|
Post by Boomzilla on Aug 2, 2023 0:07:11 GMT -5
I'm with you there... None of this information is really "secret". When I went to college my Social Security number was used for both my college ID number and my library card... This is obviously all information that would be found on a Driver's License... At one time, all of that information was "publicly available"... And it is still readily available today for pretty much anyone who works at the DMV... And I'm pretty sure you don't need Top Secret clearance to get hired by the DMV... (And can you imagine what it would cost to get a Driver's License or Car Registration if every employee at the DMV DID require security clearance?) I also distinctly recall what my original, official, government issue, Social Security card looked like... It was paper, with no picture, and big blue letters on the front stating "NOT TO BE USED FOR IDENTIFICATION". Therefore the problem is not that "your SSN isn't secure"... The PROBLEM is that some idiot decided to use your SSN, which was never intended to be secure, for something that it was never intended to be used for. And, to be fair, this was not a single lame-brained decision... it evolved over time... before anyone worried about security...and would now be very difficult to fix. Also, to be equally fair, whenever someone suggests creating a truly secure identity card or universal identity database, there is a huge outcry of objections AGAINST it, for various reasons. You might like the IDEA that all of the information the DMV has about you could actually be kept secure. HOWEVER you would not at all like the price tag associated with maintaining that level of security. (Implementing "real security" tends to be quite expensive.) Also, if I were to ask you casually, I suspect you would say that "you would want your bank account number and password to be totally secure"... But do you realize that, if your bank account really was TOTALLY secure, and you forgot your password, your money would be permanently lost? (The fact that there is a way to reset or override your password is a significant security weakness... because it offers a way for someone to access your account and steal your money.) There is actually a perfectly viable compromise... Where, if you lost your password, it would require three bank employees, acting together, to enact the override... That way no single employee would have to be trusted with the ability to access your account. But, of course, that would be a huge nuisance, so we don't bother... We live in a society that almost totally "runs" on information... And, if we REALLY handled that information SECURELY, it would all come to a screeching halt... You can think about it another way... If the customers of the Louisiana DMV actually could sue the DMV for their security lapse... WHO WOULD THEY BE SUING? (Any funds required to pay the settlement would inevitably end up coming out of either taxes... or next year's license and registration fees.) (And, if the DMV outsourced their security, and considered the company they hired to be liable for being sloppy, their only alternative will be to hire a more expensive company to "do it right".) I should also point out that, because security is actually difficult, and is rarely the top priority, data breaches like this are EXTREMELY common. And the frequent victims include medical institutions, banks, stores, credit card processing companies, and government agencies and organizations... (Data breaches and hacks simply usually don't make the news beyond the security industry.) Therefore you should ALWAYS be at least somewhat "on the alert" for suspicious activity on things like bank accounts and credit cards.
Massive data hack is only massive if you give a rat's ass about it. Now I’m gonna go wash my car.
You’ve offered a stale bunch of red herring, KeithL. Data integrity IS feasible with existing technology. A combination of third party authentication (sending a one-time login code to my phone) combined with biometric verification (fingerprint scan, for example) makes hacking too bothersome for hackers to bother with. If I lose my cell phone, a visit to my bank allows them to restore my accounts to me by verifying my photo and fingerprint. And at that time, they’d require me to scan a new and different finger. Punishments for data loss must include prison time for all responsible. Until personal liability becomes mandatory, those responsible for data security will never take their work with sufficient gravity. Seems excessive? Count the true cost of data loss. The DMV of the State of Louisiana is now offering one free year of Norton Security Lock to any citizen whose data is likely to have been compromised. It isn’t NEARLY enough.
|
|
|
Post by monkumonku on Aug 2, 2023 9:58:40 GMT -5
Nothing is foolproof. True, in most cases the third-party authentication combined with biometric verification makes hacking too bothersome for most hackers, but it depends on what can be gained from the hacking. For people like you and me, it's not worth the trouble since whatever things of value they may gain from us are not worth the time and effort. But we read about breaches of security for places that ought to be top-secret and it's because the hackers keep figuring out how to get around whatever security is placed. Another issue is people complaining about how bothersome it is to do the steps put in place to enhance security. What percentage of people actually use passwords that are strong? I bet the vast majority still use their own or some significant other's birthdates or addresses, and other familiar things as passwords. Then many complain about biometrics because maybe the fingerprint scan doesn't seem to be working. Or, just like it is so much trouble setting up the VCR, it is too much trouble dealing with all these security measures. So their complaints influence the degree of security. In addition to that, biometrics and all these other measures become increasingly invasive in terms of privacy. I hear what you're saying and all companies should take security extremely seriously but nothing is foolproof.
