3.6 Million Tax Payers Records stolen
- Details
- Category: Breach and Disclosure
It was announced that the State of South Carolina had 3.6 million Tax Payer records including Social Security and 387,000 Credit Card information stolen. It seems, according to the article, that anyone who files a tax return since 1998 may want to continuously check their credit ratings to ensure that everything is safe. The State is also giving free a years worth of Identity Fraud. 1 free year! Wow! The depth of this could be far reaching due to lax security and they only give 1 free year?!
What stands out to me, is that there are only 3.6 million tax payers in South Carolina since 1998? That's an average of 257.143 tax payers per year ? So who is not paying their taxes in South Carolina ? But seriously, a breech of data and PII information is no laughing matter. Anyone, any organization, company or government is responsible for keeping data secure. Especially when it contains information that could directly effect your consumers, constituents, tax payers and population. Everyone should be diligent in ensuring that this information is protected. How can this be done with ever dwindling shrinking resources and funding? As CISO and ISO of your organizations point out the huge risks that are associated with this kind of breech. There are those that slough off the importance of this by purchasing Breech Insurance. I kid you not! There is now available, Breech Insurance to help protect organizations against the massive cost of handling these incidences. But are we getting lazy when this type of insurance is available ? Are we backing off on doing our due diligence of protecting our network and data because the insurance, "has our back" ?
There are dangers in this form of thinking and this type of insurance. When I first heard of this form of insurance about 3 years ago, I laughed and then quickly realized the dangers of this. Since the insurance is there to protect the investments, there will be those within management that deliberately cut back on security services. I've said it before and will continue saying it, "Security is an intangible asset that can only be measured after a breech". Since it is an intangible asset, how do you know what level of costs are and are not acceptable? How do you budget for something that is intangible? Everyone wants this or that technologies, but we all know a patchwork is not as effective as a strong cohesive defense. How can you budget and protect assets that many people are unaware of or don;t want to know about ?
Security in some cases will be degraded to a (sorry stealing a line from Ross Perot) "crazy aunt that no one wants to deal with"? The chicken little of business is what Security is degraded to when you opt for insurance that covers your back moreso than the technology that is available. We can protect your systems and data today. But IT security is always evolving because the bad guys don't sleep. How do you plan and protect against this, with insurance?
We as an industry needs to step back a little and re-evaluate the correct paths and directions instead of suggesting a patchwork of products. A cohesive plan that can evolve as threats do.
Stay safe, protect your ASSets !
Yahoo Voices Hacked, Change your Password!
- Details
- Category: Breach and Disclosure
Well again another giant hit with a simple SQL injection vulnerability. This time it seems that Yahoo Voices, formally known as "Associated Content" which Yahoo purchased and changed the name to Yahoo Voices. Before reading further, we strongly suggest that you CHANGE YOUR PASSWORD if you use this service!
We get a little complacent about changing our passwords periodically. While some large institutions employ a "change your password every "XX" days, a lot more just ignore this. They keep passwords forever because they just do not want to hear people screaming at them "I don't want this" or "I don't think it helps". It doesn't matter how loudly they scream, its a fundamental keystone to Cyber Security, changing your passwords periodically. In some instances people even reuse their usernames or email addresses across everything they touch on the Internet. Sounds dangerous? IT IS !! Let me explain why...
Say you use a password of "pa$$w0rd" on all of your accounts. Banking, GMAIL, YAHOO, credit cards, office, etc all using the same password. You never change this password because, you just don't want to exercise the grey matter between your ears to come up with a new password. One of these accounts, the parent company has been hacked and your email address or username with your password is now out in the public. Ok, so what? right ?
Well there are areas and software packages that can trace all of your footsteps and find out where you frequent, what sites, location, etc that you surf to or utilize on a regular basis. A simple search by a "bad guy" finds all of your sites you log into with the same username, email address and your password. NOW they have everything, your bank account, email access, etc. All because you allowed people to scream at you who are too lazy to secure their information by changing their password and NOT reusing passwords across the whole Internet. Or even reusing your email address or username on every site you log into. Now how do you feel when your boss or contacts gets a nasty email from you, your bank account has just transferred out all of your savings or all of your credit cards are cancelled because some malicious person decided that YOU didn't need them anymore.
This this does not happen ? Pull your head out of the sand!! It happens every day. This is just one form of Identity Theft. Masquerading as you to do whatever they want.
Ok, back to the SQL Injection vulnerability. How long has this vulnerability been around ? 10 years? More ? Yet the some of the most simple of Vulnerabilities are STILL doing damage out there. Why? We add on all sorts of gizmos, doodads and boxes to protect our network. In some instances all of these technologies CAUSE the problem by accidentally opening a hole. The more layers you put on, the more chance of an opening occurring. Or worse, multi-vendor solutions do not address everything you need and cause you to miss vulnerabilities or holes due to a false sense of security. Many people decide its a waste of time to continue to install Application Security measures OR even worse, hire in so called AppSec experts that are never as thorough as they should be.
Maybe 5 years ago, this software was checked by never periodically rechecked. I call it a slice in time vulnerability assessment. By todays standards, an application is secure, but tomorrow or in 3 months a new technique is discovered that CAN exploit a vulnerability that was once found secure.
