]

Clicking a link in an email should never ever enable an attacker, no matter how malicious, to access local files.

When you find a way to make that true, make sure to let the entire security industry know. Drive-by malware is pretty bad these days - between Java and Adobe products, almost any end-user is going to be running some sort of scripting engine in his browser, and none of the sandboxing is ever perfect. "Local files" are a particularly easy target, because you generally don't even need root, just some flash/pdf/java/whatever exploit to do some file reads as the logged-on user.

The burning question...

How can this help Stephen Colbert become Jim DeMint's replacement?

Re:well IT needs a union / engineer like signoffs

[lucm]

I am not sure about the union part but it absolutely should have engineer type signoffs. Just like other things require a certified engineer to sign off on something (with legal consequences) but also prevents businesses from just going ahead and doing stuff anyways.

However to go along with this would be the required education and certification to actually do the work to make sure the signoff is correct. I doubt that many people actually understand the work you have to do to become a certified engineer.

At the very least you should have to pass a test like the FE exam and later the PE exam if you want that signoff capability for IT. You should have to take appropriate courses also. You would also have to get the laws changed so that operations required that signoff.

I once had to deal with a client whose IT manager refused to encrypt the SAN, refused to encrypt the databases and saw no point in filtering the traffic between Development and Production servers. Apparently this was all overkill. And guess what, that IT manager was an engineer.

An engineer ring does not make one any wiser.

Re:well IT needs a union / engineer like signoffs

[slick7]

Yes, that will fix things - unions. lol.

And Star Wars shows how not to be a repressive government. 1984 is not just a book, it's a blueprint.

Where oh where is Steven Colbert?

Where oh were is Steven Colbert? ...And where is the account number to his private SuperPAC?

Re:The non-encrypted file isn't the main problem h

[maxwell+demon]

Just having the browser and email program running under a separate user account from the internal stuff would go a long way at protecting local files.

Re:well IT needs a union / engineer like signoffs

This. Under certain circumstances, IT needs to be able to legally tell corrupt bosses and corrupt politicians NO, that is not how things are done and won't be done this time.

Unfortunately, that is going to take a long time. The first and logical response in this hellhole of a "free market" we have is that employers will get rid of/terminate the contracts of people who say things like that and get others to say their ideas are OK. This even happens with engineers today to some extent. Since a lot of systems are totally insecure, and yet not breached (mostly due to lack of being targeted) the bosses have "evidence" that it's OK to cut corners. So then you get into mandatory security audits which again will turn into things like what keeps happening with SCADA systems--where companies that do a good job and point out flaws aren't exactly at the top of everyone's go-to list while those that will sign off on anything are immensely popular with non-IT people who think connecting utility control systems to the Internet is a good idea. It is unfortunately going to take a long time to put in place the framework to accomplish this, but it probably needs to be done. It'll take some of the fun out of the profession, but it will also eventually remove a lot of unqualified idiots from the profession and that's not such a bad thing in the long run.

There will be obstacles and serious ones. In this specific instance of course we're talking about South Carolina, where they have a batshit-crazy governor who is vehemently anti-worker and pro-corporation, and things like that don't help matters one bit. The last thing that's going to happen there is anybody taking direction from people who actually have knowledge and work for a living.

Y'ALL Blow my little mind

As I study your collective comments I am vrey impressed. all are exceptional, in their own way! But the under reoccuring theme in all of them is "THIS IS SERIOUS BUSINESS! MAYBE EVEN WORSE THAN YOUR HOSPITAL VISIT" My humble opinion is yes of course they should have certified IT pros making the decisions not some politician with a axe to grind or a palm to wet, even though there are only a few bad apple politicians we all know some can be biased Y'all are brilliant Tj

IT security not worth the cost in SC.

It's south carolina, it's a assbackards state. I'm surprised they could find people to cobble together an managed IT system. IT Security? Pfft that's too hard for them. The state doesn't even have an NFL team. The biggest employers in the state are the SC goverment and a university. Most of the people in that state are poor and don't even have a computer. Good luck trying to steal 1 dollar from an overdrawn bank account, or getting declined when trying to open a line of credit for 100 dollars. It's like building a 2 million dollar vault to protect a 12 year old pizza.
 

Protect yourself-don't give it to anyone who asks

Just one comment here...just because someone ASKS for your social security number doesn't me you have to GIVE it to them.

Nearly every doctor's office I visit has a place on the form for the SSN...and I refuse to give it to them. I simply leave it blank. Only once can I remember someone bugging me about it (an urgent care visit about 2 months ago) and I flat out told them they were not getting it. They said they "needed it to identify me with the insurance company." I slapped my insurance card down, pointed to the number on the front of it, and said "THAT's how you identify me with the insurance company." When the intake admin continued to make lame excuses as to why they needed it I finally asked them if they were refusing me treatment...and golly gee, I got to see a doctor without any more issues.

I had a medical bill go to collections once and when I called to make a payment the jerk on the other end of the phone said he needed my SSN before he could take a payment. After informing him he wasn't getting it, and going back and forth with him for a few minutes, I finally asked him "are you refusing my payment?" After a long pause...gee...he took my credit card number.

Too many people, trying to be helpful, will give others personal information that they should not give out just because someone asks for it. Always, always, ALWAYS ask yourself if someone requesting your SSN really needs it. Odds are, if it isn't tied to reporting taxes (such as a bank account or some such), they don't need it. Find out for sure before you give it to anyone...because once you offer it up it is theirs for the keeping.