South Carolina Shows How Not To Do Security
CowboyRobot writes "Earlier this year, the state's Department of Revenue was storing 3.3 million bank account numbers, as well as 3.8 million tax returns containing Social Security numbers for 1.9 million children and other dependents, in an unencrypted format. After a state employee clicked on a malicious email link, an attacker was able to obtain copies of those records. It's easy to blame the breach on 'Russian hackers' but who is really to blame? 'The state's leadership, from the governor on down, failed to take information security seriously or to correctly gauge the financial risk involved. As a result, taxpayers will pay extra to clean up the mess. Beyond the $800,000 that the state will spend — and should have already spent — to improve its information security systems, $500,000 will go to the data breach investigation, $740,000 to notify consumers and businesses, $250,000 for legal and PR help, and $12 million for identity theft monitoring services.'"
So $2 million to actually respond to and work on fixing the problem, and $12 million to snake oil. Brilliant.
The point is exactly this: many organizations just keep their data in any convenient format, even if it is Excel spreadsheets. This is one of the things that is hard to understand. If you want work well done, you call a plumber or an electrician, and they have to be certified, with many years of experience, references, whatever more. And then when it comes to sensitive data that can put people in peril of identity theft, people do it by themselves, or just hire a nobody to do it. ...
Outside / 3rd party contractors to blame?
Do they have on-staff IT workers, or have parts / all of the IT been pushed to contractors? Sometimes even ones that sub out work / hiring to other contractors?
They add a lot of overhead and at times make it hard for a worker who works for a sub to get some things done / add a long paperwork / red tape process to get stuff fixed.
It appears as though authentication was bypassed via a malicious email (probably from an SQL injection attack). Then, sensitive data that was NOT encrypted (but should have been) was obtained (bank account numbers, SSNs, etc.). Did you read the article?
I generally find it safe to assume that State of South Carolina does not show the way on how to do anything.
By a curious coincidence, $800,000 is exactly the same "cost of damages" that was levelled at Gary McKinnon for his amateurish computer escapades. ($800,000 being the "fix it" figure, not counting $13.5 million in other costs mentioned). So for Gary McKinnon, $800,000 in damages equals extradition and 60 years in prison. Will whoever was responsible for failing to implement a proper IS policy be expecting a similar visit from the Feds?
Of course not. Punishment is reserved for shifting blame onto others, not for disciplining people who do things wrong.
Who's to blame? In good part it's every single company and organization in this country that tries to use people's SSNs as some kind of secret PIN or ID. It's not.
It's a non-changing lifetime number that you have to hand over to just about every doctor's office receptionist, insurance agent, and offshored credit card phone lackey that you deal with. *Nothing* of value should depend on SSNs being kept private in any way, shape or form. You reveal this number to thousands of people over your lifetime, few of which you have any reason to trust.
Lately, companies seem to try to address this issue by truncating the SSN to its last 4 digits, then treating that portion as both the secret PIN and the part that can be publicly shown. Sheer idiocy.
Well, IT needs a union / engineer-like signoffs so the IT workers can't be pushed around by non-tech PHBs that may buy stuff on the golf course with no IT input, or rank IT people by number of tickets and/or call times. Even to the point of saying we can't buy new software / hardware, so find a workaround to make X app work in the new OS / workflow even if it does have good security.
There is no reason most government employees need a PC connected to the internet. They should be using the equivalent of a dumb terminal that can only access relevant apps running on a server. Instead, government employees use their PC as an entertainment device. Past time to take away their toys and give them a one-use tool.
What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?
At least in the U.S., there is none. But pretending that the SSN is one does not make it so.
Even if the SSNs had been encrypted, the application running on the server still needs access to the SSNs, which means it needs the keys with which the SSNs are encrypted. So anybody who compromises the server on which the application is run, or any machine authorized to connect to that server and view SSNs, compromises the SSNs.
That is not an excuse not to encrypt. Encrypting data and putting the key in a file called encryption.key would be sufficient to stop casual perusal of the data. Each additional level of obscurity beyond that raises the time and knowledge required to locate, understand and decrypt the data. Most people are out for a quick win and are not interested in reverse engineering your architecture.
Conversely, if someone knows what they want, where it is and what is necessary to get it, then you've got a problem that goes well beyond key management.
There are ways around this. For example the SSNs could be stored as a hash and referred to as a hash.
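The preceding comments argue about whether encrypting the SSN column helps when the application needs the key anyway, and this one suggests storing and referring to SSNs as a hash. The example below is added here and is not code from the article or from any South Carolina system; it shows the form of that idea a practitioner would actually deploy: a keyed hash (HMAC-SHA256) rather than a bare hash, because an SSN has only nine digits and an unkeyed hash of it can be recomputed by anyone who has the hash table. The records, ids and key-generation helper are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: made-up ids and made-up SSNs, not real data.
SAMPLE_RECORDS = [
    {"id": "acct-001", "name": "A. Taxpayer", "ssn": "123-45-6789"},
    {"id": "acct-002", "name": "B. Taxpayer", "ssn": "987-65-4321"},
]


def normalize_ssn(ssn: str) -> str:
    """Strip formatting so '123-45-6789' and '123456789' produce the same token."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("an SSN must contain exactly nine digits")
    return digits


def pseudonymize_ssn(ssn: str, key: bytes) -> str:
    """Return a keyed hash (HMAC-SHA256, hex) of the normalized SSN.

    The input space is only 10**9 values, so a plain SHA-256 of the digits
    would not protect anything: the whole table could be recomputed. The HMAC
    key is what makes the stored token useless on its own, so the key must
    live outside the database (a key service or HSM, or at minimum a
    separately protected file with its own access controls).
    """
    data = normalize_ssn(ssn).encode("ascii")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_index(records, key: bytes) -> dict:
    """Map token -> record id. The table that is queried never holds an SSN."""
    index = {}
    for record in records:
        index[pseudonymize_ssn(record["ssn"], key)] = record["id"]
    return index


def lookup_by_ssn(index: dict, ssn: str, key: bytes):
    """Resolve an SSN presented at lookup time to a record id (or None)."""
    return index.get(pseudonymize_ssn(ssn, key))


def new_key() -> bytes:
    """Generate a 256-bit key. Hypothetical helper: in production the key
    comes from the key store, it is never generated next to the data."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_key()
    index = build_index(SAMPLE_RECORDS, key)
    # Formatting differences do not matter; the key does.
    print(lookup_by_ssn(index, "123 45 6789", key))        # acct-001
    print(lookup_by_ssn(index, "123-45-6789", new_key()))  # None
```

Two design points worth noting: the token is deterministic, so it still works as a lookup key (the use case the comment describes), and losing or rotating the key means rebuilding the index from the authoritative source, which is one reason the pseudonymized copy belongs in the exposed system and the raw data stays behind the access process.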
Also the server this application runs on is connected to the internet why?
Lack of a single identifying number is not an insoluble problem.
Take Canada for example. We have a social insurance number (SIN - way better acronym :)). It is ILLEGAL to require it for anything other than tax purposes (in effect that means your employer and your bank if you have a savings account, for most people).
If you go to buy a car, and they want to pull a CB on you, you can say no. If you refuse to provide a SIN, they will match you based on a compound key. (Name, address, telephone, previous address etc).
Ya, sometimes you get a mismatch, but those are relatively rare and usually resolvable if the person who happens to generate a mismatch isn't attempting fraud. I doubt requiring the SIN would improve things; it'd just provide more opportunities for it to be stolen, as we see in the US.
Does fraud happen? Yep, or I'd be out of a job. Is it common? Nope.
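The compound-key matching this commenter describes (name, address, telephone, previous address) is straightforward to implement, and the interesting part is handling the mismatches the comment mentions. The example below is added here and is not the commenter's code or any credit bureau's; it normalizes each field before comparing, scores a candidate by how many fields agree, and routes a partial match to review rather than silently accepting or rejecting it. The records, applicants and weights are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    record_id: str
    name: str
    address: str
    phone: str
    previous_address: str = ""


# Constructed sample file of existing customer records (made-up data).
SAMPLE_RECORDS = [
    Person("r1", "Jane Q. Public", "12 Main St, Apt 4", "(555) 010-1234", "9 Elm Ave"),
    Person("r2", "John Public", "77 Oak Rd", "555-010-9999"),
    Person("r3", "Jane Public", "300 Pine Blvd", "+1 555 010 5555"),
]


def norm_text(value: str) -> str:
    """Lowercase, replace punctuation with spaces, collapse whitespace."""
    cleaned = re.sub(r"[^a-z0-9 ]", " ", value.lower())
    return " ".join(cleaned.split())


def norm_phone(value: str) -> str:
    """Keep digits only; drop a leading country code 1 on 11-digit numbers."""
    digits = re.sub(r"\D", "", value)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def match_score(a: Person, b: Person) -> int:
    """Score agreement on the compound key: name, phone, and address history.
    Each field is worth 2, so a score of 4 means two independent fields agree."""
    score = 0
    if norm_text(a.name) == norm_text(b.name):
        score += 2
    phone_a = norm_phone(a.phone)
    if phone_a and phone_a == norm_phone(b.phone):
        score += 2
    # A current address that matches the other side's previous address still
    # counts: people move, and that is exactly what the previous-address field is for.
    addrs_a = {norm_text(a.address), norm_text(a.previous_address)} - {""}
    addrs_b = {norm_text(b.address), norm_text(b.previous_address)} - {""}
    if addrs_a & addrs_b:
        score += 2
    return score


def resolve(applicant: Person, records, threshold: int = 4):
    """Return ('match', record), ('review', candidates) or ('no_match', None).

    Exactly one strong candidate is a match. Several strong candidates, or
    only weak ones (a single field agreeing), go to a human: that is where
    an honest move-and-new-phone and an attempted second identity both land.
    """
    scored = [(match_score(applicant, r), r) for r in records]
    strong = [r for s, r in scored if s >= threshold]
    if len(strong) == 1:
        return "match", strong[0]
    if len(strong) > 1:
        return "review", strong
    weak = [r for s, r in scored if s >= 2]
    if weak:
        return "review", weak
    return "no_match", None


if __name__ == "__main__":
    # Same person as r1, now living at her old previous address, phone with a country code.
    applicant = Person("new", "jane q public", "9 ELM AVE", "1-555-010-1234")
    print(resolve(applicant, SAMPLE_RECORDS))   # ('match', r1)
    # Same name as r3 but nothing else agrees: needs a human look, not an automatic yes.
    print(resolve(Person("new", "Jane Public", "1 Unknown Ln", "555-000-0000"), SAMPLE_RECORDS))
```

The weights are deliberately simple; a real implementation would also compare date of birth and use fuzzy name matching, but the structure (normalize, score, and send ambiguous cases to review rather than guessing) is what makes the "no SIN required" flow workable.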
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
"Fining" taxpayer funded efforts is rather pointless.
I have seen this kind of thing justified by upper management more times than I can count. The problem is that upper management literally does a Fight Club style calculation that says the costs of data breaches will be less than the costs of security. They /expect/ to have computers routinely hacked and owned by people with malicious intent.
Until the values assigned to the cost of data breaches go up, or unless you have some kind of law (HIPAA, SOX etc.), this kind of thing will only continue. Public notification laws are one of the best things that can be done to prevent this. It's not that the IT pros don't know better, are unwilling to follow best practices or don't care. The problem is that the IT pros that secure these environments aren't allowed to do their job.
When upper management thinks that computer management and security have no value and that security breaches cost less than security this kind of thing is inevitable.
I would agree. And it starts with taking over the user's machine. Once that happens, all bets are off if that user had access rights to the data by some machine. Whether the data (elsewhere) was stored encrypted or not doesn't even matter. If this person had such access it would have to include decrypting it by some means, and by that he would give the new owner of his machine full access to the data, too ... even if it wasn't on the same day he clicked the email. Both email reading and web browsing should never, ever, have any means to run any software on the machine. Ideally, people who do have such access should be doing that entirely on machines dedicated to that access which do nothing else (no mail reader, no web browser, etc.).
now we need to go OSS in diesel cars
it would be incumbent on the financial institutions to NOT use it as their primary means of ID for purposes of granting credit.
The laws must be changed to say that a Social Security number, by itself, proves nothing. It should not prove that a debt exists or that any other legally binding agreement was entered into by anyone. As long as businesses can get away with using the SSN as both an identifier and an authentication, which is how this whole "identity theft" nonsense got started in the first place, they will continue to do so. Therefore, the only viable solution is to render the Social Security Number legally worthless as proof of anything. They ought to be just numbers, nothing more.
What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?
Easy answer: SSNs. There is nothing wrong with using SSNs for identification. The problem is that we pretend like they are some sort of secret, and use them as authentication. That is stupid and it should be illegal for a financial institution to use them that way. People should be free to hand out their SSN, or even paint it on their mailbox, without fear of any consequences. We should just assume they are public knowledge.
I am not sure about the union part but it absolutely should have engineer type signoffs. Just like other things require a certified engineer to sign off on something (with legal consequences) but also prevents businesses from just going ahead and doing stuff anyways.
However to go along with this would be the required education and certification to actually do the work to make sure the signoff is correct. I doubt that many people actually understand the work you have to do to become a certified engineer.
At the very least you should have to pass a test like the FE exam and later the PE exam if you want that signoff capability for IT. You should have to take appropriate courses also. You would also have to get the laws changed so that operations required that signoff.
Computer modeling for biotech drug manufacturing is HARD!
It should say that the SSN is nothing more than identity (as if pointing at a person). It should specifically say that anyone (individual, business, or corporation) who assumes that an SSN is AUTHORIZATION shall be CRIMINALLY (as well as civilly) liable for having committed a crime of fraud upon the identified person.
Maybe, or maybe the guy that caused the project's costs to get overrun will answer to someone why he let it happen.
The central database itself does not need to be encrypted (doing so just means the decryption key has to be there, making the encryption pointless). It needs to be secured against any means of access that does not go through the process (locked building, restricted physical access to the data center, armed guards, no internet access to that whole room, etc.). Thieves should not be able to get in there at all.
But any data being stored outside needs to be encrypted, and have data compartmentalization on that. There should be no data usable by anyone that steals it. The access process itself should never let the data be outside of its control (it encrypts it if the data goes to storage ... or just prevents it from being stored). Such devices need to have encrypted swap, if any at all.
Also the server this application runs on is connected to the internet why?
So that users at home can log in and do business with the government from home.
I am not sure about the union part but it absolutely should have engineer type signoffs.
Most engineers in charge of building things that can hurt people if those things fail are required to prove their expertise and conform to both a professional code of conduct and civil codes that define a framework within which the engineer's work must be done. Information technology has no such thing, and as others have already observed, this allows bean-counters, PHBs, and frankly, IT "engineers" who lack the requisite expertise, to put systems in place that have nowhere near the proper level of security measures around those systems. We've seen a few attempts from various sectors (HIPAA, PCI, SOX) to force some standards and accountability on entities in those sectors, but it's a patchwork of bureaucratic noise that, most often, doesn't result in the desired level of security. The one partial exception is PCI. If you are a vendor large enough to fall into the "Level 1" category, your stuff must be reviewed regularly by a third party. That rule is enforced by the banks, whose money is at risk. They really don't give a rat's ass about card-holders.
And that is the problem. The SC Dept. of Revenue didn't have enough skin in the game to give a shit, so they didn't. That needs to change. If you're going to build things that can hurt people when they fail, be those things skyscrapers, bridges, airplanes, or information security systems, you should have to prove that you know what you are doing and have your work reviewed by someone else who knows what they're doing.
Using SSNs for identification is foolish as well. They are not guaranteed to be unique identifiers (multiple people are sometimes issued the same SSN by the government and a whole lot more use someone else's SSN illegally), and not everybody is guaranteed to have one.
The system as designed was perfectly fine, because they never planned on using it for ID. But it's still operating largely as it did when it was first implemented even though it's now an ID card, so there are some half-assed hacks being made to try and make it marginally more secure. The government needs to just make a national ID card and be done with it.