|
|
|
Post by 405x5 on Aug 2, 2023 10:16:08 GMT -5
|
|
|
Post by Boomzilla on Aug 2, 2023 10:21:33 GMT -5
Depends on the convenience, certainly - I use the Keychain app on my Mac & iPhone that automatically generates strong passwords for everything. I use a fingerprint reader (built into my keyboard) that double-checks biometric data.
For serious security, I'd assume that multiple people would all have to log in with biometric confirmation? There's a data farm here in Baton Rouge. To enter the facility, you come down a hall with cameras. If the tech doesn't recognize you, all doors automatically lock until the tech finds out who you are and what your business is. If you're approved to visit, an authorized employee comes out and his handprint is scanned (while the tech watches on the camera). If the system recognizes his handprint, you leave the hall and enter a "cage" with bulletproof glass. At that point, the authorized employee has to give a signal to the tech that he's not under duress. If the tech doesn't get that day's signal, all doors lock, and both the authorized employee and you are stuck in the cage until police arrive. If you leave the cage with the authorized employee, two security guards search both of you and if you have no cameras or weapons, you can enter the least-secure part of the facility. Server banks with confidential information (hospitals with HIPAA info, Government servers, etc.) are in sealed metal cages. Not even the employees of the data farm can access those servers physically. They can spray fire extinguishers through the cage if a server catches fire, but still can't touch the equipment. The servers are backed up in real time to two other "mirror sites" in different locations (other States / Countries). If your server crashes here, you'll never know it. The other servers take up instantly.
The last flood we had here, there were diesel trucks scheduled to refresh the generator tanks at the server farm. The State Police intercepted the trucks and appropriated the fuel. After the incident, the Server Farm then discussed the situation with Homeland Security and HS agreed that in any future emergency they would supply armed guards to escort the fuel trucks to the Data Farm...
The Data Farm monitors access to ALL servers in their building. Any unauthorized intrusion or unusual traffic creates alarms. Access is interrupted until the potential cyber-intruder is identified and verified.
Even small businesses can afford to use the data farm. When New Orleans flooded after Hurricane Katrina, the Data Farm set up customer shelters in their building that allowed families to move in and stay until they could find alternate lodging. In this way, they kept the businesses of their customers open and online despite their physical locations being flooded.
In these days & times, GOOD security is NOT that expensive or that intrusive. Want to protect your life savings using the password consisting of your birthday and the name of your family pet? Go right ahead. But the potential consequences are on YOU.
|
|
KeithL
Administrator
Posts: 10,261
|
Post by KeithL on Aug 2, 2023 15:07:40 GMT -5
I'm afraid that, when it comes to security in the real world, my "stale bunch of red herring" is the ACTUAL situation. The best security we have available today is complex, expensive, and inconvenient... and it still is not perfect... I don't disagree at all that better security is quite possible to achieve using current technology. But there are several problems there... First is the simple fact that, in our current world, convenience ALWAYS trumps good security. That's the reason why, with every bank I know of, you can reset your password by clicking on a button, instead of making a trip to your local branch. I should also point out that these days many banks don't even have local branches... And, of the ones that do, most probably keep stuff like pictures and fingerprints in an online database anyway... And, yes, two-factor authentication is better... but how much better depends on how it is implemented. Physical hardware tokens are much more secure - but nobody wants another gadget to carry around - when they already bring their phone with them everywhere. And third party authentication works great - until someone hacks that third party's security - at which point they get "all the keys". Second, some data is subject to "more responsibility and accountability"... For example, medical records are subject to HIPAA regulations... And HIPAA regulations include both detailed security requirements and substantial penalties when they are violated... (And you can bet that you are paying for that extra security, and the occasional penalties for violating it, every time you pay a medical bill.) (It's also worth pointing out that security lapses and data breaches at institutions under HIPAA regulations are still not at all uncommon.) What happened in Louisiana was that the LA DMV was using a relatively popular commercial program to transfer and access data. 
