Hacker News

This level of negligence should be criminal.


The software industry is full of should-be-criminal forms of negligence.

Things are already horrendously bad. Basically every American's identity could be stolen at this point. If any nation state or other actor decided to operationalize any of the big leaks -- e.g. OPM or EquiFax -- the ramifications would be catastrophic. Imagine millions of people losing their retirement accounts and all their savings. Even if you could correct everything -- and that's a big if -- the process might take years and the intervening panic would be deafening. The amount of anger might even elicit a hot response.

To say nothing of more serious vulnerabilities. We really dodged a bullet on the pipeline ransomware.

I'm morbidly curious how bad of a "Cyber 9/11" we'll need before software starts being taken seriously as an engineering field in which practitioners have professional responsibility.


I would assume that a few nation state actors have already hoovered up all that leaked information and have it implemented in a system that is ready to steal identities, drain accounts, and otherwise wreak havoc on a large scale. They are just waiting for the higher ups to pull the trigger if and when they decide to deploy it.


Yes. I'd be astounded if multiple such attacks aren't ready to deploy. At least 6? Maybe as many as 12. What it's waiting for is a desperate enough actor or a weak enough moment. Russia and China learned from Japan and ISIS et al learned from bin Laden -- divide, don't unite.

But eventually there will be a sufficiently naive actor and/or a sufficiently weak moment.

The tragedy, of course, is that all we have to do is address the totally and completely obvious problem. It wouldn't even be that hard. But we won't. Last 4 of SSN is still enough to transfer a SIM even with explicit direction otherwise, and transferring a SIM is still enough to drain a bank account even with explicit direction otherwise.


Prepare for failure. A good rule, though a painful one, is: the more income tied to an account, the greater the difficulty to move the income. I'm too tired to list best practices but for example: Set up canaries, daily emails from your account just for the peace of mind that your email is the primary communication for the account. Biggest assets should take time and multiple steps to transfer or cash out. Know your account managers and be able to contact them directly.


Hi, I hope this doesn't come across as me not respecting your tiredness but could you link or anything to best practices if you don't have the energy to write it out yourself?


Well, I will try. First, I was commenting on my interpretation of the parent comment: identity theft, and protecting savings and retirement accounts.

Be inquisitive and aware. I think you have this covered by reading Hacker News and having an interest in the subject. I enjoyed reading Slashdot (while it was good) before switching to Hacker News, but it's also been a vital ongoing education for me. Comments often have more value than the original article. Being knowledgeable of security risks and common exploits helps prevent falling victim to them.

https://hn.algolia.com/?q=identity+theft

https://www.newyorksecuritieslawyersblog.com/my-money-was-st... Good read on how someone lost their account.

Steps for securing accounts. Confirm that you are notified of email address changes. Confirm that you are notified of any transactions on the account. Set up a canary if possible. I set up an email alert on a common event. So, basically, I get an email from the company daily, and this confirms that my email address has not been changed. If you are certain you will be contacted if your email address changes then this is not necessary, as the email change notification acts as the warning. Have the email and phone of an account representative that you can contact if there is a problem with the account.

That should be all that is necessary. Now, the day comes: someone has changed your email address. Maybe they even did some transactions. Stay calm, stay professional. Contact your account representative and notify them of the problem. Be able to identify yourself; call from a phone number associated with the account (or previously associated). Be able to answer security questions. The account representative should be able to freeze the account and resolve any issues. If you're satisfied with the phone call, great. If you're in any way nervous about the resolution, then create a paper trail: send a letter that documents the issue and your attempts to resolve it.

A quick disclaimer, I'm not an expert. Adjust anything to fit your own needs.


Would you mind clarifying what a canary is? I understand it is referencing the idea of a canary in a coal mine but what does that look like in this context? Other than having a separate account to which you transfer most of your funds so you can't get robbed at gunpoint and be forced to transfer someone your money I'm drawing a blank here - sorry.


A canary is a safeguard against dangers. In my example, the daily emails from my investment account are my canary. When I stop getting emails, I know there's a problem.

I cannot remember the details, but one of my favorite canaries was a website that had a paragraph that basically stated we have not been compromised in the past 24 hours. It had a timer that had to be reset daily or the paragraph would disappear from the website.
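The "absence of the daily email is the alarm" idea from the comments above, written out as an added example (not code from any commenter). It treats a list of constructed notification records as the inbox, flags every expected canary sender that has gone quiet for longer than its allowed age, and separately surfaces explicit email-change notices, which are a warning in their own right rather than a canary. Sender addresses, subjects and timestamps are all made up.

```python
from datetime import datetime, timedelta

# Constructed inbox sample (not from the thread): (received_at UTC, sender, subject).
# "brokerage" sends its daily summary on schedule, "bank" has gone silent after day 1,
# and "card" reports a contact-email change, which is an explicit warning.
NOTIFICATIONS = [
    ("2024-05-01T08:00:00", "alerts@brokerage.example", "Daily balance summary"),
    ("2024-05-02T08:01:00", "alerts@brokerage.example", "Daily balance summary"),
    ("2024-05-03T08:00:30", "alerts@brokerage.example", "Daily balance summary"),
    ("2024-05-01T09:00:00", "noreply@bank.example", "Daily account activity"),
    ("2024-05-03T12:00:00", "security@card.example", "Your contact email address was changed"),
]

# Senders that are expected to emit a daily canary, and how stale is too stale.
# 36 hours leaves slack for a late send without missing a second consecutive day.
CANARIES = {
    "alerts@brokerage.example": timedelta(hours=36),
    "noreply@bank.example": timedelta(hours=36),
}

# Subject fragments that mean "your primary contact on this account was changed".
EMAIL_CHANGE_MARKERS = ("email address was changed", "email changed")


def check_canaries(notifications, canaries, now):
    """Return {'overdue': {sender: last_seen_or_None}, 'warnings': [(sender, subject)]}.

    A canary is overdue when its sender has never been seen or its newest message
    is older than the allowed age; silence, not a message, is the signal.
    """
    last_seen = {}
    warnings = []
    for received_at, sender, subject in notifications:
        ts = datetime.fromisoformat(received_at)
        if sender in canaries:
            last_seen[sender] = max(ts, last_seen.get(sender, ts))
        if any(marker in subject.lower() for marker in EMAIL_CHANGE_MARKERS):
            warnings.append((sender, subject))
    overdue = {}
    for sender, max_age in canaries.items():
        seen = last_seen.get(sender)
        if seen is None or now - seen > max_age:
            overdue[sender] = seen
    return {"overdue": overdue, "warnings": warnings}


if __name__ == "__main__":
    print(check_canaries(NOTIFICATIONS, CANARIES, datetime(2024, 5, 4, 10, 0, 0)))
```

Running it against the sample reports the bank canary as overdue (last seen three days earlier) and the card email-change notice as a warning, while the brokerage canary is healthy.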


I really like that term “Cyber 9/11”. Is that something you made up or is that a term people use describing a bad attack?


Thanks, but I can't take credit :) I think I first came across this term in a Foreign Affairs article, and from then on used it often in presentations to various brain-dead military officers who all seemed to have degrees in Biblical Studies from colleges whose boards are full of Dominionism types.

In any case, the term has been around for a while. Unfortunately, our officer corps is populated by weak-minded fools who have more allegiance to their quasi-Baptist cults and podcast hosts than to their country. They all seemed to have a multi-year education in how to use Hebrew language factoids for eisegesis, but had no god-damned clue what a "heap" was, and were effectively mid-level managers of "Cyber Operations"...

Our current state of affairs in the civilian sector isn't too surprising and I have infinitely more confidence in random banks and credit "borough" companies than I do in our military.

All of that to say: a cyber 9/11 attacking civilian infrastructure is a best-case scenario because that's where all the good people are. An actual 9/11 will probably attack the defense sector where all the incompetents work and will be way worse than actual 9/11. You have officers with theology degrees from shit-tier southern bible colleges to thank for it. After we're done bombing whatever rural town the hacker happened to live in, our next two steps should be professionalizing software engineering and writing history books about how christian fundamentalists destroyed the integrity of the US officer corps.


I didn’t realize there was so much religion in the military. Gun in one hand, bible in the other, is the dumbest thing I can think of. Do they actually think, if heaven and god were real, they would be invited? Ha! I would love to hear how a military man justifies going to war and then preaching the bible; surely the two go against each other.


So you’re saying that is a gigantic target for China and Russia to go after lol. It would mean some change for the which might not be bad but that’s kinda like arguing for terrorism, which would be illegal and actually have enforcement behind it.


No, it's far too large and undivisive a target for China or Russia. They're both too smart for that. They fuck shit up in ways that are partisan and divisive.

This is more of an NK/non-state-actor "burn it all down" move.


If that were to happen it would be a "too big to fail" event. The gov would bail everyone out and mandate a reset to whatever it was believed to be before. Bank accounts, retirement accounts etc. would be reimbursed up to the FDIC limit. Credit reports would be rolled back to the last known good value. It would probably fuck things up short term but long term it would lead to better security of consumer data.


Completely agreed. But the short term fall-out would be incredible, and I think the backlash against tech unprofessionalism would be merciless.


Eh, I think you went into hyperbolic assertions here. Might want to walk it back. It's bad, but it's not as bad as you say.


Suppose NK or some non-state actor has access to EquiFax or OPM data. Or just a conglomeration of various other data leaks, some of which are probably still unknown or at least unannounced. Suppose that actor launched a plan with trivial lead-time and resources -- say, 1-3 years with 10-50 trusted primaries and however many in-the-dark "contractors".

Do you really think the result wouldn't be turmoil for at least weeks, if not months, and take a year+ to unwind? Serious question. If so: please explain.


The slow guy that still kept paper records would win this.


I don’t see why. I think it’s generally silly to think of your work computer/account as a place for anything private. Even if they won’t normally look at it, it’s all fair game if e.g. someone subpoenas them. My employer had a team which did a similar thing to the GP (had a spreadsheet with everyone’s password) in case someone was out and had some crucial file on their computer. And while they have since stopped doing that, it is because they improved processes such that it wasn’t needed and not because it became acceptable for the team to fail to carry out a large portion of their business activities or obligations because someone important was sick.

The problem is that the spreadsheet meant that exploiting one user meant exploiting the whole team but you can have this kind of privilege escalation in plenty of other ways. An easy way is to give people lots of permissions so that they can get their work done, or to just be bad at revoking permissions once they are no longer needed. Plenty of companies deliberately give people wide read permissions as a part of a culture of openness.


It's not about it being private - clearly the business can have root/admin/domainadmin/whatever access.

However, your username and password identify you. If user "johnsmith" does something, then that's because johnsmith has logged in. Now, IT may have changed the password to allow them to log in as johnsmith (either following some odd policy, or a rogue IT worker), but that would be in the audit log.

If a company needs more than one person accessing an account for some reason, they should create a generic account (e.g. "z_reception" for a generic reception machine).
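The audit-log point above, as an added example (not the commenter's code): once IT has reset johnsmith's password, later activity under that username is attributable to the account but not reliably to the person, so a reviewer should tag every action that follows an administrative reset within a window. The log format, field names, usernames, paths and timestamps are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed audit log (not from the thread): "<ISO timestamp> key=value ...", one event per line.
# johnsmith logs in normally, itadmin resets johnsmith's password, then "johnsmith" acts again.
AUDIT_LOG = """\
2024-05-03T09:55:00 actor=johnsmith action=login src=10.0.0.7
2024-05-03T10:00:00 actor=itadmin action=password_reset target=johnsmith
2024-05-03T10:05:00 actor=johnsmith action=login src=10.0.0.5
2024-05-03T10:06:00 actor=johnsmith action=file_read path=/finance/q2.xlsx
2024-05-05T08:00:00 actor=johnsmith action=login src=10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_events(text):
    """Parse the key=value log into dicts with a datetime under 'ts'; skips malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        fields["ts"] = datetime.fromisoformat(m.group(1))
        events.append(fields)
    return events


def flag_post_reset_activity(events, window=timedelta(hours=24)):
    """Return (ts, user, action, resetting_admin) for every action a user performs
    within `window` after an administrator reset that user's password.

    Events are processed in time order so a reset only taints what comes after it.
    """
    resets = {}  # target username -> (reset time, admin who performed it)
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("action") == "password_reset" and "target" in ev:
            resets[ev["target"]] = (ev["ts"], ev["actor"])
            continue
        reset = resets.get(ev.get("actor"))
        if reset and ev["ts"] - reset[0] <= window:
            flagged.append((ev["ts"], ev["actor"], ev["action"], reset[1]))
    return flagged


if __name__ == "__main__":
    for row in flag_post_reset_activity(parse_events(AUDIT_LOG)):
        print(row)
```

On the sample, the 10:05 login and the 10:06 file read are flagged as following itadmin's reset; the login two days later falls outside the window and is left alone, as is the login before the reset.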



