Slashdot Mirror
South Carolina Shows How Not To Do Security
CowboyRobot writes "Earlier this year, the state's Department of Revenue was storing 3.3 million bank account numbers, as well as 3.8 million tax returns containing Social Security numbers for 1.9 million children and other dependents, in an unencrypted format. After a state employee clicked on a malicious email link, an attacker was able to obtain copies of those records. It's easy to blame the breach on 'Russian hackers' but who is really to blame? 'The state's leadership, from the governor on down, failed to take information security seriously or to correctly gauge the financial risk involved. As a result, taxpayers will pay extra to clean up the mess. Beyond the $800,000 that the state will spend — and should have already spent — to improve its information security systems, $500,000 will go to the data breach investigation, $740,000 to notify consumers and businesses, $250,000 for legal and PR help, and $12 million for identity theft monitoring services.'"
So $2 million to actually respond to and work on fixing the problem, and $12 million to snake oil. Brilliant.
The point is exactly this, many organizations just keep their data in any convenient format, even it is excel spreadsheets. This are one of the things it is hard to understand, if you want work well done, you call a plumber, and electrician, and they have to be certified, and many years of experience, references, whatever more. And then when it comes to sensitive data that can mean to put people in peril of theft identity, people do it by themselves, or just hire a nobody to do it. ...
I find it kind of amazing that there isn't a law in place defining how personal data is stored in North Carolina. Now, having said that, I have no idea what kind of laws are in place for other jurisdictions. Are there any lawyers out there that can comment?
Hopefully, the people responsible for the design and sign off of the server data architecture were in the 2M plus people who's information was compromised.
myke
Mimetics Inc. Twitter
Outside / 3rd party contractors to blame?
Do they have of staff IT workers or has parts / all of the IT be push to contractors? some times even ones that sub out work / hiring to other contractors?
They add alot of overhead and at times make it hard for a worker who works for a sub to get some things done / add a long paper work / red tape process to get stuff fixed.
It appears as though authentication was bypassed via a malicious email(probably from an SQL injection attack). Then, sensitive data that was NOT encrypted(but should have been) was obtained(Bank Account Numbers, SSN's, etc.). Did you read the article?
I generally find it safe to assume that State of South Carolina does not show the way on how to do anything.
By a curious coincidence, $800,000 is exactly the same "cost of damages" that was levelled at Gary McKinnon for his amateurish computer escapades. ($800,000 being the "fix it" figure, not counting $13.5 million in other costs mentioned). So for Gary McKinnon, $800,000 in damages equals extradition and 60 years in prison. Will whoever was responsible for failing to implement a proper IS policy be expecting a similar visit from the Feds?
Of course not. Punishment is reserved for shifting blame onto others, not for disciplining people who do things wrong.
Who's to blame? In good part it's every single company and organization in this country that tries to use people's SSNs as some kind of secret PIN or ID. It's not.
It's a non-changing lifetime number that you have to hand over to just about every doctor's office receptionist, insurance agent, and offshored credit card phone lackey that you deal with. *Nothing* of value should depend on SSNs being kept private in any way, shape or form. You reveal this number to thousands of people over your lifetime, few of which you have any reason to trust.
Lately, companies seem to try to address this issue by truncating the SSN to its last 4 digits, then treating that portion as both the secret PIN and the part that can be publicly shown. Sheer idiocy.
well IT needs a union / engineer like signoffs so the IT works can't be pushed around by NON tech PHB's that may buy stuff on the golf course with no IT input or rank IT people my number of tickets and or call times. Even to the point saying we can't buy new software / hardware so find a work around to make X app work in the new OS / workflow even if it does have good security.
Even if the SSNs had been encrypted, the application running on the server still needs access to the SSNs, which means it needs the keys with which the SSNs are encrypted. So anybody who compromises the server on which the application is run, or any machine authorized to connect to that server and view SSNs, compromises the SSNs.
What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?
Taking a step even further back to look at things beyond the state's control, why do we take for granted that "clicking on a malicious email link" is enough to transfer control of your computer to an attacker?
Zooming back in on SC, would encryption have even helped? The compromised credentials allowed for viewing the databases(*). That means they were also able to decrypt them
(*) Which invites the question of whether those permissions were too widely issued.
