My health insurance provider was hacked, and I had to chuckle when I read this line from their letter:
On August 5, 2015, we learned that cyber attackers had executed a sophisticated attack to gain unauthorized access to our Information Technology (IT) systems. Our investigation further revealed that the initial attack occurred on December 23, 2013.
I may not be quite as sophisticated as these attackers, but if it takes you two years to find an attack that, according to local media reports, affected every single customer, then perhaps there was a corresponding lack of sophistication on the part of the health insurer.
My general, admittedly crude, view is that armoring up your IT organization is expensive and businesses will avoid that expense until successful cyber attacks are viewed as career-ending events for C-level execs above the CIO/CTO. Even better: if standard golden parachute contracts had a clause making them void if a successful cyber attack happened on the C-level’s watch.
Srv
I agree, this kind of thing needs to be an impeachable offense.
Trump’s popularity proves Americans have not given up on government accountability.
Ohio Mom
Remember when it was reported that Aetna was hacked? Neither my husband nor I thought much of it because although we once had Aetna as our insurer, we’d switched over to UHC I don’t know, five or six years ago at the least — way before the hacking was reported.
Then we discovered last spring that someone had our information and was using it to file a false federal tax return. The source of this ID theft: our long ago, and mostly forgotten, relationship with Aetna.
Right to Rise
NEW POLL: Jeb surging-Trump, Carson falling.
http://www.realclearpolitics.com/epolls/2016/president/us/2016_republican_presidential_nomination-3823.html
Oatler.
It’s in times of trouble that you learn that your provider is in fact a Corporation. “Due to an abnormally high volume of callers, your call has been …”
WereBear
When any consequences devolve upon any corporation anywhere, things will change. If not, not.
This is as good a time as any to point out that if you are paying for disability insurance, your chances of actually being able to use it are about 40%. Cases abound of the blind being told they can go into telephone sales, the mentally ill told they have medication so get back to work, and those with “invisible” illnesses, like autoimmune disorders, told flat out they are lying.
If, like Mr WereBear, one fights their way through the maze and forces them to acknowledge a disability, they shift tactics to tricking you into signing backdated or otherwise rigged documents, so they have an excuse to cut off benefits.
It’s the sickest of games, played on the sickest of our population.
Eric U.
@Right to Rise: huh, I see some falling off of Carson and Trump, but in my world, “stuck at 7.8” is not properly described as “surging”
PhoenixRising
Org charts, much as they are derided, show that the C-level is a level in most of the rent-extraction schemes we call ‘health insurers’. However, you’ve got a point.
What will it take to advance data security to typically succeed, not typically fail, at resisting skilled attackers? I like your ideas. Maybe BOD liability passes through to them personally if they failed to adequately fund security?
Because you nailed it: Executives (even the CIO/CTO, often) and directors see IT as a cost center they have to control. It’s really the heart of everything they do, from claims processing to member discounts at the local gym to…
Villago Delenda Est
DING DING DING DING DING
In modern corporate terms, “fiduciary responsibility” means guarding your own potential bonus at all costs.
Villago Delenda Est
@Right to Rise: Jeb Bush is dogshit.
As are you.
Snoopy
Ha.
Ha-ha-ha-ha-ha-ha-ha.
Sorry to laugh…you must be new to this country.
redshirt
Large companies are all vulnerable. Many small companies too, but they have a better chance of actually deploying proper security.
WaterGirl
If corporations are people, then why don’t the corporations go to jail when they commit crimes or at the very least are guilty of depraved indifference?
RSA
For what it’s worth, I have the same view, as someone who talks with computer security people all the time.
I think there’s another condition, too, for improvement: Businesses and individuals have to realize that building good software is much more expensive (in time, skill, experience, personnel, etc., not just cash) than it may seem. A friend used to work at the Software Engineering Institute at Carnegie Mellon, and long ago he told me about the software engineering practices in place for manned space flights, where the costs were about ten times what they were in industry, because lives were at stake.
esc
My husband works in IT for a very large company that may well have your credit card information. His job is basically to make sure the subcontractors are really doing what they are supposed to be doing and not leaving ways into the system, so the company passes various inspections.