The same program was used, and "trusted", by thousands of companies, organizations, and even one or two national governments. And "some hackers" broke into the system by taking advantage of a previously unknown security flaw in that software. Do you honestly believe that the Louisiana DMV had the ability, or the budget, to purchase "better security"? (There are simply limits in terms of how much money and effort can be expended on security.) Also, to be quite blunt.... If you look at the information involved... none of it is what I would consider especially private... It was merely the sort of information found on your Driver's License... Which is not itself considered to be an especially private document. (You may be surprised exactly how many people have access to that information.) The real issue, as I see it, is how much we have come to expect, and rely on, "information being kept private"...
|
|
|
Post by Boomzilla on Aug 2, 2023 15:46:36 GMT -5
...What happened in Louisiana was that the LA DMV was using a relatively popular commercial program to transfer and access data. The same program was used, and "trusted", by thousands of companies, organizations, and even one or two national governments. And "some hackers" broke into the system by taking advantage of a previously unknown security flaw in that software. Do you honestly believe that the Louisiana DMV had the ability, or the budget, to purchase "better security"? (There are simply limits in terms of how much money and effort can be expended on security.)...
Any company large enough to sell database software to "thousands of companies, organizations, and even one or two national governments" owes it to their clients to offer better data security. What are they selling? A MS Access database?
Your arguments, KeithL are (and yes, I'm putting words in your mouth, but not very many):
1. Data security is hard and expensive
2. The data being protected isn't really important and is probably available already from multiple other sources
3. Since the users (in this case, the LA DMV) can't afford good data security, it isn't feasible
4. People whose data is stolen should quit griping about it
I can agree with point one, but I strongly disagree with the rest. The software vendor holds primary responsibility for data security. If they can't guarantee that, then they shouldn't be allowed to sell their software. The software vendor should be required to maintain liability insurance equal to the value of the data that their software is being used to handle. The INSURER would then force the vendor to make the software robust enough to repel hacks. THIS would work!
|
|
|
Post by KeithL on Aug 2, 2023 16:00:22 GMT -5
I do feel obligated to point out again that there is no such thing as perfect security. For example, the LA DMV was able to be hacked because of a flaw in the commercial data transfer software they chose to use. You, and a lot of other folks, are placing similar trust in the security on your Apple products, and on the Keychain app you use. (How certain are you that they are both "more secure" than the program the LA DMV was using?) It's also worth pointing out that most current biometric data solutions are not especially reliable on their own. That fingerprint reader on your phone would prevent a random person who found your phone from using it... As you say, it "double checks you", but it does not provide very strong security against a targeted attack. If someone specifically stole your phone, and knew what they were doing, it wouldn't be very difficult to bypass the fingerprint scanner. And, if you use something like a fingerprint scanner to log in remotely, there are a lot of weak points between the scanner and the server... It sounds like your data center has pretty good security... Although, of course, a lot of trust is being placed on "the trusted tech", who seems to have a lot of access... And, even if those automated fire extinguishers go off, and the cage stays locked, at some point someone is going to have to come in to do the repairs. There's also something else I can't resist pointing out... since my background is in both security and, long before that, in network load balancers. re "If your server crashes here, you'll never know it. The other servers take up instantly." (I worked for a company called HydraWeb... who sold load balancing hardware to Reuters and many of the Fortune 500 banks... back when that was "cutting edge technology".) (The ability to replicate data at multiple locations, then access it as necessary, falls under the general aegis of "backup and load balancing".) 
While that is an excellent reliability feature (ensuring that the data remains accessible)... it is also a significant complication in terms of security.
1. It means that multiple copies of your data are stored at multiple locations. (So now you must be concerned with the security at ALL of those storage locations... as well as the security of the transport between them.)
2. It also means that the load balancer that switches between servers in the event of an outage has considerable "access" to all of those servers. (If someone is able to compromise the security of the load balancer they may then be able to use its access to access the data on all of the servers.)