One very important phrase to remember.... The bad guy never sleeps and is always replaced by more when they stop for a little bit. THEY NEVER STOP. So why does your security department stop ? Why do YOU stop changing passwords or stop reusing email addresses or reusing user names ? Why do YOU continue to make it easy for these sort of things to happen to you ?
Because we are all lazy and in some ways "set" in our ways or habits. We need to break this and focus on Security, not listen to the screamers. We need to be diligent and pro-active. Not re-active!
Stay safe, stop reusing email addresses as user names and using the same passwords!! Just remember to periodically change your password, maybe once a month!
6 Data breaches of 2012 or Can we come out of Panic Mode yet?
- Details
- Category: Breach and Disclosure
Dark reading has just posted an interesting article about the "6 Biggest Breaches of 2012, so far". First off, before you continue to read what I have to say, I suggest reading the article.
Ok, so you are back from reading the article, great!
What is the trend you are starting to see here ? Is there a trend ? what can YOU deduce from the following:
I'll get to my point on trend in a second. however, I want to talk about something that is a fact no matter how you look at it. Anyone that knows of me, knows of my philosophy that I push of "Security is an Intangible" fact. You can spend money on tangible items such as:
- Employees
- HealthCare
- Computer & Networking Equipment
- Office supplies
- Cell Phone and plans
- the list goes on and on and on.... ad nauseum.
You can touch or see the benefits of these items, aka, Tangible items. However you can not see or touch the benefits of Data, Infrastructure, or lump everything together into the term "Cyber Security". You can't realize how important it is until you have a catastrophic event occur.
You've heard the higher ups say "we are spending too much, we need to cut back" or even "we can't keep up with it, outsource it". this all works well if the Vendor you selected is above board on everything. But none really are. They all hide certain facts, especially if they can't handle it themselves.
When and if there is a Breach, then it's a full blown Panic Mode to patch and get the right things in place. Remember this one important fact. No one will stand behind the budget cuts they imposed when a Breach does occur.
Hmm, doesn't this resemble a "head in the sand" Management philosophy?
Side note, a vendor during the 20010 Black Hat Event in Las Vegas placed a perfect example of this. I wrote a small article on this here.
What are the right things when each vendor screams their product is better? Do you also realize that many "solutions" cause their own idiosyncratic problems ? "But we need something in place NOW!" Blank Checks are written to plug the hole in the dike with silly putty. There is no other words for it. Silly Putty.
Panic Mode is a killer and makes organizations do extremely rash and foolish things. See article here on Zappos response last year. Besides, it makes "experts" cringe.
Panic Mode can be described as:
The lack of ability to function in a normal capacity due to an event that triggers panic attacks.
Dictionary Dot Com labels Panic as:
Hooo boy, MySQL problem pops up.
- Details
- Category: Breach and Disclosure
Hoo Boy, a "comical" error leads to MySQL not verifying passwords and allowing access? Yes you read it correct.
It is predicted that well over 900,000, that's Nine Hundred Thousand databases/servers may be susceptible to a little password verification error.
Read the article here: tragically-comedic-flaw-gives-anyone-root-access-900000-internet-servers
The term "token" can be used as a reference to a memento of an event. Dictionary.com states it as 
Sophisticated Attack hits Pacific Northwest National Labs
- Details
- Category: Breach and Disclosure
It is now being reported that the Pacific Northwest National Labs (PNNL) was hit over the July 4th 2011 weekend by a sophisticated hacking attack.
Little is being said about this, but the attack seems to have crippled their network and infrastructure. They had to bring down all services to decipher what has happened. People have reported that the attack has caused their IT people to bring down their network and slowly rebuild it. Logical right ? The depth of services brought down is always an indication to the depth of the attack.
I noted one very interesting phrase in the article. It was reported that "Full access will only be restored once we are able to thoroughly diagnose what occurred and once we have added a security patch that will repel further attacks of this kind." Interesting phrase isn't it ?
Economy being what it is, many organizations have cut back on IT and/or Security departments. Physical equipment and the maintenance of these devices are increasingly being easier to maintain. Thus the need to "cut back"? Security is still that intangible department that some may say "can't justify their existence, we've never been attacked." However blind these words are, it is an integral part of any infrastructure to issue and update systems and software. I think it's called "patch management", isn't it ?
Security and infrastructure co-exist and must do so for any organization no matter how large or small, to survive. No one likes to be told or hear "we have to do this to ensure our data and networks are safe", because the eternal argument will be there's been no attack. How many organizations blindly hide behind this statement? Have they done risk assessments? Have they updated them ? Have they had professional Penetration Testers push their network and/or infrastructure? Do they listen to these findings? "We have no budget anymore", "we're safe because our hardware vendor told us we were". Hasn't anyone ever listened to the old adage "Trust but Verify"?
The more complex a network or infrastructure is, the more chance of a hole or multiple holes opening up. Nothing is ever 100% secure. The proof is in the vast amount of break-ins and hacker attacks that are hitting the news everyday.
Words of advice, listen to your experts, listen to your Security Department. They're not there to berate, but protect and double check things are as safe as they can be.
If you don't have a Security Department, maybe its time to listen to your internal experts ? Maybe its time to take these news events seriously?
It's a new wave out there of Cyber attacks. Either ride the wave to protect yourself or drown in the crashing of the waves.