He is the first person to ever have this job at this international company, he’s only been there for about a year, and the only way his boss could initially sell the decision makers on getting someone like him was to tell them it was a temporary thing to clear out the 15,000 or so item backlog. I’m actually shocked major breaches don’t happen more frequently.
Tommy
@RSA: Good software is expensive to be done right. My experience working for corporate America is firms don’t want to pay for it. Then they are surprised when shit goes haywire.
Mike J
It’s not the expense. You can’t add security. You have to build it in from the ground up. NO company in the world is going to throw away decades worth of systems just to protect a bunch of puny customers. Where are they going to go? Everybody else sucks just as much.
Villago Delenda Est
@Tommy: Of course they don’t want to pay for it. It gets in the way of sacred profit, of sacred bonuses.
The entire focus of modern corporate America is on short term profit.
WereBear
@WaterGirl: That is the door the Supreme Court opened and makes sure will be shut when needed.
Tommy
@esc: Years ago I had an info security firm as a client. The founder was kind of the top, top of his field. Wrote the software for the first firewall among other things. He would never name names but did consulting work for many of the major banks and Wall Street firms. Said they were all hacked and we just never know about it.
DLew On Roids
@redshirt:
It’s the other way around. Small companies don’t have the resources to build SOCs and sophisticated IT systems that could detect and counter intrusion attempts. Large corporations can also afford to spend cash to implement best practices in security (e.g., protecting each IT asset, like a server or laptop with continuous monitoring and filtering, or using virtual desktops that limit the intellectual property that reaches the wild).
There really is no excuse for a large corporation not to be spending major resources developing secure IT. But almost everyone has been hacked at this point. The question is whether they know it and have admitted it, are lying about it, or are too clueless to know.
ruemara
@WaterGirl: corporations are the right kind of people, not those kind of people.
Villago Delenda Est
@DLew On Roids: “Shareholder value” trumps everything, and “shareholder value” is based on what the shareholders could get for their shares at yesterday’s closing bell.
BR
@WaterGirl:
Yeah — that’s the best remedy to the problems of corporate personhood I’ve seen suggested elsewhere. The equivalent of “jail” for a corporation is something like government receivership, time when you lose your freedom to do what you want and to earn a living independent of the government. All stockholders are wiped out, all profits are taken by the government, and management is booted and replaced by government appointed managers. Once the equivalent number of years of a prison term is completed, the company would then be re-privatized.
The threat of that happening would keep shareholders on their toes, and in turn, management.
Amir Khalid
@Right to Rise:
Like I said in the last thread — not that I was expecting it to register with you — The Donald has over three times Jeb’s support, and Dr Carson more than twice. Jeb is still way, way behind them; he has been such a lacklustre candidate that one must fear for his chances of ever catching up.
justawriter
I would like to see a Congresscritter propose that corporate crime be punished by issuing stock to the government instead of cash fines. Fiduciary responsibility, which I maintain is the Nuremberg defense of the 21st Century, requires corporations to break the law as long as the profits generated exceed potential fines. Getting stock, which is then dumped on the market, permanently dilutes the profits of the investors, who will then be motivated to dump directors and CEOs who are costing them money. Fiduciary responsibility will then motivate corporations to obey the law.
Baud
They somehow figured out our password was “password.”
Tommy
@Baud: LOL. I read a report that in fact people using password as password was at the top of the list. I think the second was 1234.
PhoenixRising
@Tommy: ‘Admin123’ is 8 characters, uses a capital letter and numbers, and no character is repeated. Meets specs for most ‘security’ code.
scav
Statistical noise is apparently a sign of life, and doing better (even at random background static) than even R2R was really expecting must be that vaunted “surge”. I somehow keep thinking of the dead salmon that won an Ig Nobel (in a manner of speaking).
Baud
@Tommy: @PhoenixRising:
Password requirements are getting too long. Now some places want 12 characters.
WereBear
@Baud: As someone who at times enjoys, and at others has been forced by circumstances, to exert mental effort, I really don’t understand people who. just. won’t.
redshirt
@DLew On Roids: I’ve been a CIO at both large and small companies, so I’ve seen both sides. Large companies certainly have resources, but they also have innumerable legacy systems that make it very difficult to implement proper security. The federal government seems to be the best/worst example of this.