Having duplicate data, stored on multiple servers, mediated by one or more load balancers, makes the system more reliable... But, at the same time, it multiplies the number of places in which a single tiny error in configuration may enable someone to "hack into the system"...
|
|
|
Post by marcl on Aug 2, 2023 16:07:18 GMT -5
And ....
6 years ago the second largest pharmaceutical company in the world was hit with a malware attack that was so fast it got all the way to the replicated servers all over the world before they could shut everything down. Poof! Whole systems and datasets lost. I got there a year later and they were still rebuilding software systems. p.s. they fired the CIO. Took them a year and a half to find someone else to take the job. He lasted a year and quit.
|
|
|
Post by KeithL on Aug 2, 2023 16:18:07 GMT -5
I don't specifically disagree... The catch is in the details. Many software vendors simply will NOT "guarantee that their product is perfect"... In fact many have specific disclaimers to the contrary... (Go read the fine print on virtually ANY product that you own or use.) HOWEVER.... as for your suggestion that ... "The software vendor should be required to maintain liability insurance equal to the value of the data". I would assert that, based on current public opinion on the subject, the parties involved HAVE "adequately compensated the victims for the damage they have suffered". It seems that they offered the victims a free one-year subscription to Norton Lifelock ... And that subscription is the equivalent of "purchasing insurance against possible damage for the victims caused by their data being exposed". I'm pretty sure that, if this were to get anywhere near a lawsuit, that would be held to be "adequate compensation for the risk incurred by the victims". (And, considering that it's virtually impossible to sue a government agency anyway, I'd say they were lucky to get that.)
|
|
|
Post by Boomzilla on Aug 2, 2023 16:24:42 GMT -5
Nothing is perfect. But data security SHOULD be improving logarithmically. This is the age of AI. If AI isn't being used to SECURE data, then it'll certainly be used to HACK it.
The "trusted tech" at the data center is a team of three employees all of whom have to "vote" that they've been given the OK by both the visitor log and the employee in the cage. The pair of armed security guards on the server floor are supervised by another in the control center.
A VPN is continuously monitored (both by electronic means and by the teams at all three data centers). Not that it means anything, but to date, the data center has never been hacked (although they've prevented thousands of attempts).
To the best of my knowledge, Apple's Keychain has never been hacked.
|
|
KeithL
Administrator
Posts: 10,261
|
Post by KeithL on Aug 2, 2023 16:34:04 GMT -5
I DO have an interesting question for you... How would you feel if, in fact, the software WAS robust enough to do its job perfectly... But it failed because the company who bought and used it missed a critical setting... Clearly spelled out at the bottom of page 497 of the configuration manual... (Which, of course, they were instructed to read carefully, and fully understand, before setting up and enabling the software.) If you think I'm being hyperbolic here then you've never seen the manuals for a big Cisco router. (Many of those have whole shelves full of manuals... all of which contain crucial details... many of which could conceivably lead to awful problems if overlooked.) I think you really do underestimate the complexity of the things we're talking about.
|
|
KeithL
Administrator
Posts: 10,261
|
Post by KeithL on Aug 2, 2023 17:05:02 GMT -5
I'm afraid I still have to disagree with you about one major point. The software vendor is partly responsible for security... BUT THE END USER ALSO SHARES PART OF THE RESPONSIBILITY... In this particular case there was apparently a lapse in the security of the data transport software. (And I do not blame the end users in this particular case... beyond the basic fact that customers never want to pay more for better security.) HOWEVER, the fact remains that most users are NOT willing to pay the price, in terms of lost convenience, for proper security. For example, one way for any DMV to provide better security is simple... require all renewals to be done in person. This would eliminate all of the security risks associated with Internet access. Oh, and your bank, no more online transfers... We'll go back to doing all banking in person... And, if the teller on duty doesn't know you personally, any other teller will be required to pull your fingerprint card and check it. (And, of course, that means that you'll only be able to bank at your home branch.) And you can forget that nice password app... All passwords must be created manually... and may not be stored on any electronic device... My guess is that you would NOT be willing to give up all that convenience for "real good security"...
