FWIS3

[Sigma_Orionis]

Hopefully he was easy to identify because of the amount of traffic he had to generate to get the info. Which, with some luck, should be a much better deterrent than anything else.

[Sigma_Orionis]

The Cloudfare Folks published more info on how the winners of the challenge did it.

[Sigma_Orionis]

Damned if you do, Damned if you Don't

https://vivaldi.net/blogs?view=entry&id=27907

Heartbleed is a very serious issue, and getting the word out to all affected parties is necessary, but I am starting to think that the press coverage, with all its hype and incorrect statements about issues surrounding the problem (such as "change your passwords immediately!" before the servers are patched, and "Heartbleed related certificate revocation will slow down secure surfing") has, at least to some extent, become counter-productive.

[Sigma_Orionis]

Apparently there was a third victim

And not because they had vulnerable web servers, they had vulnerable Network Gear.

He explained the hackers took advantage of the fact that Franklin, Tennessee-based CHS, used products made by Juniper, a firm that makes hardware and software to manage computer networks.

Like many of its competitors, it took Juniper several weeks to patch all its affected code after the Heartbleed alert was issued.

[Swift]

It seems to me that the reports of some new company or organization getting hacked and a hundred million billion passwords being stolen is becoming almost a daily occurrence. The most recent one is this health care system.

I don't know about the rest of the non-computer experts out there, but if anything, all these stories are having the opposite effect on me. It is making me care less and less about cyber-security and changing my password. Part of that is because it seems to me that I would be needing to change all my passwords on an almost daily basis. And given that I have literally dozens and dozens of passwords, that isn't possible.

Second, it seems like it is inevitable. If these hackers keep stealing the info on a couple of million accounts on a regular basis, odds are they are going to get me eventually.

And lastly, it seems like it actually doesn't matter what I do, since I can't do anything about it. Take the hospital system example. I have to give hospitals information such as my Social Security number, credit card info, date of birth, etc. if I wish to be treated at that hospital. I have no control over what they do with that info, or how securely they protect it. Am I suppose to pick hospitals based on the cyber security rating? That might be a little bit of a challenge in the middle of my heart attach.

[Sigma_Orionis]

Yep, the reported incidents are getting more and more common.

And no, you shouldn't have to worry about it. Passwords are a crummy method of authentication though.

Usually there are three methods of authentication:

- Something the User knows (passwords, security questions etc.)
- Something the User has (Security Tokens, Code Cards)
- Something the User is (retinal scan, fingerprints etc.)

All of them have varying problems and all of them are hackable. You might have heard the term "Two Factor Authentication" that is merely a way to authenticate you that implements two of the three methods mentioned above.

A couple of years ago, I remember posting about a company that was supposed to be considered the "gold standard" for non password-based authentication RSA SecureID, being hacked, the hackers stole information that would allow them to hack their way into institutions that used their products, and one of the companies that got hacked as a result was Lockheed (might have heard of them? Big time US Defense Contractor, they make fighter jets and stuff like that....).

No, you shouldn't have to choose a Bank or a Hospital or a particular service because of some "Cyber security rating". And no, I have no answers, and No, nothing I say here will make you feel any better or make you change your mind. It sucks, period.

[Swift]

A couple of years ago, I remember posting about a company that was supposed to be considered the "gold standard" for non password-based authentication RSA SecureID, being hacked,

They are who our corporation uses for our security tokens

No, you shouldn't have to choose a Bank or a Hospital or a particular service because of some "Cyber security rating". And no, I have no answers, and No, nothing I say here will make you feel any better or make you change your mind. It sucks, period.

I didn't expect you would (have the answers). It is nice at least to get a confirmation from someone in the biz.

[geonuc]

A couple of years ago, I remember posting about a company that was supposed to be considered the "gold standard" for non password-based authentication RSA SecureID, being hacked,

They are who our corporation uses for our security tokens

Some nuclear utilities too.

[SciFi Chick]

It seems like, on a scale like this, we're probably dealing with terrorists that would like to cripple us technically, more so than someone who wants to steal $20 out of my bank account. Does that sound like a reasonable assessment?