Many, many small companies have no idea. However, I’m referring to tech start-ups and the like who are starting from scratch, and they have the potential to implement proper security from the get-go. I’ve done it myself a couple of times.
redshirt
@Tommy: There are so many manufacturer default passwords that never get changed.
Here’s something for the hackers: Shoretel phone systems almost always have a password of “changeme”.
Tommy
@Baud: Clearly I don’t work for this firm but go get LastPass. Free for most unless you have a ton of password/logins. It has a password generator. I couldn’t live without it and the passwords it gives I’d never recall in a lifetime.
Mike J
@Baud: Every character you add makes cracking take ~50 times longer. When an attacker can run a password cracker on a graphics card and have thousands of cores all chugging away, you need every edge you can get.
Passwords alone are doomed. Google offers two factor auth, which everyone should use. But even it isn’t perfect.
amk
when do we get to have a cage fight between the trump troll and the dumbya 3.0 dumbshit?
Gimlet
@Tommy:
You can count on it being top-notch when it’s run by the NSA.
Tommy
@redshirt: Yes I am sure. Now I have never been a CIO. Tech is something I taught myself. I have to defer to you. I like to joke I know what I don’t know. Ask questions when you don’t know. So how do we secure companies?
redshirt
@Tommy: Implement the best security protocols recommended by the experts, train your staff, re-train your staff, and then prepare to deal with consequences.
The weakest part of any system is the users, and it shall always be so.
MattF
Yeah, security is hard, harder than just software– which is hard enough– the results are debatable, and usually not directly related to your business, unless you’re a financial institution. The struggle will continue.
Baud
@Tommy:
I’ll be honest, I’ve never gotten around to trusting the online password managers.
Baud
@Mike J:
I think longer passwords means more people will write them down, thus defeating the security benefits.
redshirt
@Baud: I don’t either. Anything centralized can be hacked in one swoop.
Never trust the Cloud.
MattF
@Baud: A few months ago I had trouble logging in to a new account– the problem turned out to be that the password I used was too long. I was not pleased.
redshirt
@Baud:
Literally. The more complex the password requirements, the more stickies on monitors with the passwords written out. As a result, I often softened the time period required to change passwords. If forced to change passwords every month, for example, people will quickly give up and just write them out on stickies. I settled on a 6 month change, emergencies excepted.
There’s a median level that creates enough password complexity without making it impossible to remember. Usually a required Cap and a number/symbol.
Tip! A great way to create a complex password that is easy to remember is to abbreviate a sentence, then insert a number. Example: “The grey fox runs fast at dusk.”
Tgf1rfad.
That’s a complex enough password that theoretically is easy to remember.
Baud
@redshirt:
My password is easy to remember: Baud!2016!
Tommy
@redshirt: Then when you have like 100 passwords, what do you do? I ask because I get dozens of login details from clients. I want to be as secure as possible. Not a single one of my clients has been hacked, but if that happened it would be a worst-case situation.
equs_1776
@PhoenixRising: Yup. If the explosion doesn’t go beyond the containment building, it didn’t happen.
redshirt
@Baud: You should never have your user name in your password.
redshirt
@Tommy:
Someone’s probably going to hammer me, but I create an excel spreadsheet with tabs for all the clients with their user names and passwords. Name the file something innocuous (septsales.xlsx) and save it somewhere out of the ordinary (program files?). Encrypt the file and password protect it with your “root” password.
Baud
@redshirt:
My user name is “password.”
Botsplainer
My passwords tend to consist of words, places, events and numbers with meaning to me, but with some random throwoff digits and capitalizations with odd placements of symbols. A hacker would have to know a shitload about me and my thought processes to even start, and even so, would fail miserably.
Baud
@redshirt:
I do something similar.
redshirt
Also, people, if you have personal information in your email address, stop using that email address and create a new one.
[email protected] gives me your last name and year of your birth. Too easy.
BD of MN
@redshirt:
Remember the Target data breach? Target spent a ton of money on an incredibly sophisticated security system, which was sounding all sorts of alarms. They ignored it….
sukabi
@Eric U.: to a lot of men 7.8″ IS surging.
redshirt
@BD of MN: I got a dream job that almost let me implement all of my security dreams.