|
|
KeithL
Administrator
Posts: 10,261
|
Post by KeithL on Aug 3, 2023 10:32:36 GMT -5
Hmmmmm..... could be.... (Most people do seem to agree that using Apple's Keychain is better than not using it... as long as you are still careful.)
thehackernews.com/2023/03/new-macstealer-macos-malware-steals.html
www.bleepingcomputer.com/news/security/new-macstealer-macos-malware-steals-passwords-from-icloud-keychain/
www.cnet.com/news/privacy/keysteal-exploit-attacks-macos-keychain-to-take-all-your-passwords/
www.the-sun.com/tech/7050083/iphone-icloud-keychain-warning-how-passkeys/
And, yes, AI is already being used BOTH to improve security and to improve attacks against it. I should also take this opportunity to address a few common myths about VPNs... A VPN provides a secure link between two devices (which can be between a client and a server, between two servers, or something else). And a properly configured VPN generally cannot easily be "hacked into" - in the sense that "you cannot get at data inside the tunnel from outside". Unless, of course, someone has found a flaw in the VPN software, or in your browser or the server's software. (Also note that, in terms of security alone, an ordinary HTTPS connection offers similar benefits.) And, because of this, VPNs and HTTPS connections are rarely compromised that way. Instead they are usually compromised using some variation of something called "a man-in-the-middle attack". To offer an example... You think you've established a secure connection to your bank, but the hacker has "tricked" your browser, possibly using some little piece of malware... Instead of a secure connection to your bank, when you entered your bank's web address, what you got instead was a secure connection TO THE HACKER'S COMPUTER. At that point he can simply pretend to be your bank, ask you for your password, then "hang up" once he has it... Or, if he chooses to, he can establish a connection to your bank, using your password, and pretending to be you, and relay what you do back and forth. (He is now "the-man-in-the middle"...
you think you're talking to your bank... and your bank thinks you're talking directly to them... but HE gets to see everything you and your bank say to each other.) Of course various measures are employed by everyone involved to make this difficult or impossible to do... And, of course, hackers continually try diligently to find flaws in these countermeasures... In the case of your data center... I suggested that having multiple locations was a security weakness. If I were able to compromise one of the load balancers that routes traffic between those locations... I would then be able to intercept the connection coming from one location - and "move the connection from THEIR other location to MY location". And, again, they have measures in place to make this difficult, and hackers make a business of finding flaws in those security measures. But it's sort of like the problem with leaks on submarines... a very tiny leak can become a major problem very quickly. And, unlike water dripping from a hole in a submarine, the first thing hackers often do is to install special software to "hide the leak". Also, not to be smarmy, but you should be the first one to agree with my slight correction... That data center has never ADMITTED that they've been hacked... due to any fault of theirs... at least AS FAR AS THEY KNOW... I'm NOT just being smarmy there... Most of the major data breaches you read about in the news have been ongoing for days, or even MONTHS, before being discovered. So it's only reasonable to assume that there are a few ongoing right now that haven't been discovered yet. And, with all of the liability and embarrassment involved, there's a lot of incentive NOT to admit, or even to outright cover up, suspected or "patched" leaks. (That's why standards like HIPAA include penalties for poor security... and really big penalties for getting caught covering up or failing to report them.) 
In fact, one of the most profitable and rapidly growing "business areas" for hackers is "ransomware"... With some ransomware the victim's data is garbled or encrypted and the hacker offers to sell them "a key to recover their data"... (One local police department admitted to paying a ransom to regain access to their fingerprint files...) But, in other cases, the hacker merely promises, in return for being paid the ransom, to NOT release or post sensitive data that they've stolen. ("Pay us or we'll embarrass you by posting a list of your customers, their home addresses, and their credit card numbers".) (And, while many victims ADMIT to having paid a ransom, we must assume that many prefer NOT to publicly admit that their security was compromised.) This is a huge, current, ongoing problem... And it is costing a lot of companies a lot of money... So it's not like "nobody cares about security"... And, if there was an easy solution, they would be doing it... However, to be fair, I would HOPE that your bank is doing more to protect your password than the DMV is doing to protect your exact weight and eye color...
|
|
|
Post by LuisV on Aug 3, 2023 13:40:37 GMT -5
Do what you can to protect yourself... use 2 factor authentication (2FA) where available and look into Yubikeys. They are a hardware based 2FA solution... well worth it.
