Ask a computer security expert.
#21
Ask a computer security expert.
(May 24, 2015 at 1:45 am)Minimalist Wrote: That makes sense but it isn't very reassuring.  We have had several hacks over here of high value targets..... like Target.

The Target hack was actually a very interesting case of how even security measures can fail if they aren't set up correctly or properly protected.

If I recall correctly, the hackers found a web server connected to the Internet, exploited it, and gained access to the internal network. On this network was a distribution server which would push software updates to all Target store POS (point of sale) systems. This is a pretty nice setup; it means the POS systems can all be updated with the latest software, security updates, etc.

Of course, if the distribution server is compromised, that setup becomes dangerous. As it happens, the distribution server was compromised, and the hackers used it to push a malicious update to every POS system. The update would cause the POS systems to store credit card details and send them back to the hackers.
Reply
#22
RE: Ask a computer security expert.
Hey Tib, thoughts on the veracity of this AV chart?

http://chart.av-comparatives.org/chart1.php

I'm currently using BitDefender for my PC and Android phone based on the numbers there.

Also, what would you have done differently than the IRS to prevent the breach? In case you're not aware, 100,000 people's tax records were stolen from the IRS' transcript site. It used weak authentication - just an SSN and a valid email address - and people who had stolen others' identities simply entered their stolen info, provided an email address, and had unfettered access to those individuals' records.

Talking with a friend, I suggested two factor authentication, but access could be a problem since not everyone owns/has access to a cellphone or PC.  Is there anything else that could be done in that case?
"I was thirsty for everything, but blood wasn't my style" - Live, "Voodoo Lady"
Reply
#23
RE: Ask a computer security expert.
We got caught in this one.

http://www.mercurynews.com/health/ci_274...t-you-need


Quote: Hackers stole data on up to 80 million current and former Anthem health care customers, including names, birth dates, Social Security and medical ID numbers, email addresses, street addresses, telephone numbers and employment data, including income.

So far, no problems but we did get the advisory letter.  Might have lucked out because we just enrolled in Anthem when we turned 65 but didn't start using it until January.  Not much of a history.


BTW, I never saw the details on the Target hack.  What passes for "news" over here just said that it was done - not how.  
Reply
#24
RE: Ask a computer security expert.
(May 27, 2015 at 4:15 pm)KevinM1 Wrote: Hey Tib, thoughts on the veracity of this AV chart?

http://chart.av-comparatives.org/chart1.php

I'm currently using BitDefender for my PC and Android phone based on the numbers there.

Also, what would you have done differently than the IRS to prevent the breach? In case you're not aware, 100,000 people's tax records were stolen from the IRS' transcript site. It used weak authentication - just an SSN and a valid email address - and people who had stolen others' identities simply entered their stolen info, provided an email address, and had unfettered access to those individuals' records.

Talking with a friend, I suggested two factor authentication, but access could be a problem since not everyone owns/has access to a cellphone or PC.  Is there anything else that could be done in that case?

AV-Comparatives are pretty thorough and open about their testing techniques, so I'd definitely trust them as an independent testing organisation. From the looks of the graph, BitDefender seems like a good choice. Might have to switch over from Kaspersky when our license runs out.

As for the IRS breach, I believe more validation of the user identity should have been performed. For instance, you should not be able to take a social security number and a mailing address (both of which are pretty easy pieces of information to get...your employer likely has both) and get copies of tax records. Rather, what should happen is the following:

1) User without an IRS.gov account enters their SSN and address.
2) IRS.gov checks the SSN and address match what they have on file, and asks user to enter an email address / username.
3) IRS.gov then mails a randomly generated password to the user's mailing address, which they can combine with their username to log in.

It's not a perfect system, as a really dedicated attacker could sit and wait for the mail I suppose, but ultimately those cases of fraud are going to happen one way or the other anyway.
Reply
#25
RE: Ask a computer security expert.
(May 28, 2015 at 12:10 am)Tiberius Wrote:
(May 27, 2015 at 4:15 pm)KevinM1 Wrote: Hey Tib, thoughts on the veracity of this AV chart?

http://chart.av-comparatives.org/chart1.php

I'm currently using BitDefender for my PC and Android phone based on the numbers there.

Also, what would you have done differently than the IRS to prevent the breach? In case you're not aware, 100,000 people's tax records were stolen from the IRS' transcript site. It used weak authentication - just an SSN and a valid email address - and people who had stolen others' identities simply entered their stolen info, provided an email address, and had unfettered access to those individuals' records.

Talking with a friend, I suggested two factor authentication, but access could be a problem since not everyone owns/has access to a cellphone or PC.  Is there anything else that could be done in that case?

AV-Comparatives are pretty thorough and open about their testing techniques, so I'd definitely trust them as an independent testing organisation. From the looks of the graph, BitDefender seems like a good choice. Might have to switch over from Kaspersky when our license runs out.

Cool beans.  I know something about security on the web side of things, given what I do.  Like, not falling for database injections, XSS, that sort of thing.  I'm not too familiar with desktop solutions, however, which is why I asked about the chart.  Seems like there's a ton of different sources pointing at different products for different reasons, and since I'm the family's 'computer guy', I want to make sure I don't self-sabotage.

Quote:As for the IRS breach, I believe more validation of the user identity should have been performed. For instance, you should not be able to take a social security number and a mailing address (both of which are pretty easy pieces of information to get...your employer likely has both) and get copies of tax records. Rather, what should happen is the following:

1) User without an IRS.gov account enters their SSN and address.
2) IRS.gov checks the SSN and address match what they have on file, and asks user to enter an email address / username.
3) IRS.gov then mails a randomly generated password to the user's mailing address, which they can combine with their username to log in.

It's not a perfect system, as a really dedicated attacker could sit and wait for the mail I suppose, but ultimately those cases of fraud are going to happen one way or the other anyway.

Yeah, the problem really lies with the SSN.  If someone else has it, it doesn't matter what else you do.  The thief can simply provide an address (electronic or otherwise) that exists, or a secondary identifier (phone #).  I wonder if working backwards would make more sense.  Have someone enter in their real name, real address, and an email address.  Then send out a tokenized link that brings them to a SSL-protected form where they enter in their SSN as the final check.  Lock them out after 3-5 failed attempts.  It won't stop an identity thief from succeeding, since they'll already have the SSN, but on the surface it seems a little better than just giving everything away to a specified email address when the SSN matches.  At the very least, there are more breakpoints involved, as every piece of data entered up to the SSN would be checked.
"I was thirsty for everything, but blood wasn't my style" - Live, "Voodoo Lady"
Reply
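The "work backwards" enrollment flow discussed in posts #24 and #25 (match name and address first, send a single-use link, require the SSN only as the final check, lock out after a few failed attempts), written up as an added Python example; this is not code from the thread or from any IRS system. The RECORDS table, the Enrollment class, the three-attempt limit and the 15-minute link lifetime are all constructed for illustration.

```python
import hmac
import secrets
import time

# Constructed sample "on-file" records keyed by an internal record id (not real data).
RECORDS = {
    "r1": {"name": "Jane Doe", "address": "1 Main St", "ssn": "123-45-6789",
           "transcript": "TRANSCRIPT-r1"},
}

MAX_FAILURES = 3      # assumed: lock the record after this many wrong SSNs
TOKEN_TTL = 15 * 60   # assumed: seconds the e-mailed link stays valid


class Enrollment:
    """One verification service: issues links, counts failures, locks records."""

    def __init__(self):
        self.pending = {}   # token -> (record_id, bound_email, expires_at)
        self.failures = {}  # record_id -> wrong-SSN attempts so far
        self.locked = set()

    def start(self, name, address, email):
        """Step 1: name and address must match a record before anything is sent.
        Returns the single-use token the site would e-mail as a link, else None."""
        for rid, rec in RECORDS.items():
            if rec["name"] == name and rec["address"] == address and rid not in self.locked:
                token = secrets.token_urlsafe(32)   # unguessable, 256 bits of randomness
                self.pending[token] = (rid, email, time.time() + TOKEN_TTL)
                return token
        return None

    def finish(self, token, email, ssn, now=None):
        """Step 2: redeem the link; the SSN is the final check, never the first.
        Returns the transcript on success, None on any failure or lockout."""
        now = time.time() if now is None else now
        entry = self.pending.get(token)
        if entry is None:
            return None
        rid, bound_email, expires_at = entry
        if now > expires_at or rid in self.locked or email != bound_email:
            self.pending.pop(token, None)       # stale, locked or wrong mailbox: link is dead
            return None
        if hmac.compare_digest(RECORDS[rid]["ssn"], ssn):
            self.pending.pop(token)             # single use: consumed on success
            self.failures.pop(rid, None)
            return RECORDS[rid]["transcript"]
        self.failures[rid] = self.failures.get(rid, 0) + 1
        if self.failures[rid] >= MAX_FAILURES:
            self.locked.add(rid)                # even a fresh link is refused from here on
            self.pending.pop(token)
        return None
```

Nothing from the record is returned until the name, address, mailbox and SSN have all checked out, and a guessed SSN gets at most MAX_FAILURES tries before the record is locked.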
#26
RE: Ask a computer security expert.
I use avira, based on the guys from av-comparatives... it used to give a few more false alarms... but I rather see false alarms than miss a real one.
Reply