In researching this, I studied/interviewed an MIT startup (25 employees) and every single computer was a VM and every single one of them was erased at midnight then re-installed, with the data of course being saved elsewhere. Really good security as it daily wipes out the inevitable security breaches caused by users goofing off.
Steeplejack
Here’s a password question for the security mavens:
Assuming that one has a good password—20 characters, say, with a capital and a few numbers in there (and is that a good password?)—how awful would it be to use that same password for various on-line sites? I’m wondering about the trade-off between the difficulty of cracking a good password vs. once that’s been done the perps could open many doors, not just one.
As my passwords have proliferated, I have taken to noting them in a (password-protected) Word file on my computer, which is another vulnerability. (Yes, I know Word’s password protection sucks.) So I have been wondering if I would be better off with one really good password committed to memory.
ruemara
@Botsplainer: This is what I do too, but I also use a PW manager. There’s too many passwords to remember.
BR
@Steeplejack:
A decent option is to use the PwdHash addon with your good password — you press F2 before typing your password and it generates a new site-specific password based on it.
Amir Khalid
@Botsplainer:
A hacker who was specifically targeting devices used by you (sometimes it does happen) would have done his research and looked up all that personal information about you.
redshirt
@Steeplejack: Think about the real world logistical links between accounts and passwords. For example, if someone hacks your email, will they be able to identify your online bank accounts and then hack them using the same credentials?
Having a complex master password that you can remember is good; I’d recommend using variations of it at different places, specifically those places that can be linked.
redshirt
@BR: The absolute best passwords are those generated by real time security devices. But those are generally not available to users except for specific functions – corporate VPN, corporate banking, etc.
Ruckus
@Villago Delenda Est:
Sometimes the obvious does need to be stated.
MattF
@Steeplejack: The short answer is no. You should have a ‘family’ of passwords, differing by a few (i.e., more than two) characters. This lets you change your password(s) in a less-than excruciatingly painful fashion.
BR
@redshirt:
Agreed. That’s why PwdHash is a good substitute. You only have to remember your one (good) password, and it will hash that with the domain name to generate one that’s site-specific. I use this for all website passwords.
CONGRATULATIONS!
@Mike J: IT security is my living. This is the problem. If it wasn’t built in, I can’t save you. I can at best slow them down.
Nobody is going to rebuild the systems they’ve been using for decades.
Steeplejack
@BR:
The problem is not generating passwords, it is recalling them later when I go back to a site. Once a month I log in at the cable company, the power company and the cell-phone provider to pay my bills, and I almost always have to look up the relevant password in my Word file just because I log in only once a month.
WereBear
I’m very fond of Password Wallet, a great app that keeps all this sorted.
Because I have a few good passwords, but one site won’t allow shifted top of the keyboard, another demands at least three capitalized letters, and so forth.
Steeplejack
@BR:
So does PwdHash “generate” the same site-specific password when I return to that site whenever I need to log in?
Anoniminous
Having system hardware that isn’t designed by idiots would also help.
BR
@Steeplejack:
Exactly — that’s why I find PwdHash useful. Here’s the process for using it:
1. (only one time) Think of a good long password.
2. (only one time) Install the add-on (the Chrome one is a bit better)
3. Go to some website that has a password field
4. Click in the password field, press F2, and type your password
5. After you move to another field, Pwdhash replaces the password you typed with a site-specific password (that stays the same every time you use the same master password on the same site)
You never have to remember anything other than the one password this way — Pwdhash replaces it for you. The only thing you have to be careful of is to not type your password without using Pwdhash first.
BR
@Steeplejack:
Yup. You can try it out at pwdhash.com to see how it works. Type some random password in the box, and the url of the website you want it to generate a password for, and it’ll show you the site-specific password it generates in the add-on.
Mike E
@WereBear: A good friend inadvertently mangled a Yiddish word, which is my go-to password that I’ve spelled using num6er5 and punctu@t!on
Anoniminous
@CONGRATULATIONS!:
So I take it you are a real fan of Bring Your Own Device to work.
:-)
Villago Delenda Est
@redshirt: I HATE “The Cloud”. What “The Cloud” means is SOMEONE ELSE’S COMPUTER which you have NO control over.
