
Hackers Get Employee Records at Justice and Homeland Security Depts - pavornyoh
http://www.nytimes.com/2016/02/09/us/hackers-access-employee-records-at-justice-and-homeland-security-depts.html
======
niels_olson
> a social engineering breach, which could involve pulling personal
> information from social media and using it to determine passwords.

I don't understand how relatively low risk, high access-demand systems, like
common terminals in a hospital nurse's station, require CAC access yet high
security data, low access-demand systems, like personnel records, are
apparently accessible with a little Facebook snooping.

~~~
bsder
> low access-demand systems, like personnel records, are apparently accessible
> with a little Facebook snooping.

Precisely because of the low access-demand.

If you're accessing data every day, everybody remembers their password.

If you're accessing data once a quarter, you probably forget your password or
write it down. Or you need to have methods to retrieve it. And, after a couple
rounds of this, the person handling the password recovery gets annoyed and
doesn't do full diligence anymore.

~~~
dogma1138
Or just as likely "Hi I'm Jim from accounting I need to access "bla-bla" to
make sure the benefits are paid..."

Especially if you send it via a decently spoofed email/internal phone system
(if it comes from an internal extension no-one bats an eye) or, considering
this is the government, a fax might still be used somewhere.

Heck, with "faking" an email on your tablet/phone it's easy to get into a lot
of places by just showing it to the guy or gal at the reception; if it looks
like it came from someone inside and it's on your iPad it must be true
because iPads are magic.

