This is ridiculous and really only happens because the cost of securing your customer (or citizen) data is higher than the cost of losing control of it. If the cost of losing data to hacks was, say three times higher than the cost estimated to secure it, the problem would become much less common very quickly.
As it is, states and corporations externalize the costs of hacks to the victims of their incompetence. They have no reason to take opsec seriously because they aren't held liable in even the most egregious cases. Data should be a liability.
This is the crux of it, methinks. "Data is the new oil" has been a common refrain and as long as the externalities of poor security posture hygiene can be completely outsourced while these companies make mountains of cash by monetizing your every scrap of behavior, attention and information, this will only get worse as every entity seeks to hoard more information on you.
Keeping more data than absolutely necessary for critical business operations should be an existential threat for any entity. Those businesses built on this data ought to take Fort Knox level pains to secure it. Anything short of that and we will continue to exist in a society of deteriorating trust and social contract.
A framing I often use is, "Data is like holding uranium". It can be incredibly valuable, but also very dangerous. You should be very sure that the data you're holding is worth the cost of safely protecting it (a high cost), and if it is not, get rid of it.
Stripe is a good mental model here, I don't want a person's credit card data, I want to charge them for my product. I love storing a Stripe customer ID, if a hacker were to grab that table, I wouldn't lose (a lot) of sleep, they couldn't do much with it. If that table held credit card data...I would.
That farms out a lot of responsibility to Stripe, but for a side project, I don't have the time necessary to do as good of a job at it relative to Stripe.
I think GDPR was a great step in this direction, even with the annoying cookies popups. There's some states in the US with similar laws basically saying "it's legal for you to collect this data, but if you do you need to build systems for people to request all the data tied to them and for it to be deleted". Hopefully the next step would be to make data sharing opt-in, while it's somewhat limited it is really nice that iOS makes apps request access to different data.
I'm really curious how effective these are in practice if someone got logs or backups, but it at least gives people a path to know what data is there and remove the active copies.
We also need changes so that possession of identifying information is not sufficient to establish identity. That sounds like a tall order but clearly this information is leaking all over the place and just because someone has my identifying numbers and date of birth and mother's maiden name and signature and fingerprints and whatever else, should not be adequate to gain access to bank accounts or execute contracts and other legal agreements.
The hard part of this isn't that we don't know how to do it, it's that people don't like the consequences of it.
Your bank can give you a bank card with cryptographic keys in it and then you need the card to make a transaction. But then if you lose the card...
At which point we fall back to birth certificates and things because there's nothing else available. The alternative would be that if you lose your bank card, you lose your money. Which could be mitigated by e.g. having backup cards that you keep at home in a safe, but some people would lose those too, and what then?
Why would losing your bank card mean losing your money? The bank card would be there to establish identity when performing a transaction. Going to a branch in person with government-issued photo id would be the way to establish identity when generating a bank card. It’s a pain to do, but it only needs to be done for a new account or to revoke/replace a card.
By analogy, the cryptographic key on the bank card is a cross between a session token and a private key. Like a private key, it is never directly exposed for verification. Like a session token, it can be replaced.
At least walking into a bank with a fake birth certificate and other forged identity is not a form of impersonation that can be done remotely and at scale.
I think there are generally considered to be three classes of authentication methods:
- something you know, like a password
- something you have, like an RFID card
- something you "are", like a fingerprint
You can add multiple of these and choose from different categories to add security, but each time you do it also gets less convenient. You could require a birth certificate, DNA test, and social security number for any access to a bank account, but then it wouldn't really work as a checking or savings account, and if you lose your birth certificate you're locked out of your account.
Definitely worth considering the other side - when you need to access the account how much inconvenience and delay are you willing to put up with before you can? For a checking account it seems like people usually just want a single one of them - the debit card, account login, or face/fingerprint to authenticate
The common usage of this phrase isn't too inaccurate. Keep in mind what oil does to the environment, not just during spills but even in normal refining!
When oil is refined, it feeds energy consumption, which can have both positive and negative effects. When data is refined, it feeds AI, which can have both positive and negative effects.
When oil spills, it causes toxic damage to the environment. When data spills, it causes damage to society's individuals and the firms that should have kept the data secure.
It's not a perfect analogy, but there are some similarities.
Would be good to get a value on this liability onto a company’s balance sheet. This could be done as a value of risk, or a cost of insuring against data exposure (should be govt mandated to have insurance). If Lloyds can insure against weather and piracy then someone should be able to underwrite insurance against data breaches.
For government IT in particular, the cost of security is basically infinite because they aren't organizationally mature enough to do anything right. There's no way to make the cost of being hacked infinite; no court or legislature is going to order the DMV to be disbanded.
> There's no way to make the cost of being hacked infinite; no court or legislature is going to order the DMV to be disbanded
Disbanding the DMV doesn’t make the cost to any actor infinite (“DMV” is an abstraction, and state agencies are routinely created and destroyed, sometimes as political damage control due to IT scandals [0], but that’s not an infinite cost on anyone.)
In 1995 the California State Police were disbanded and their role was given to the California Highway Patrol.
The part of the DMV that performs driver testing isn't the part that loses all your data. It wouldn't be impossible to disband their IT department and give the role to some other government agency.
They could also just, you know, stop collecting it. Print your height and hair color etc. on your driver's license and don't store it anywhere else. Instead store a hash of it at the DMV with the salt stored on the license itself, so you can revalidate the license without being able to reconstitute it.
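An added example (not from the thread) of the scheme described in the comment above: the DMV stores only a salted hash of the printed attributes, the salt lives on the card itself, and verification recomputes the hash from whatever the card presents. The license id, the attribute names and the sample values are constructed for illustration.

```python
import hashlib
import hmac
import json
import os


def canonical(attrs: dict) -> bytes:
    # Stable serialization so the same fields always hash to the same digest
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()


def issue_license(license_id: str, attrs: dict, dmv_db: dict) -> dict:
    """Issue a card carrying the attributes and a fresh salt.

    The DMV database keeps only the digest: neither the attributes nor the
    salt are stored server-side, so a dump of dmv_db cannot be turned back
    into height / hair colour / date of birth.
    """
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + canonical(attrs)).hexdigest()
    dmv_db[license_id] = digest
    # What gets printed on the physical card (salt shown as hex)
    return {"id": license_id, "salt": salt.hex(), **attrs}


def verify_license(card: dict, dmv_db: dict) -> bool:
    """Revalidate a presented card against the DMV's digest table."""
    attrs = {k: v for k, v in card.items() if k not in ("id", "salt")}
    digest = hashlib.sha256(bytes.fromhex(card["salt"]) + canonical(attrs)).hexdigest()
    stored = dmv_db.get(card["id"])
    # Constant-time comparison; unknown ids simply fail
    return stored is not None and hmac.compare_digest(stored, digest)


if __name__ == "__main__":
    db = {}  # constructed stand-in for the DMV's digest table
    card = issue_license("LA-000001", {"height": "5-10", "hair": "BRN", "dob": "1990-01-01"}, db)
    print("genuine card verifies:", verify_license(card, db))
    forged = dict(card, hair="BLK")
    print("altered card verifies:", verify_license(forged, db))
    print("DMV table contents:", db)
```

Because the salt is 128 random bits and is absent from the database, an attacker holding only the digest table cannot brute-force the small space of plausible attribute values; an attacker holding one physical card already has that card's attributes in the clear, which is exactly the in-person-only exposure the comment argues for.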
The cost benefit calculation also includes the odds of being hacked. Enormous numbers of organizations are at risk but most survive by security by obscurity. Most are content to hope to remain obscure.
Especially since the cost of actual security is very high. You have to build it into every aspect of the system. It makes development cost an order of magnitude more and constrains usability... and you'll still never really be certain
When you take employees into account the cost becomes almost insurmountable. Keeping bank style security means tightly limiting access, making even simple operations more work.
That's not an excuse. That's a warning. We are at grave risk, and we need to completely reconsider how almost every piece of software is written. Competence is hard and expensive.
Exactly. Mandate financial compensation for any and all value derived from data that an individual creates, whether they opted in or not.
If YC ran banner ads and my comment is viewed on the same page as an ad, then I should receive some significant percentage of that ad revenue. If an ad is targeted to a customer on IG through an ad campaign, based on the user's data, then the user should get a significant percentage of that ad.
On Qubes OS even a zero-day would likely not be sufficient. It relies on hardware virtualization and runs everything in VMs. My daily driver, can't recommend it enough.
I can confidently tell you that your understanding of security mitigations is flawed. And I say that based on experience not just a baseless opinion. Silver bullets in security don't exist.
Let's say every moveit instance was run in a container in a vm and in a dmz (actually moveit transfer is usually deployed in a dmz, isolated from everything else). But the entire purpose of the software is to contain all these important files and expose them to authorized parties, basically a file server (even has sftp!). The threat actors in this case didn't even bother compromising the OS, they just got a session id as a result of abusing sqli and .net deserialization flaw and logged into the webui and downloaded the files. At no point could a vm have stopped any of this.
I said your understanding is flawed because your mindset is solution centric not data centric. If all an attacker cares about is access to your gmail, a qubes VM with strict selinux rules is useless if they get you to click on a link that exploits firefox to steal your gmail cookies, defeating any yubikey 2fa you may have.
You are too confident. First, Qubes does not use VMware. It uses Xen, which has far fewer vulnerabilities, most of which do not affect Qubes [0]. And none of them have led to arbitrary code execution in host since 2006, except maybe for VMs with PCI passthrough [1].
Also, Qubes does not trust the hardware emulation [2]. It keeps the trusted computing base as small as possible. Of course, the covert-channel attacks are still possible [3], but they are much weaker and can be mitigated through isolation. Qubes does not implement an ordinary copy-paste functionality; its implementation is much more secure, see [4,5].
Hardware-virtualized VMs without any devices attached are extremely hard to escape from or access for other VMs. I am not aware of any successful attempts in the last >10 years.
> qubes VM with strict selinux rules is useless if they get you to click on a link that exploits firefox to steal your gmail cookies
This is wrong, because clicking on a link in my email would open a browser in a dedicated, disposable VM. Any attachment would also open in a disposable VM.
Having said that, you are probably right that in this case Qubes itself would not help as the whole database had to be available online.
I'll just say that the entire point of zero-day is that you are not aware of it now and that zero-click attacks exist and also that while your selection of a product based on historical performance under scrutiny is valid, you cannot use that as evidence to claim an attack is not possible.
And again, you miss the whole point of zero-day, it is an unknown. You can create an attacker-hostile environment but you cannot make guarantees or claim a solution is best practice against an unknown/undefined.
As far as I am aware for example, spectre/meltdown or *-hammer attacks could have been used against your disposable vm to read your email vm's memory. There are also hardware attacks against radio controllers/chips that could be used to wirelessly dump memory without your interaction.
You know, I was just telling someone how I thought those scenes in movies where the hacker guy types really fast and hacks everything were silly when I started working in security. Now, I know that if he is just the guy buying/trading exploits and spent a lot of time automating stuff and setting up infra, it is indeed possible to make it all look so easy (but still, some movies/shows take it too far). Especially in government work, the guys using the tools are rarely the guys that develop them or maintain their infra. The guys who develop access might also be different from the guys who action objectives or work on exfil or shell management.
I do know what zero-days are. And I do not solely use the historical performance as evidence for strong security.
Did you ever think that such a good performance that Xen and Qubes have is not a mere coincidence? What if I tell you that it is not just pure luck? It just can't be luck statistically: in the Linux kernel, serious vulnerabilities are found all the time, whereas here they're extremely rare.
Let me tell you that it is actually a result of a good architecture. You know, in Xen, the trusted computing base, i.e., the code responsible for isolation and security is really small: it's of the order of 100k lines of code. In Linux it's millions of lines. Every code has bugs, it's unavoidable, but you simply can't have a similar number of bugs in 100k lines as in millions of lines. There are no "guarantees" here, just pure statistics.
In addition, Xen is very popular among big companies, so its code is constantly checked for bugs by the best people in the field. And zero-days in it are so expensive that you would not waste one on leaking personal data of people for no reason. Security is not about guarantees, it's about probabilities. And they are very small in Qubes, if you are not a big target. Even if you are, they are smaller than for any other system, thanks to the security-oriented design and reliance on compartmentalization.
Yes, Qubes is vulnerable to Spectre, Meltdown, *-hammer attacks. But it never attempted to protect the user against the hardware it runs on. It is physically impossible. Also, hardware attacks like these are exception, not the rule. And even they usually don't lead to VM escapes.
> Government IT is outsourced at prices that could pay top salaries
Mostly, it's not; a lot is not outsourced, and a lot that is is outsourced on personal services contracts at rates that even if there was no vendor overhead wouldn’t pay for a top-flight pay and benefits package.
I would guess the hack included data that's not included in those services. Licenses, for example, often come with an audit/validation number that allows for things like online change of address, useful for identity theft. And probably other data elements that are also sensitive (SSN, etc).
Why does the SSN have to be secret? Is that a legacy thing?
Or maybe a product of not everyone having ID?
Would the combo name + DOB + county of birth be equivalent as a unique identifier?
Just trying to get context, I also lived in a place where SSNs are not a big deal because they are not used to prove anything.
Unfortunately, and much to the detriment of the American people, many companies have been using SSN (or the last 4 digits, etc) as a password of sorts for decades. And with just a SSN + some other simple identifying information, an attacker could persuade a customer service representative to give them control of an account that is 'secured' in this way.
I know nothing about “MOVEit” but somehow I already know that they suck at the teat of government RFPs to the tune of hundreds of millions of dollars, using an awe inspiring host of buzzwords, to deliver a total cesspool of close-sourced software which is somehow entrusted to the most sensitive data the government handles.
And besides, why wouldn’t an unencrypted backup of the entire DMV database for the State of Louisiana be getting tossed around using such a program?
From my brief experience working at a similar company, calling the software they use closed-sourced is a bit of a reach. When I worked there, we almost exclusively used rebranded and slightly modified open source/freeware CMS systems. Actually the only software we sold that was completely developed in-house were testing/configuration tools or extremely simple and basically worthless LDAP auth based reporting programs that could only be used on-premise.
I can just imagine the buzzword filled sales pitch from one MBA with no tech experience to another MBA with no tech experience and them shaking hands afterwards and saying "excited to do business with you"
And they got promoted and now my private info is public and they'll never see an ounce of accountability.
I strongly recommend that you freeze your credit. It’s not the end all be all but it’s a good way to keep entities from applying for loans, credit cards or open accounts in your name. I don’t know what is the equivalent measure one can take outside of the US.
Why should I do a bunch of work jumping through corporate hoops, including having to assent to a heap of unconscionable legalese bullshit and whatnot, to help these organizations and their conspirators to not libel and attempt to defraud me?
I protect myself per what's legally obligated. For established accounts, that means checking transactions within the regulation E timeframes. For companies that I have no relationship with, that means responding to any notices I actually receive that falsely claim I'm doing business with them or the like. Beyond that, it is not my responsibility to help this terrible financial surveillance industry, which wouldn't even exist if it were up to me.
I don’t know about other countries, but freezing credit in Australia doesn’t really work.
To freeze your credit, you first have to produce your ID to companies such as Equifax which have been responsible for many data leaks. So you’re putting yourself at additional risk.
Secondly, anyone with a copy of your ID can just unfreeze your credit. So it’s basically useless.
In my opinion, freezing your credit is more of a nuclear option. It’s a bit of a pain to unfreeze your credit for valid credit applications or simple credit limit increase requests.
Also I think freezing also prevents soft credit pulls so automatic credit limit increases won’t be given or add an extra hassle of “unfreezing” to get the increase.
What I do is use those “free” credit monitoring services (ie, credit karma, credit sesame) and monitoring provided by some of my credit cards to get full coverage across all credit bureaus.
If any unrecognized application for credit comes through using my information, then I will immediately get notifications.
Otherwise, I just continue as normal. Request CLIs for my current cards and grow my available credit.
It is a giant pain. But freezing doesn't seem to prevent soft pulls, at least, I still see them on my reports.
However, in the past month, despite having frozen credit, someone managed to get a BofA checking account opened enough that I got emails about it, and had to spend a ton of time trying to get to the fraud department (I do have BofA credit cards, which I guess I should have gone through to get to fraud). They had already denied it, but sent me emails, I guess because of the existing accounts with that social.
Additionally, my spouse recently got a Square debit card mailed to her, in the (inaccurate) name of a local business. Again, very difficult to get ahold of the fraud department. Of course, someone rented a luxury apartment in her name in Oakland a couple years ago, and Oakland PD still hasn't called back, and literally nobody else cares; the management was responsive, but said they weren't even sure that they could evict, given COVID; I just hope the rooftop espresso bar is nice for the fraudster.
My company used to use MOVEit but got rid of it in 2017 because of security concerns. Alas our crappy outsourced HR company didn’t.
My understanding of this attack is that the company
1) didn’t have IP access controls to limit machines that can talk to the moveit manager
2) didn’t have SSL client certificates to prevent a machine from connecting without a valid certificate
Now, a SQL injection really isn’t good; it’s not hard to protect against, both by sanitising inputs and using prepared statements, but that’s why we have defence in depth.
My company certainly does. We use signiant to shift large files around; the API is bound on a non-routed network segment, with a client-certificate proxy to reach it.
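An added example, not from the thread, of the two defences the comment above names: a session-token lookup written with string concatenation next to the same lookup as a prepared statement, plus an allow-list check on the token's shape as a second layer. The table, the token values and the username column are constructed for illustration and do not describe any real product's schema.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for a file-transfer server's session table
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO sessions VALUES (?, ?)",
        [("tok-alice-1", "alice"), ("tok-bob-2", "bob")],
    )
    return conn


def user_for_token_vulnerable(conn: sqlite3.Connection, token: str):
    # The token is spliced into the SQL text, so quote characters in it
    # change the grammar of the query instead of being compared as data.
    query = f"SELECT username FROM sessions WHERE token = '{token}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def user_for_token_safe(conn: sqlite3.Connection, token: str):
    # Prepared statement: the driver binds the token as a value; a quote
    # inside it is just another character of the value being matched.
    row = conn.execute(
        "SELECT username FROM sessions WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


# Hypothetical token format: only letters, digits and hyphens, bounded length
TOKEN_RE = re.compile(r"[A-Za-z0-9-]{1,64}")


def user_for_token_hardened(conn: sqlite3.Connection, token: str):
    # Defence in depth: reject anything that is not shaped like a token
    # before it reaches the database, then still bind it as a parameter.
    if not TOKEN_RE.fullmatch(token):
        return None
    return user_for_token_safe(conn, token)


if __name__ == "__main__":
    conn = make_db()
    for t in ("tok-alice-1", "x' OR '1'='1"):
        print(repr(t), "safe ->", user_for_token_safe(conn, t),
              "hardened ->", user_for_token_hardened(conn, t))
    # The concatenated version treats the second value as SQL rather than data
    print("vulnerable ->", user_for_token_vulnerable(conn, "x' OR '1'='1"))
```

Run it and the prepared-statement lookup returns nothing for the quoted input while the concatenated one returns a user it should not have; the allow-list layer rejects the same input before any query runs, which is the kind of overlap the comment means by defence in depth.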
Which is what makes it even more annoying when someone decides “oh I can save a few bob by giving our employees private information to the lowest bidder as the cost won’t fall on my departments budget”
Too many finance companies depend on National ID number, date-of-birth and Driver's License numbers to verify the identities of applicants for bank accounts, loans, credit cards etc.
At this point, assume that all your personal information is out there. There are some steps you can take to make it a little more secure for yourself. In an ideal world, the fintechs and banks would protect you better, but we do not live in that world.
* If you are in the US, go to one of the credit bureau sites (Transunion/Experian/Equifax) and sign up for a fraud alert. You'll need to provide your current phone number and what this does is this: no fintech/bank is supposed to create an account or issue credit in your name unless they have verified the activity with this phone number.
* If you have previously been a victim of fraud, sign up on one of the aforementioned bureaus for an Extended Fraud Alert.
* Isolate your email tied to your finance accounts from regular email that you give out on website signups, doctors' offices, etc. Only your bank/brokerage needs to know that this email exists
* If you can afford to, pay to track leakage of this information on the dark web or password sharing forums
* Use a password manager
* Use 2FA on all your accounts and use an authenticator app if possible. It's not ideal but it's better than the SMS/email 2FA
* If your telecom provider supports it, ask them about how you can protect yourself from sim-swapping and porting. Add a PIN to your phone provider account if you can.
Wait, why should I take steps to prevent some random asshole defrauding a bank?
I am not the victim, nor a participant in fraud in that situation, the bank is. Maybe they should follow some steps and not give out money to randos that walk in and ask for it?
I get what you mean but sometimes it's really difficult for a bank to tell if it's really you or someone pretending to be you. Funnily enough, if we all "walked in" physically to a bank, it would be much easier for them to tell :). But now, they have to rely on phone numbers and emails and SSNs to tell them if it's really you. They don't have much of a choice - would you have any suggestions on what they could use?
Going to a branch physically is impractical these days - how many of us have even been to a branch that houses our brokerage or 401k accounts for instance? And so many mainstream Fintech apps like Stripe and Robinhood don't even have branches.
1. It's not my job to tell a bank how to not get defrauded. That's their problem.
2. If they are stupid enough to lend/send money to random people over the phone, that's their problem.
3. If they don't have enough branches open to support in-person services, which forces them to turn to over-the-phone work, that's their problem.
There's many other things they could do. Snail-mail identity confirmation, partnering with FedEx or another bank whomever to attest identity, etc, etc. It's not my problem if they are too cheap to operate branches, and too lazy to do any of those things, just like it's not my problem if you keep a chest of gold coins in your unlocked shed, and then go on to tell everyone about it!
Don't states already sell this info to private investigators? I guess this breach would include social security numbers but half the country as already had theirs leaked anyways.
The entire premise of "identity theft" is backwards. No one stole my identity, no they committed fraud against the bank.
In any other context fraud costs are borne by the victim of the fraud, i.e. it should be the bank. Only in "identity theft" do we allow a 3rd party of the fraud to be liable for the damages.
My UK equivalent (NI number), and usual things like DoB, Address etc leaked a couple of weeks ago thanks to my company outsourcing to layers of companies who seem to have transferred PI by sending to pastebin or something. (Same moveit thing)
My company just cries “it’s not our fault” when it clearly is. The larger problem here is that this bit of unchangeable data can be used not just to open lines of credit but do things like take student loans out.
Those loans are then automatically deducted from your salary and they won’t stop doing that even after you flag it. a private company can steal money from you after they cock up.
Aren't National Insurance numbers purely for state pension contributions? I don't think it's like what the USA SSN has been butchered as. When I was at college in the USA the SSN was used as your student ID and the prof printed them on attendance sheets each lecture and passed it around the room.
It’s used for various government and tax purposes. You can seemingly use it to apply for state benefits and then have them paid elsewhere, then get threatened with being arrested for fraud. Same with student loans. One person on a radio phone-in a couple of days ago had had both happen.
And then many of my employers use or used it as employee number (or last 4), and same passed an attendance sheet with my full name and last 4 of social around.
I can give up. Since so many third-parties continue to act as if these are "secret" (relying on them for "authentication") giving up does me no good.
I guess I can try to avoid doing business with companies who insist on using these "secrets". Sometimes I don't have a choice, though.
It would be wonderful to have ubiquitous PKI for every citizen in the United States. I don't trust private companies to do it. A large segment of the electorate would never trust the government to do it. (I like the idea of the USPS leveraging their tremendous physical presence and delivery infrastructure to do it, personally, but I think that would meet about the same level of opposition as the government doing it.)
I guess we'll just continue with this ridiculous charade of "secret" numbers, the silly idea of "identity theft", and most of the consequences applying to the individual.
This is the crux of the problem. IDs were never designed to be secret. In many countries it is required by law for hotels to take a copy of your passport. That’s fine, but what isn’t fine is when someone can use that copy to take out credit in your name. ID documents should only have power when produced in person. Having a copy of the data proves absolutely nothing and banks should not allow credit to be taken out with such weak verification, let alone make it the victim's fault for having their “identity stolen”.
The very same Louisiana that insists that age verification on websites is completely safe and reasonable? Shocking. Sadly, probably not the first such breach we'll see, though perhaps the least embarrassing.
The digital drivers license app LA Wallet that can be used to satisfy this has an ownership interest by/connections with the senator who passed that law
To clarify this was a supply chain compromise attack - several states and other governments were hit, not that it excuses blame from Louisiana but if anything is a testament to the issue of centralization.
They didn't mention if the attackers got photos too. If not this time, next time.
I believe the "identification by digital photograph" that is being rolled out at US airports (no longer need to show ID at some security checkpoints) is based on photographs shared by state-level driver's license/id card.
Increased roll-out of facial recognition technology probably increases the value of stealing headshots associated with other identity information.
I believe federal "RealID" requires states to maintain a database of digital photographs from identification documents. I think almost all states do that now.
I think the “photograph” at airports is more than that. You need to load your id onto your phone, take pictures of yourself, have them reviewed (not sure if this is automated or by a human), and be approved.
After that it’s a combination of your phone/watch plus your photo.
It’s not perfect, but it’s more than just comparing your photo to your drivers license photo.
The last time I flew, it was not all lines, but just one "experimental" line, and it was not something I opted in to or signed up for or supplied a photo or anything else for voluntarily -- everyone in this one line (which was just a "standard" line, not tsa-pre or what have you), you didn't have to show ID, you just had to show your boarding pass and then look into a camera until the guy said "good".
IRS.gov requires facial recognition to log in. I know because I tried yesterday and it wouldn't accept me (presumably because I had no beard in my ID photo).
The thing that irritates me is that New York sells its DMV data to the foreign company operating the private toll highway in Toronto. Giving even less data protection than some Canadian provinces that refuse data sharing.
Hope those in "minimal government" red states are looking forward to their porn-watcher registries eventually leaking. (No, this isn't hyperbole, go look it up)
Well, even in your "mention" there is no "mention" of your sourcing for this claim. Because they published a write up for the actual vuln, a simple web search does not cough up any such reports
You need ID to purchase alcohol and firearms, drive, police are obnoxious about asking for ID in any situation even if it's an unconstitutional request (that most people don't have the resources or even knowledge to deny/fight).
Let's hope these States and others that may be keeping these MOVEit breaches hidden issue new licenses for free.
My State used to use your SSN for its License ID, but they moved away from that over 20 years ago. Glad they did. BTW, as noted Oregon too, I am sure there are others.
Glad we are all on Real ID, that sure helped out the Russians a lot. But Real ID did nothing useful for me.