I don't see how your air gap solution can scale to an organization with millions of customers, such as the call center of an entire state's health system.
there is no reason most govenment employees need a pc connected to the internet. they should be using the equivalent of a dumb terminal that can only access relevant apps running on a server. instead, government employees use their pc as entertainment device. past time to take away their toys and give them a one-use tool
I am old enough to remember when social security numbers were of no value to anyone except the Social Security Administration. The back of large a large stack of wide green bar paper from a discarded mainframe printout was often used for drawing charts and diagrams for other business use. I used it often to draw state diagrams and flow charts for systems (this was LONG before Power Point and Visio). People also took stacks home for kids to draw and color on. Many times the front side of this paper was full of social security numbers and other data that, today, would be valuable to thieves.
The real problem is with social security numbers being used as a personal ID number and that banks and credit card companies rely on this number in this way. In pre-relational database days the number was often used as an index key for the databases of that era. It was and probably still is used as an index in some relational databases to this day even though it is not a good number to use for this since duplicate numbers are far more common than most people think ( we saw perhaps half a dozen per year per 100k social security numbers back in the 1980's)
Perhaps one solution to the problem of the social security number having value and thus being a target for theft, would be to publish everyone's social security number. Then it would be incumbent on the financial institutions to NOT use it as their primary means of ID for purposes of granting credit. Something that has no value is not often the target of a thief.
Yes, that will fix things - unions. lol
Management needs to see that proper information security is necessary, nothing more. Hitting them with fines is where it really is.
The non-encrypted file isn't the main problem here. Yes, the file should have been encrypted. But the main problem is that the attackers could get access to it by simply having the employee click on that email link. Clicking a link in an email should never ever enable an attacker, no matter how malicious, to access local files.
The Tao of math: The numbers you can count are not the real numbers.
likely the same price to get new hardware / software and in case of stuff like I-35 bridge collapse we have to wait for something bad to happen be for a issues that are push offed (like do to cost) get's fixed
"Fining" taxpayer funded efforts is rather pointless.
I have seen this kind of thing justified by upper management more times than I can count. The problem is that upper management literally does a Fight Club style calculation that says the costs of data breaches will be less than the costs of security. They /expect/ to have computers routinely hacked and owned by people with malicious intent.
Until the values assigned to the cost of data breaches go up or unless you have some kind of law (HIPAA, SOX etc) this kind of thing will only continue. Public notification laws are one the best things that can be done to prevent this. It's not that the IT pros don't know better, are unwilling to follow best practices or don't care. The problem is that the IT pros that secure these environments aren't allowed to do their job.
When upper management thinks that computer management and security have no value and that security breaches cost less than security this kind of thing is inevitable.
I would agree. And it starts with taking over the users machine. Once that happens, all bets are off if that user had access rights to the data by some machine. Whether the data (elsewhere) was stored encrypted or not doesn't even matter. If this person had such access it would have to include decrypting it by some means and by that he would give the new owner of his machine full access to the data, too ... even if it wasn't on the same day he clicked the email. Both email reading and web browsing should never, ever, have any means to run any software on the machine. Ideally, people who do have such access should be doing that entirely on machines dedicated to that access which do nothing else (no mail reader, no web browser, etc).
now we need to go OSS in diesel cars
All those businesses and government agencies that allow merely having data, like that which was taken in this case, The fact that I can walk into any bank and open an account in YOUR NAME just because I have YOUR SSN does not mean that I AM YOU. But the vast majority of banks make that assumption. Lots of other businesses types make this kind of assumption, too. Many have expressly even said so. "This account has your SSN, so it must be your account".
The first law we need to have is one that allows people to deny an account. When they do, the only option for the business involved it so actually prove that PERSON (not someone who had their number) was the one that really opened it, or charged it, or whatever. If the named person asserts that it was not them (penalty of perjury, signed), then it must be disassociated with them everywhere immediately, as if it never happened. The only recourse to undo that is prove the named person lied by proving they actually did open the account or whatever was involved. And this law will clearly state that it must be the person, and not their numbers. And this law would have criminal penalties and jail time for anyone that still does stuff like trying to collect debts on this from the person so named once they assert it is not them.
The system of business we use should not, in any way, and under any circumstance, make ID theft be able to cause any harm to whoever's ID was taken. Things like an SSN should be nothing more than information to refer to a person, and not any indication of authorization.
now we need to go OSS in diesel cars
$800,000 - improve information security systems, new IT jobs in SC?
$500,000 - SC police department job security?
$740,000 - USPS? - sure could need some juice there
$250,000 - ah - lawyers again
$12,000,000 - who would get that?