Disaster waiting to happen, yet again thanks to marketdroids.
Steeplejack
@redshirt:
This is the crux of it. I think there are very few sites where someone breaking my password could hurt me, and the threat is almost always that they could access my credit card info that I use for payment. And there might be one site (power company) where the payment info leads directly to my bank account.
My credit card and bank account are the chokepoint. I have occasion to look at those at least every few days, so problems from whatever source would be detected fairly quickly. And the bank has automated alerts for dodgy-looking events.
Villago Delenda Est
@sukabi: ISWYDT.
Steeplejack
@BR:
Okay, got it. Is the list of generated passwords saved on my computer or on PwdHash’s website? In other words, if a meteor hits and kills my computer, am I screwed? But if PwdHash is saving the list, then if someone hacks them I’m screwed.
I don’t expect you to answer all this in painstaking detail. I’ll take a look at PwdHash. I’m just letting my mind run over all the potential problems. What if I’m not on my computer and I need to log into a site from my phone? Stuff like that.
Ruckus
I use random numbers and letters that mean nothing to anyone. For me remembering them is not a problem, but some day it just might be. So I write them down. Not in the computer, of course. And I store that somewhere innocuous. If you can find that sheet you are way too close, and hacking is the least of my worries.
Schlemazel
IT security is a topic near and dear to my heart. I have been working in this field for more than 25 years. I was away when this got posted and it’s late now, but there is a lot to talk about.
redshirt
@Steeplejack: I’d just keep a paper list in my home desk as an ultimate backup. Who’s gonna hack your home desk? If it’s an asteroid, I doubt passwords will be a concern.
I should note I’m curmudgeonly.
PurpleGirl
@Ruckus: A friend had one of his credit cards used fraudulently. He was contacted by NYPD about it. (It was part of an extensive scam NYPD had broken.) He told them that only one person besides himself and his wife knew where the cards were kept or could have used the card number. (That one person being me.) The cops said something about was he sure I wouldn’t have used the card, he told them “she’s known it for years, and if I can’t trust her, I have more problems than one card use.” (He also told them I wouldn’t have bought a fancy man’s watch… he knew what I tended to buy.)
redshirt
Credit card fraud should not be a real concern for anyone. If you get fraudulent charges, the CC companies are generally good about covering your losses.
Think about how insecure it used to be to use your credit card at a restaurant. They do that carbon copy and then put the charges in later that night. All the while your credit card number, name, and expiration date are just sitting there on a piece of paper for anyone to see.
Steeplejack
This thread just reminded me that last week I got one of those scam phone calls from the “Geek Squad” saying there was a problem with my computer and Microsoft had authorized them to fix it for me. The connection was bad and the caller was a heavily accented male. At first I couldn’t believe what I was hearing, and then I felt sort of excited that I was in the game! I played dumb and old—not a stretch—to draw out the time, and when the guy finally asked me to log onto my computer I said, “Can’t you do it from there?” At that point he must have wised up, because he erupted into profanity and cursed me for wasting his fucking time! I told him, “Fuck you, too!” and hung up. Great feeling of accomplishment.
BubbaDave
A security talk I attended at OSCON this year featured this nugget:
“You can buy credit card numbers off the darknet at 10 cents apiece, number and expiration date. So as developers, if you’re securing credit cards, you don’t need to make them uncrackable– just uncrackable without spending more than $0.10 in time/power.”
Steeplejack
@redshirt:
This has been a very useful thread, and it has gotten me thinking about a lot of this stuff. The fact is that I don’t think I’m very vulnerable, not because I’m extremely secure but because I don’t have that much stuff to protect. It’s basically the bank account and the credit card. Short of someone taking down the whole bank, they have automatic alerts when something odd happens in my account (which can occasionally be a nuisance), and, as you said, the credit-card issuers are pretty good about reversing fraudulent charges.
If someone hacks into my power company account, what are they going to do—order more electricity? Same with the cable company or Verizon Wireless. The only real threat is getting my payment information, which all comes back around to the bank.
There is the possibility that if someone got enough of my personal information (SSN, personal details, etc.) they could open accounts in my name, etc., but that wouldn’t be stopped by my password(s) anyway.