[Swift]

It seems like, on a scale like this, we're probably dealing with terrorists that would like to cripple us technically, more so than someone who wants to steal $20 out of my bank account. Does that sound like a reasonable assessment?

That isn't my assessment (but what do I know). My guess is that this isn't someone who wants to steal $20 out of your bank account, its a criminal organization who wants to steal $20 out of millions of bank accounts. Or better yet, sell the information to another organization that wants to do that.

[Sigma_Orionis]

Yup, security experts have been warning about stuff like that for years.

and BTW RSA's behavior regarding their hacking was inexcusable.

[SciFi Chick]

It seems like, on a scale like this, we're probably dealing with terrorists that would like to cripple us technically, more so than someone who wants to steal $20 out of my bank account. Does that sound like a reasonable assessment?

That isn't my assessment (but what do I know). My guess is that this isn't someone who wants to steal $20 out of your bank account, its a criminal organization who wants to steal $20 out of millions of bank accounts. Or better yet, sell the information to another organization that wants to do that.

That works too. I'm actually okay with having small amounts stolen. I don't like it, but shit happens. It's the idea of having my poor, sad bank account cleaned out completely that I can't handle.

[Sigma_Orionis]

In this BBC article the author muses using biometrics.

If you ask me, the least bad of all options are passphrases combined with another method, most probably Biometrics, security tokens or cards sound like they will be hard to implement on a very large scale.

[SciFiFisher]

In this BBC article the author muses using biometrics.

If you ask me, the least bad of all options are passphrases combined with another method, most probably Biometrics, security tokens or cards sound like they will be hard to implement on a very large scale.

The US DOD and the VA use a user ID, Password, and a smart chipped ID card. They make you set up an underlying user name and password for the system. for daily logging in you have to use your smart chipped ID card and a "pin" which is usually a 6 letter phrase or number series. The ID card is linked to your user name on the system. If they don't all match up they deny access.

In spite of this both systems have had data stolen. Usually in the form of a laptop that some idjit decided to leave in a car so it could be stolen. Both systems have also had virus intrusions and hacker attacks. The weak link is usually someone who decides that it should be ok to download that sweepstakes prize claim form that will let them claim the £1,000,000 that uncle Wallybongowallawanga left them in Nigeria.

[Sigma_Orionis]

Two factor authentication can't protect against layer 8 stupidity

I've installed RSA Security authentication systems twice, they work in a manner similar to what you mention, the expensive versions require you to use both the code given by the token and a PIN. The code is modified when a user enters his PIN. In the cheap version, the user PIN is entered as part of the code given by the token. the token changes the code every minute. I've seen that used by Banks for their corporate customers, for us rabble they issue a card with coordinates and use a challenge response system to get the values of the coordinates, it's basically the "el cheapo" version of it.

The thing is that at least some manufacturers integrate the biometrics to the user hardware, if you use a lot of websites that are password protected and (in the unlikely case) that they want to provide support for two factor authentication, I doubt very much that all those will issue cards (let alone tokens). I think that even if it was possible from a financial point of view, integrating the token functionality into the user hardware would be unpractical.


Edited for Clarity

[Sigma_Orionis]

Bad year for Secure Communication Protocols all around

Annus HORRIBILIS for TLS! ALL the bigguns now officially pwned in 2014

Microsoft stuff has a bug that at first blush looks very similar to Heartbleed

Patching as I write this, MEH!

[SciFiFisher]

Bad year for Secure Communication Protocols all around

Annus HORRIBILIS for TLS! ALL the bigguns now officially pwned in 2014

Microsoft stuff has a bug that at first blush looks very similar to Heartbleed

Patching as I write this, MEH!

Order more glue?

[Sigma_Orionis]

A couple of cans of Raid would be more useful (rather hard to find these days on the glorious socialist land of the spiritually enlightened idiots), you damned evil imperial imperialist capitalist gringo of the evil imperial imperialist capitalist gringo empire