$14,290,000
Actually good if money moves rather than staying static in some folk's accounts waiting for it to increase bu other people's efforts.
I am not sure about the union part but it absolutely should have engineer type signoffs. Just like other things require a certified engineer to sign off on something (with legal consequences) but also prevents businesses from just going ahead and doing stuff anyways.
However to go along with this would be the required education and certification to actually do the work to make sure the signoff is correct. I doubt that many people actually understand the work you have to do to become a certified engineer.
At the very least you should have to pass a test like the FE exam and later the PE exam if you want that signoff capability for IT. You should have to take appropriate courses also. You would also have to get the laws changed so that operations required that signoff.
Computer modeling for biotech drug manufacturing is HARD!
We should put the blame on a business/legal system that makes the false assumption that only the person identified by some number actually has or knows that number. Since we have to give out SSNs to so many places, our system needs to assume that by having the number, it in no way means the holder of the number is the person identified by it. An SSN is IDENTITY ONLY. It is NOT AUTHORIZATION, ever. It should be impossible for someone to open a bank account in someone ELSE's name. While that is a violation under existing law, it needs to be made equally liable on BOTH parties. If a bank is willing to open such an account, they MUST also be willing to accept the real person's say-so that it is not their account, and completely drop it, and pay the real person for all the damages and costs ... and not be required to be sued to get it. If they refuse and fail to prove that the identified person is lying, it's jail time, baby.
FYI, jail time for a company does not need to mean a PERSON at the company is jailed. It should mean the company itself is jailed ... shut down and non-operational. If it was a real person doing business, they cannot serve their customers while in jail. So the excuse "we need to have this company" operating does not fly. Shut the bank down for a week if they violate a law where, if a real individual had done so would land that individual in jail for a week.
now we need to go OSS in diesel cars
well then IT will need tech schools / trades school as part of the required education and certification. As CS in college does not cover that or only does so on a very top level.
But you may need a Union so the boss can't say if you don't do the signoff we can find some one who will.
Maybe, or maybe the guy that caused the project's costs to get overrun will answer to someone why he let it happen.
The central database itself does not need to encrypted (doing so just means the decryption key has to be there, making the encryption pointless). It needs to be secured against any means of access that does not go through the process (locked building, restricted physical access to data center, armed guards, no internet access to that whole room, etc). Thieves should not be able to get in there at all.
But any data being stored outside needs to be encrypted, and have data compartmentalization on that. There should be no data usable by anyone that steals it. The access process itself should never let the data be outside of its control (it encrypts it if the data goes to storage ... or just prevents it from being stored). Such devices need to have encrypted swap, if any at all.
now we need to go OSS in diesel cars
The central database itself does not need to encrypted
Yeah it does.
(doing so just means the decryption key has to be there, making the encryption pointless)
No it doesn't. The decryption key has to be somewhere, sure, but it can (and should) be provided along with the query extracting the information. Put the keys in the middleware layer (which should reside on a whole different set of servers), not in the DB.
-- Alastair
I work for a state agency doing IT. Our state is just as bad because a) IT people aren't trained properly in security and b) "security" regulations prohibit actual security. It often happens that a secure design can't be used because it wouldn't be in compliance with laws and regulations, so an insecure system must be used. For example, last week we needed a secure hash token to secure a transaction. SHA-128 or 256 was the right way to do it, but the law says all hashes must be MD5 (which has been broken for several years). MD5 wouldn't work, so we went with NO security token in order to comply with "security" regulations. Accrediting security engineers the same way we do mechanical engineers and requiring that systems get signed off by a licensed security person would work FAR better. There is no way I'd sign off on most of our stuff without some significant, but simple and obvious fixes. Another example - regulations say employee passwords must be changed every 90 days, and must include a number, so everyone has a simple incrementing password, typically myname1, myname2, myname3, etc. Those same policies limit passwords to only EIGHT characters. If I had to sign off the security, as opposed to following bureaucratic regulations, the first change would be that pass phrases should be 14 characters minimum.
I am not sure about the union part but it absolutely should have engineer type signoffs.