WereBear
@Steeplejack: That’s the problem with hacking your healthcare company; a lot of that is stuff that can be used by banks and credit card companies.
Citizen Alan
Every time I read an article about a major corporation being hacked, I think about the britcom “The IT Crowd,” in which the head of a major corporation is so ignorant about IT that he appoints as his Head of IT a woman who lied on her resume, does not actually know what IT is an acronym for, and pronounces computer as COMputer. Oh, and her staff, as a joke, gives her a box with a little blinking light and successfully persuades her that it is literally the entire Internet and if she drops it and breaks it, it will destroy the world.
Ruckus
@redshirt:
Worse is when your card is taken away and returned by the server. They now have your number and your signature. It doesn’t take very many dishonest people in this chain to steal from you. Happened to a friend, he now refuses to have his card out of his possession. For places where the server takes the bill to the register, he pays cash.
Do remember that when there is a fraudulent charge on your card the merchant pays. Not the cc company or the bank. The merchant. The bank/cc co thing is as the merchant, you took a bad card or a bad check, not our fault. It’s important to report any problem to your cc company right away to get a stop on the account so that the card is declined. And if you think that companies don’t take this loss into account when pricing goods……. So we all pay for the theft.
BR
@Steeplejack:
Pwdhash doesn’t store anything — it’s completely algorithmic. It just generates it on the fly.
redshirt
@Steeplejack: Identity theft is the real concern. That can fuck up so much. A stolen credit card number is extremely minor in comparison.
That’s why using Social Security numbers for identification purposes is so dangerous. No security system should even consider using SS numbers.
WaterGirl
@ruemara: Corporations aren’t just people, they are white. And rich. And they get tax credits, not handouts.
WaterGirl
@BR: That works for me. Accountability, people! It shouldn’t just be for the little guys.
Renie
@Right to Rise: Shouldn’t you be doing homework? Tomorrow’s a school day. Your book report is probably due.
LongHairedWeirdo
@DLew On Roids:
I don’t say what is *truth*. But, a large company is more likely to have a dozen DBAs for 400 database instances, and a small company is more likely to have one or two DBAs for 10-20 database instances, and each one is responsible for “their” database servers.
I would trust someone to be *able* to give love to “their” servers to make them secure if they have 10 database installations.
I would also trust a large company to be *able* to implement universal rules that either treated all databases as highly secure, or that classified them and had policies in place to make sure security best practices were in place, even though they don’t “own” any and are responsible for 3-4x as many servers per capita.
But *both* would be vulnerable to the correct type of attacker. And remember, social engineering is almost always the weak spot in security.
J R in WV
The last place I worked, I ran the development side at the end of my career, and since I had been there when the DBs were designed, I did a lot of data access/reporting. We provided tons of data to, well anyone who asked, mostly. We had a great Oracle DBA who managed the DBs, and I think the network guys were ok too. It was hard to be sure, they were so secretive.
Then not long ago I ran into a former co-worker who I always got along well with. The former great DBA was now the manager, replaced my boss. So I imagine their security is as superior as can be. Except for the users who don’t understand that “password” is not a good password. Even if you capitalize the P AND the W.
redshirt
The best report I ever ran was for Ned Johnson and his top lawyer and it was personally requested. To be 24 and have a report request from the 3rd richest man in the world (at the time) was titillating. I nailed that graph FYI.
Barry
@Right to Rise: “NEW POLL: Jeb surging-Trump, Carson falling.”
I’ve said it before, and I’ll say it again – the Klown Kycle has started. Each whackjob will get their month in the spotlight, until it’s clear just how bad he/she is.
Barry
@redshirt: “Someone’s probably going to hammer me, but I create an excel spreadsheet with tabs for all the clients with their user names and passwords. Name the file something innocuous (septsales.xlsx) and save it somewhere out of the ordinary (program files?). Encrypt the file and password protect it with your “root” password.”
Or get a small notebook, and write them down. Use a cryptic abbreviation for the site name.
People would have to physically possess that notebook.
JustRuss
I know security specialists in their early 20s making six figures. In an age where offshoring IT to India for pennies on the dollar is SOP, no surprise that corporations hate paying what it takes for decent IT security.