1.5 Million Verizon Customer Records Put Up For Sale (arstechnica.com)
An anonymous reader writes: A customer database as well as information about Verizon security flaws were reportedly put up for sale by criminals this week after a data breach at Verizon Enterprise Solutions. According to KrebsOnSecurity, "a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise." The entire database was priced at $100,000, or $10,000 for each set of 100,000 customer records. "Buyers also were offered the option to purchase information about security vulnerabilities in Verizon's Web site," security journalist Brian Krebs reported. Verizon has apparently fixed the security flaws and has reassured its customers by saying "our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers" and that "no customer proprietary network information (CPNI) or other data was accessed or accessible."
Is it time for companies to keep most customer records "near-line" instead of "online"?
Yes, this may mean having the company put you on hold for a minute or two while your record gets moved from "near line" to "online" when you call for help, but at least "massive" data breaches will be "less massive."
Question: What's another major advantage of keeping records "near-line" besides fewer victims?
Answer: You can keep track of how many records are being moved in any given period of time and quickly respond if the numbers become anomalous.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
That's a load of horse shit. My old F-150 had rust all over it, and it didn't do shit for my security.
Old cars are the only place rust adds credibility.
For the rust dweebs, every language is hackable as long as it's written poorly.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
There are three states:
- internet
- intranet
- offline
I'm guessing the parent post meant "intranet" but didn't know that word.
Phone companies just don't care. My ex went into T-Mobile and walked out with $406 worth of equipment, charging the whole thing to an equipment purchase installment plan. The only problem is, she gave them my phone number, and they charged it to my account! She even gave them her Oregon driver's license so they didn't charge her sales tax, but at no point did the friendly salesperson think to check that the name, address, and phone number listed at the top of the contract actually matched the name of the person who signed it! (They took it off my account and charged it to hers instead only when I complained in person.)
I've abandoned my search for truth; now I'm just looking for some useful delusions.
What I envisioned was an offline system that could retrieve data in a matter of minutes, with a "skinny pipe, heavily alarmed with independent monitoring equipment" system sitting between the offline storage system and the "main, online" system. "Skinny pipe" to make it physically impossible to do a wholesale data dump in a short period of time, and "heavily alarmed with independent monitoring equipment" so the alarms can't be hacked through normal means (they could be hacked by social engineering or perhaps by side-channel attacks, but the latter is hard and the former can be controlled by limiting access to a few well-trained, loyal individuals).
Essentially this is the computer equivalent of having a locked file-room with only 1 person allowed to access it, with several well-trained, highly-observant, loyal-to-the-company people watching that one person and raising an alarm any time that person's behavior was out-of-the-ordinary. That person would retrieve data from the locked file-room upon request and store changed files upon request, with all transactions logged for audit purposes.
The analogy breaks down since the "main, online" part of the computerized system would have to purge its copies of data after a short period of time - typically hours or days but in some use cases perhaps in seconds or, for that matter, weeks, and that capability isn't reflected in the analogy above.
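The "skinny pipe, heavily alarmed with independent monitoring" design from the post above, together with the earlier answer about counting records moved per period, as an added example that is not part of the original thread. It is a hypothetical sketch: the class names, the per-window cap, the baseline rate, the alarm factor and the online TTL are all assumptions, and the record store is a constructed sample.

```python
"""Added example: a near-line record gateway with a rate-capped pipe, an
independent audit-log monitor, and a self-purging online cache.
Hypothetical design; all names and numbers are assumptions."""
from collections import deque


class RateLimitExceeded(Exception):
    """Raised when a retrieval would exceed the skinny pipe's per-window cap."""


class NearLineGateway:
    """The only path from near-line storage to the online system.

    The cap is enforced here, so a wholesale dump is impossible in a short
    period. Every attempt, allowed or denied, is appended to an audit log that
    the monitor reads; the gateway never reads it back.
    """

    def __init__(self, store, max_per_window, window_seconds):
        self.store = store                    # record_id -> record
        self.max_per_window = max_per_window
        self.window = window_seconds
        self._recent = deque()                # timestamps of allowed retrievals
        self.audit_log = []                   # (timestamp, record_id, "OK"|"DENIED")

    def retrieve(self, record_id, now):
        # Drop timestamps that have aged out of the trailing window.
        while self._recent and now - self._recent[0] >= self.window:
            self._recent.popleft()
        if len(self._recent) >= self.max_per_window:
            self.audit_log.append((now, record_id, "DENIED"))
            raise RateLimitExceeded(f"cap of {self.max_per_window}/{self.window}s reached")
        self._recent.append(now)
        self.audit_log.append((now, record_id, "OK"))
        return self.store[record_id]


class IndependentMonitor:
    """Counts attempts (allowed and denied) in the trailing window and alarms
    when the count exceeds alarm_factor times the learned baseline. It shares
    nothing with the gateway except read access to the log, so a compromised
    gateway cannot silence it."""

    def __init__(self, audit_log, window_seconds, baseline_per_window, alarm_factor=3.0):
        self.log = audit_log
        self.window = window_seconds
        self.threshold = alarm_factor * baseline_per_window

    def attempts_in_window(self, now):
        return sum(1 for t, _, _ in self.log if 0 <= now - t < self.window)

    def alarm(self, now):
        return self.attempts_in_window(now) > self.threshold


class OnlineCache:
    """The online copy: records live here only for ttl_seconds, then are purged."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._entries = {}                    # record_id -> (stored_at, record)

    def put(self, record_id, record, now):
        self._entries[record_id] = (now, record)

    def purge(self, now):
        expired = [rid for rid, (t, _) in self._entries.items() if now - t >= self.ttl]
        for rid in expired:
            del self._entries[rid]
        return len(expired)

    def __len__(self):
        return len(self._entries)


def simulate():
    """Normal support traffic followed by a bulk-pull attempt."""
    # Constructed sample store: 1,000 fake records, not real customer data.
    store = {f"cust-{i}": {"id": i, "email": f"user{i}@example.com"} for i in range(1000)}
    gw = NearLineGateway(store, max_per_window=20, window_seconds=60)
    mon = IndependentMonitor(gw.audit_log, window_seconds=60, baseline_per_window=5)
    cache = OnlineCache(ttl_seconds=300)

    # Normal day: four lookups over 40 seconds, each copied online briefly.
    for i in range(4):
        t = i * 10.0
        cache.put(f"cust-{i}", gw.retrieve(f"cust-{i}", now=t), now=t)
    normal_alarm = mon.alarm(now=40.0)

    # Bulk pull: 100 retrievals in ten seconds, starting at t=1000.
    served = denied = 0
    for i in range(100):
        try:
            gw.retrieve(f"cust-{i}", now=1000.0 + i * 0.1)
            served += 1
        except RateLimitExceeded:
            denied += 1
    attack_alarm = mon.alarm(now=1010.0)
    purged = cache.purge(now=1000.0)   # the normal-period copies have aged out

    return {"normal_alarm": normal_alarm, "attack_alarm": attack_alarm,
            "served": served, "denied": denied, "purged": purged,
            "online_copies": len(cache)}


if __name__ == "__main__":
    print(simulate())
```

The cap bounds how much leaves near-line storage even if the alarm is ignored, and the monitor counts denied attempts too, since a burst of denials is a stronger signal than the handful of records that got through.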
Companies don't want to invest in actual security, though, as it costs them lots of money and usually makes a product less friendly.
"it costs them lots of money" vs "going bankrupt from the bad reputation and lawsuits resulting from multiple serious breaches" - which is going to happen sooner or later.
"product less friendly" may be a necessary inconvenience, much like having to lock your home when you go to work every day is a necessary inconvenience.
I have to wonder if the value and mostly anonymous nature of Bitcoins are enabling these kinds of deals. I'm not saying Bitcoin is necessarily evil, but I do have to wonder to myself, would these kinds of ransoms and/or sales of stolen data be as easily possible without Bitcoin?