Most engineers in charge of building things that can hurt people of those things fail are required to prove their expertise and conform to both a professional code of conduct and civil codes that define a framework within which the engineer's must be done. Information technology has no such thing, and as others have already observed, this allows bean-counters, PHB's, and frankly, IT "engineers" who lack the requisite expertise, to put systems in place that have nowhere near the proper level of security measures around those systems. We've seen a few attempts from various sectors (HIPAA, PCI, SOX) to force some standards and accountability on entities in those sectors, but it's a patchwork of bureaucratic noise that, most often, doesn't result in the desired level of security. The one partial exception is PCI. If you are a vendor large enough to fall into the "Level 1" category, your stuff must be reviewed regularly by a third party. That rule is enforced by the banks, whose money is at risk. They really don't give a rat's ass about card-holders.
And that is the problem. The SC Dept. of Revenue didn't have enough skin in the game to give a shit about, so they didn't. That needs to change. If you're going to build things that can hurt people when they fail, be those things skyscrapers, bridges, airplanes, or information security systems, you should have to prove that you know what you are doing and have your work reviewed by someone else who knows what they're doing.
The law often causes information security problems in my state. The laws and regulations reflect what some politician thought sounded good twenty years ago, when the law was written. For example, mandating MD5, which is broken, whenever a hash is used. Since hashes can only be MD5, SHA256 is illegal. Sometimes we have to use no hash at all when MD5 won't work. We would make things much more secure if the law didn't get in the way.
Identity and Authentication are government problems that need to be addressed.
Regulations regarding the use of ID and authentication need to also exist. A company should have to fight to get approval for demanding Identification from a consumer. The SSN system needs upgrading; including the ENFORCEMENT of the laws passed a century ago banning the use of SSN as a unique identifier outside of SS. The replacement ID needs to include a name, photo, fingerprint... and like I said already, strict rules on where it can be required. ALSO, some nations have regulations requiring IN-PERSON identification for certain things - making automated identity attacks implausible.
Authentication does not have to involve identity, but some corps want to FORCE the two to be the same and that requires laws (aka regulation.)
Also, a government system can be put in place to verify your AGE without giving away your ID - so you can go to a bar without that bar selling your data to an aggregation company profiling you for others. A digital signing system can provide authentication absent of identification for: AGE, LEGAL CERTIFICATIONS / PRIVILEGES (driving or even public officials), and even incorporation could be signed by the state. These are things that are done with an old insecure methods already today. A card with 2D barcodes could provide many forms of authentication; and each could be handled separately so your BAR couldn't see you were also a cop when they checked your age. Yes, your face could be on the card to prevent borrowing of them but your NAME doesn't need to be.
Democracy Now! - uncensored, anti-establishment news
This works fine for Professional Engineers (PEs) in civil engineering with no union. PEs are hard to come by, and if you sign off on something you shouldn't you lose your PE cert (and may face harsher penalties). Your boss can't push you around when you're hard to replace, and you face worse penalties for letting him than merely being fired.
Unions remove worker accountability, never the other way.
Socialism: a lie told by totalitarians and believed by fools.
Clicking a link in an email should never ever enable an attacker, no matter how malicious, to access local files.
When you find a way to make that true, make sure to let the entire security industry know. Drive-by malware is pretty bad these days - between Java and Adobe products, almost any end-user is going to be running some sort of scripting engine in his browser, and none of the sandboxing is ever perfect. "Local files" are a particularly easy target, because you generally don't even need root, just some flash/pdf/java/whatever exploit to do some file reads as the logged-on user.
Socialism: a lie told by totalitarians and believed by fools.
I am not sure about the union part but it absolutely should have engineer type signoffs. Just like other things require a certified engineer to sign off on something (with legal consequences) but also prevents businesses from just going ahead and doing stuff anyways.
However to go along with this would be the required education and certification to actually do the work to make sure the signoff is correct. I doubt that many people actually understand the work you have to do to become a certified engineer.
At the very least you should have to pass a test like the FE exam and later the PE exam if you want that signoff capability for IT. You should have to take appropriate courses also. You would also have to get the laws changed so that operations required that signoff.
I once had to deal with a client whose IT manager refused to encrypt the SAN, refused to encrypt the databases and saw no point in filtering the traffic between Development and Production servers. Apparently this was all overkill. And guess what, that IT manager was an engineer.
An engineer ring does not make one any wiser.
lucm, indeed.
Yes, that will fix things - unions. lol.
And Star Wars shows how not to be a repressive government. 1984 is not just a book, it's a blueprint.
The mind conceives, the body achieves, the spirit manifests.
Just having the browser and email program running under a separate user account from the internal stuff would go a long way at protecting local files.
The Tao of math: The numbers you can count are not the real numbers.