|
|
KeithL
Administrator
Posts: 10,261
|
Post by KeithL on Aug 3, 2023 14:45:44 GMT -5
I think this post actually requires a concise simple answer... Data security IS improving logarithmically... But the skills exhibited by the best hackers out there are also improving at a similar pace... And, as systems become more complicated, and more interconnected, the attack surface available for hackers to attack is also increasing. As a simple example... That Apple Keychain may be carefully designed and reasonably secure... But it was still designed by human beings... and relies on the security of other software also designed by human beings... (It relies on the security of other software modules in your iPhone to protect IT from being attacked.) And that Apple Keychain offers "a rich prize" for the hacker who figures out how to get past it...
|
|
|
Post by Boomzilla on Aug 3, 2023 21:35:11 GMT -5
For situations where the legitimate data OWNER has responsibility for their own data security (logging into an account, for example), then YES the data owner shares data security responsibility.
But in the case of the LA DMV, the data owner is totally innocent. The entire responsibility for data security is shared between the software provider and the software user. No matter how you try to twist it, the victim has suffered real harm in terms of potential identity theft, possible credit card fraud, etc. A year of free Norton is grossly insufficient compensation.
Until data loss is criminalized for software suppliers and purchasers with penalties commensurate with the value of the data, data loss will continue to be widespread. Fact.
There is NO EXCUSE for data loss.
|
|
|
Post by 405x5 on Aug 4, 2023 7:18:34 GMT -5
“But in the case of the LA DMV, the data owner is totally innocent. The entire responsibility for data security is shared”
A PERFECT and totally secure Department of Motor Vehicles 🚗!! Now, THAT would be one for the books!
|
|
KeithL
Administrator
Posts: 10,261
|
Post by KeithL on Aug 4, 2023 16:46:37 GMT -5
Data THEFT is in fact criminalized - FOR THE CRIMINALS WHO STEAL DATA. If the criminals who stole that data are ever identified, captured, and returned to a relevant jurisdiction, they will face heavy fines and serious jail time. HOWEVER, let's assume that your home was robbed... And it turned out that the thieves had entered by exploiting a known weakness in your door lock... (Almost all of the door locks found on homes these days can easily be opened by using a $5 "bump key".) The THIEVES would be subject to substantial penalties for their crime. But I cannot imagine that anyone would consider the company who made the $25 lock on your front door to be "liable for the value of everything that was stolen"? (Their product worked reasonably well... and it was your choice not to purchase a more secure, but far more expensive, door lock.) I would suggest that this situation is analogous to that one... The DMV chose to use "a well known commercial product" based on the assumption that "it would provide a reasonable level of security". They chose a product that was intended for "typical business use" and was considered to be sufficient for that purpose. And the data they were securing was NOT considered to be sensitive enough to be protected by a strong standard like HIPAA. According to all the reports the data theft was done via a previously unknown weakness in the code. (The situation would be different if the company had been aware of the weakness but had failed to fix it or notify the customers using it... but that was not the case.) Also, contrary to what you assert, there is in fact a significant difference between REAL harm and POTENTIAL harm... So far, as far as we know, none of the "victims" has suffered any REAL harm. The subscription to Norton Lifelock is essentially insurance against data theft (in the same way that homeowners insurance protects you from home theft).
This means that it is directly analogous to providing medical insurance, or the promise of medical coverage, to workers exposed to a POTENTIALLY dangerous chemical. I must also point out that you are hyperbolically exaggerating the value and danger of the data that was stolen. Compared to the sort of data protected by standards like HIPAA the data held by the DMV is NOT considered to be especially sensitive... If you really find this situation troublesome... Then you might try asking your bank how THEY secure your data... for example when you log into their website. (Although I very much doubt that you will receive a meaningful answer.)
|
|
|
Post by Boomzilla on Aug 4, 2023 16:59:34 GMT -5
So you’re saying that investors have their life savings protected by $5 security (and NOT insured by FDIC or anyone else)?
|
|
KeithL
Administrator
Posts: 10,261
|
Post by KeithL on Aug 4, 2023 17:00:12 GMT -5
|
|