Target's Internal Security Team Warned Management 236
david.emery writes "According to this story, Target's own internal computer security team raised concerns months before the retailer lost millions of credit card numbers in an attack. (Quoting a paywalled story in the Wall Street Journal.) Target's management allegedly 'brushed them off.' 'At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system.' This raises a more general question for the Slashdot community: how many of you have identified vulnerabilities in your company's/client's systems, only to be 'brushed off?' If the company took no action, did they ultimately suffer a breach?"
Posting anonymously for obvious reasons... (Score:5, Interesting)
Yes, there are horrible security flaws where I work. Things as basic as changing passwords on a regular basis have been brought up repeatedly, and the answer is always, "we can't make people do that", or "that's something to keep in mind for the future, but we have more important things to worry about"
Re:Posting anonymously for obvious reasons... (Score:5, Informative)
Yes, there are horrible security flaws where I work. Things as basic as changing passwords on a regular basis have been brought up repeatedly, and the answer is always, "we can't make people do that", or "that's something to keep in mind for the future, but we have more important things to worry about"
I've worked at two kinds of places - one, where it was pretty much as you described. The second sort was, upon orientation you are given your accounts and access and told they are your responsibility to use discreetly and to notify the appropriate support should you even suspect they have been compromised. Failure, in the second case, was grounds for discipline or termination of employment.
Guess where things went more smoothly and security issues seldom elevated to crisis.
Re:Posting anonymously for obvious reasons... (Score:5, Insightful)
Ditto here... once you make the employees know that their screw-ups will end up costing them, they tend to not screw up as much, and tend to report things much, much faster should something go awry.
That said, the Target penetration wasn't directly caused by a Target employee/user - the bad guys snuck in through a contractor that was given network access that they should have never had. This was more due to lazy architecture/vlan partitioning than it was $random_employee with a bad post-it note habit.
If anything, the network admins should be facing the barrel before anyone else, followed very closely by most of the security admins, if not simultaneously (excepting the guy who shouted the warning and those who demonstrably supported him; that dude should be promoted post-haste.)
Re:Posting anonymously for obvious reasons... (Score:5, Interesting)
I've worked in the physical security field (cameras, key cards, alarm systems, etc.) for the past eight years, and can tell you that Target's HVAC vendor is in no way unusual. I know of a large security vendor that uses the same username/password combination on every customer that they ever touch, nationwide, and at most of them they are administrators on the security server. At a lot of them they have remote access.
Re:Posting anonymously for obvious reasons... (Score:5, Insightful)
It's kinda backwards in a way. Retail is always a huge target, the bigger the company the bigger the score. From a security design viewpoint, the "backend" and the "financial" systems should have been physically separated at all times, using some encrypted EDI to exchange whatever (inventory, overstock, per piece price, etc). The credit card terminals should have been "payment only" and not loaded down with all their SHIT like "cash back?" "cure cancer?" "are you sure?" "join our rewards / store card" and wtf other messages I have to tap on your stupid touchscreen a million times just to pay you. Some of them even have ads on them.
Soon, Walgreens, CVS, Dollar whoever...the more sophisticated we make these terminals where our card touches their system, the more exploitable they will become. It's the slow feature creep, the "we need to upload new ad images at 2:50AM" by developers in a far-off land...pushed forward by managers who just want "shiney bright things" that make us give up even more information, waste our time more, and provide little real actual benefit.
Re: (Score:2)
So if an advanced persistent threat had silently compromised your credentials using sophisticated techniques, you would have been on the hook for not identifying the intrusion? Sounds great...
It's also not what he said or even implied. Educating the employee and warning them that they need to be responsible doesn't put them on the hook if a zero day exploit or the like strikes them through no fault of their own.
Re: (Score:2)
Though it does give the ability and justification to do so.
Re: (Score:3)
Generally whomever I worked for took my security warnings to heart (the first production Linux server I ever built was put in place as a mail relay for a Windows-based mail server's SMTP daemon to prevent joe jobs and overcome some nasty security vulnerabilities, with the management's approval).
I can tell you that other kinds of warnings have historically not been heeded. I had a boss who decided that because Windows 2000 Server supported disk mirroring on IDE drives, he didn't need to invest in decent hard
Re:Posting anonymously for obvious reasons... (Score:5, Insightful)
You do realize that making people change their passwords all the time simply leads to people using weaker passwords or writing them down, right? This type of policy thought up by some self-proclaimed security expert amongst the IT monkeys almost always leads to worse security than not. And you don't even need to take my word for it:
The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they're more likely to choose easy-to-remember -- and easy-to-guess -- passwords than they are if they can use the same passwords for many years. So any password-changing policy needs to be chosen with that consideration in mind.
https://www.schneier.com/blog/... [schneier.com]
Re: Changing Passwords (Score:2, Interesting)
Places where I've worked that users were required to change their password regularly invariably had the same password but with an incremented number at the end every time they needed to change the password. This allowed them to remember it more easily, but effectively meant they were using the same password.
The more stringent that the password requirements become, the more likely it is that users are going to start writing them down somewhere or trying to come up with workarounds so that they can remember t
Re: (Score:2)
Where I used to work had a policy like that, and you are right, the number of post-it notes with !t$Feb2014 or similar you could find stuck around was incredible.
It's okay to write them down. (Score:4, Insightful)
As long as you keep them in your wallet then writing them down is fine.
You're MUCH more likely to be aware when someone steals your wallet than when someone steals your password. So keep your passwords in your wallet if you cannot remember them.
Similar for home systems. Keep them safe at home. Criminals breaking into your home to steal stuff are not USUALLY going to be looking for a piece of paper with your passwords on it.
Re: (Score:3)
Re: (Score:2)
For example I tried it for skype and it got rejected for lack of security, while a 7-letter lower case english word plus the number 1 was deemed fine! Go Google!
Google bought Skype?
but when you work with HVAC vendors who sub work o (Score:2)
But when you work with HVAC vendors who sub work out / are not really IT people, then they may have a few fixed passwords / logins that they need to give out to all the people in the field. It's much easier to have a fixed one than giving each field tech their own login that they may not even need day to day, or even working at Target all the time.
Keeping track of who works for each Contractor / Subcontractor down the line is hard and can be a lot of needless work of adding / removing users who may not even be o
They get their own network. (Score:3)
So they get their own network that does not touch the production network.
Probably just a *DSL/cable from a local ISP.
With a firewall that you control. Heavily locked down. No need for them to hit Facebook from the HVAC, is there? No need for inbound
Re: (Score:3)
and then some cost cutting yoho says why does the HVAC need its own network cabling and or DSL/cable line? or says we are not paying for cable when we get free directv / dish demo accounts and there is no DSL in the area.
Re: (Score:2)
At which point you move to a different job. If they're that concerned about the cost of a local ISP connection then they're going to be making other bad decisions. Consider that to be the "canary in a coalmine" signal.
I know, it sucks. But if you're having to fight for basics such as that then take your skills to someone who will appreciate them.
And when they ask you why you want to leave your
Re: (Score:2)
and then some cost cutting yoho says why does the HVAC need its own network cabling and or DSL/cable line?
Bet they won't be asking that anymore - if they do, pointing them to a simple webpage describing the Target hack will shut 'em up in a hurry.
My best answer to such yohos is to demand that the request be in writing, that it be specific, and include the text of an email I send them with all the risks listed. Otherwise, no change is made.
You'd be amazed at how many middle-management types quickly decide that maybe their idea isn't as important as they thought when it's their ass on the line... ;)
Re: (Score:2)
A case in point is a phone guy who came in that used a UPS as a drink coaster (he came so close to being a crispy critter) and wanted telnet access to his device from the internet. The device had a username, which was the company name, and no password. Anyone who found the thing would have been able to reap the reward of international phone calls charged to the poor suckers that had bought the equipment if he had got his way.
Th
Re:but when you work with HVAC vendors who sub wor (Score:5, Insightful)
*raises hand* ooh! ooh! Pick me! Pick me! Been there! Done that!
Two things:
1. It's not that they need access to the CORPORATE network. It's that they need access to the INTERNET so that the machinery can report back to the vendor when something starts to go wrong. That's usually in the service agreement. The sooner detected the sooner fixed without problem.
2. For managers who like to look at stuff. There is usually an internal web server on the HVAC. You go there and it displays things like the temp and the humidity and blah blah blah.
Thus, dumb managers (I've dealt with them) want them on the corporate network. It's easier for everyone.* Including the crackers who are looking for these exact vulnerabilities.
*Security people are not included in this definition of "everyone" in this case.
Re: (Score:2)
They probably have several people who can do that. It requires some expertise but not a lot.
I can do that. And I still push for a completely separate Internet connection.
Because once it is on the corporate network it becomes very easy to make mistakes. People think they know more than they really do. Or that they understand the situation when they do not. And the processes that can
Re: (Score:2)
That's why I use tin cans and string.
Re: (Score:3)
They probably have several people who can do that. It requires some expertise but not a lot.
Of course they have people who CAN do that. The better question is - do any of those people have the political clout to require Target to spend money and inconvenience managers and "essential" vendors to prevent a "theoretical" security attack.
Re: (Score:2)
In your situation it sounds like what you need to do is impose a short timeout after each failed password entry, and lock the account after 3-4 consecutive failed password entries. Perhaps you could just impose a temporary timeout on the account after each failed attempt, increasing after each consecutive failed attempt, but I don't think I've ever seen such a system in use.
There's a good argument that this kind of thing should be routine anyway as long as it's reasonably easy to unlock the account. (I.e.
Re: (Score:3)
The flaw in password lockout schemes that lack a timeout is that anyone can lock out anyone's account. I can imagine someone hammering every member of "Domain Admins", "Helpdesk Staff", etc with three fake attempts, and by the time anyone has realized it, it will be difficult to even find someone who can unlock the accounts.
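The two posts above describe the trade-off between lockout and lockout-as-denial-of-service: a fixed "three strikes and call the helpdesk" rule lets anyone lock anyone out, while an expiring, escalating delay bounds the damage. The following is an added example, not code from the thread or from Target, of a login throttle that works the way the first post suggests (a delay after each failure past a threshold, doubling per consecutive failure). The threshold, base delay and cap are assumed values; attempts made during a lockout are refused without counting as new failures, so hammering an account cannot extend the lockout indefinitely.

```python
import time
from dataclasses import dataclass

# Assumed policy values for this example.
THRESHOLD = 3        # consecutive failures before the first lockout
BASE_DELAY = 5.0     # seconds locked after the threshold is reached
MAX_DELAY = 900.0    # cap: a hammered account always recovers within 15 minutes


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account escalating lockout with automatic expiry (example, not a real product)."""

    def __init__(self):
        self._state = {}

    def _get(self, user):
        return self._state.setdefault(user, AccountState())

    def lockout_remaining(self, user, now=None):
        """Seconds until the account may try again; 0.0 when not locked."""
        now = time.time() if now is None else now
        return max(0.0, self._get(user).locked_until - now)

    def record_failure(self, user, now=None):
        """Count a failed attempt and, past the threshold, lock for an escalating period."""
        now = time.time() if now is None else now
        st = self._get(user)
        st.failures += 1
        if st.failures >= THRESHOLD:
            delay = min(MAX_DELAY, BASE_DELAY * 2 ** (st.failures - THRESHOLD))
            st.locked_until = now + delay
        return self.lockout_remaining(user, now)

    def record_success(self, user):
        """A successful login clears the failure history."""
        self._state.pop(user, None)

    def attempt(self, user, password, check, now=None):
        """Returns 'locked', 'denied' or 'ok'. Attempts during a lockout do not
        count as failures, so an attacker cannot keep the lockout growing."""
        if self.lockout_remaining(user, now) > 0:
            return "locked"
        if check(user, password):
            self.record_success(user)
            return "ok"
        self.record_failure(user, now)
        return "denied"


def demo():
    """Walk one account through failures, a lockout, expiry and recovery.
    Uses a fixed clock so the sequence is deterministic."""
    throttle = LoginThrottle()
    check = lambda user, pw: pw == "correct"      # constructed credential check
    outcomes = [
        throttle.attempt("alice", "wrong", check, now=0),    # denied (1 failure)
        throttle.attempt("alice", "wrong", check, now=1),    # denied (2 failures)
        throttle.attempt("alice", "wrong", check, now=2),    # denied, locked until t=7
        throttle.attempt("alice", "correct", check, now=3),  # locked: even the right password waits
        throttle.attempt("alice", "correct", check, now=7),  # ok: lockout expired, history cleared
    ]
    return outcomes


if __name__ == "__main__":
    print(demo())
```

With the fixed clock in `demo()`, the fourth attempt is refused even though the password is right, and the fifth succeeds once the five-second lockout has expired. The lock on "Domain Admins" in the scenario above would at worst last `MAX_DELAY`, and nobody has to find a human to clear it.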
Re: (Score:3)
I hate people who insist that password changes are not a good thing. Look very very few organizations have proper identity and account management.
Password rotation at least closes the hole of former employees still having access at some point in the future.
Everyone's password ends up in a log file somewhere some time, in plain text just laying around. Usually its because they are in a hurry and enter it in a user name field. Password rotation ensures this password will at least at some point no longer be
Re: (Score:2, Insightful)
Password rotation at least closes the hole of former employees still having access at some point in the future.
No. If former employees still have access, that means the network admin folks are incompetent or the off-boarding procedure is broken.
When an employee terminates, their account should be disabled. Problem solved.
There should never be any anonymous or independent accounts that can cause damage (e.g., an FTP box could have anonymous access if nothing confidential is kept there, but it should never be allowed write access).
in this cases it may be out side vendors / contrac (Score:2)
In some cases outside vendors / contractors have shared / fixed accounts / passwords.
Re:in this cases it may be out side vendors / cont (Score:4, Interesting)
Which is a perfect example of incompetence.
Re: (Score:2)
Yes accounts should be cleaned up when people term and if they are not or are not always its an off boarding process problem, or you know like I stated identity management issue. Thing is most companies have problems like that. So not rotating passwords just makes the problem worse, no it's not a solution but it's an additional control that should be in place.
Re: (Score:3)
I got fired from my last job on my day off, but got re-hired three weeks on a different team. We ran into a slight problem with my new email address because my old ID hadn't been archived yet, whatever that act
Re: (Score:2)
I never want to work in such a shithole with such a lack of respect for employees and a use of intimidation. Even the place that fired me by revoking my pass code and locking me out did not show quite that level of d
Re: (Score:2)
It often is.
If given the option dismissal is carried out as "quietly" as possible which usually means not telling anyone other than payroll that the person has gone.
I recently had a situation where a former employee, who left voluntarily to go work for a competitor, was very angry when I found out that he had been gone for a month and removed his email access. It was a ridiculous situation - he felt entitled because he's been using it as his personal email address.
S
Re: (Score:2)
Re: (Score:2)
Implementing a boneheaded change password policy is not going to make your users act better. You are simply going to make no difference or make it worse.
Re: (Score:3, Informative)
Re:Posting anonymously for obvious reasons... (Score:5, Insightful)
Interesting that you should mention "changing passwords on a regular basis" as a "horrible security flaw". Have you considered that changing passwords generally introduces more risk than it guards against, and doesn't actually have an effect on most actual hack attacks?
The attacker strikes with whatever credentials he finds, whenever he finds them. The second step of an attack is to create a separate back-door, so that if the first password is changed he's back in anyway. And how does an attacker find credentials? When someone's entering them, which includes changing them, or if someone's handling them. There is often a case when you have people who can't remember their newest recently cycled password who call the Help Desk. The phone drone resets it to something like "ForgottenPassword#1", then voicemails the chump with the temporary password. If a hacker's able to listen to their voicemail, he simply calls in a phony forgotten password request and it's Winner, Winner, Chicken Dinner!
So what does changing the password every 30 days actually protect against? I suppose if you wrote the password on your blog, then in 31 days you're safe. Of course, if you wrote the password on your blog, I don't think password rotation should be your highest priority for fixing your security issues. Do you honestly think hackers have machines that can crack passwords in 31 days, but not 30? Either he can crack it in an hour or less, or he likely can't crack it at all and won't bother trying.
Changing passwords periodically was only a good idea when there was one password shared by many people, and you had to exclude your former colleagues. But those days ended back with moats and longbowmen on the castle walls. In these modern days of electronic passwords that are never shared, it's a ritualistic holdover with negative consequences.
Re: (Score:2)
In an ideal world. Try coming in to fix other people's stuff as a consultant every now and again and you'll see that your own easily set up and well behaved stuff is the exception and not the rule. For some reason secretarial staff and accounts clerks frequently suggest that there is so
Re: (Score:2)
No. It doesn't. Why? Simple. The Post-It Note will ALWAYS be the CURRENT password. If not why have it there?
Re: (Score:2)
Well, yes no and maybe.
I'd start with asking what kind of access you have as a random SAP user. If that's locked down and restricted, then no big deal. If it allows access that's no different (and yields no real info other) than what you'd find as the logged-in user on the 'main system'** , then again no change, really.
Now if that random SAP user had god-like access or gets way more info than a normal 'main system' login gives them, then yeah, it's a much bigger deal (and your SAP admin needs a good hard bi
customer service portal (Score:5, Interesting)
Years ago I worked for one of the two big American cable companies currently merging. I identified a security flaw in the public facing side of their customer service portal, essentially giving access to all the config files, which contained admin credentials in plain text. I proposed simple solutions, like not allowing directory listings of folders, among others.
They shrugged it off, and to the best of my knowledge, last year the vulnerability was still accessible
Re: (Score:2, Informative)
You are a pathetic creature.
Re: (Score:3)
In such cases if you implemented the simple security solutions without telling them they would be none the wiser.
Sometimes that breaks things.
I worked at a certain software firm that had a nasty habit of requiring that a few service account user/pass sit right in plain text in an XML file on the front-facing web servers, else the whole thing wouldn't work. Their MSFT kool-aid drinking habit aside, I always found it hilarious that they preached security so hard, yet left such stupid flaws in place for many years (and many versions). Yelling about it got us approximately nowhere, and implementing a fix on our own w/o go
Re: (Score:2)
Raising concerns is easy (Score:2)
Predicting which concerns will be used in an attack is the real game.
Predicting is easy. (Score:2)
The vulnerability used will be the easiest/first one that the attacker can find.
That sounds flippant but it is true. Most attackers won't even bother to map your network/systems. They'll just try whatever they have and use the first thing that works.
I small lawsuit... (Score:3)
Re: (Score:2)
This is a strange story, overall. Target is much more aggressive about computer security than other, similar companies.
I think they would not have a hard time demonstrating to a jury that they made efforts to secure their systems beyond the industry standard. Which makes one wonder what the context of this "they were warned" is.
Every single company (Score:5, Insightful)
There are security concerns in every company, without exception. Obviously, even the NSA itself had inadequate security!
Yes, many times security concerns are brought up, and brushed off. But this is not necessarily an indication of a problem. Every security risk must be weighed based on the likelihood of occurrence, and the severity of the impact, should it occur. Many of these calculations are inexact, and must be based on incomplete information.
Should Target have protected themselves better? Probably. But hindsight is 20/20. The difficult part is to anticipate the problems that might occur, without crippling your organization through impossibly tight security.
Re: (Score:2)
Re: (Score:3)
Which is very comforting to punters who must trust a company with their credentials in order to do business with it.
One solution to mitigate risk is insurance. Companies should have to pay for security insurance. They cannot prevent every break in, but insurance companies have ways of evaluating an pricing risk. Customers would then at least have a shot at being made whole again.
Re: (Score:2)
Cost of failure * rate of failure = total cost of failure is actually detrimental to this approach, most notably because the rate
Re: (Score:2)
Well clearly they didn't calculate the proper cost of their risk assessment, because this breach is going to cost them a hundred mill or so in the class actions and civil lawsuits that result. It'll take years for the payments to be issued, but it's a foregone conclusion that Target is going to pay through the nose for the breach.
Especially now that it's clear they were warned they were at risk of a breach and could have done something about it.
Where I come from, that's called "criminal negligence", a
Re: (Score:2)
Most data privacy legislation I'm aware of says that you have to take all reasonable steps to protect the data. "Inconvenience for the staff" is not a legitimate excuse for not implementing those protections.
Re: (Score:2)
Well clearly they didn't calculate the proper cost of their risk assessment, because this breach is going to cost them a hundred mill or so in the class actions and civil lawsuits that result.
Maybe they did calculate it wrong, or maybe they didn't. The odds of me rolling 10 6's in a row are 1:60M. Now, suppose I roll 10 times and they all come up 6's - does that mean that I miscalculated?
That's the problem with these sorts of issues - the odds of them happening are generally very low, but the impact is high. That means that if you protect against them you lose money compared to all your competitors who don't protect against them. Most likely none of you will have any issues, making the perso
Re: (Score:2)
But many of the steps that could be taken to prevent the problem are relatively low-impact. These also aren't taken.
I do agree that security professionals tend to overemphasize low probability events. If they didn't have that mindset they wouldn't be security professionals. But there are lots of things that could be done, that are low impact, that AREN'T done because it would require management to authorize it, and the people who understand it can't communicate the importance to management. And lots of
Re: (Score:2)
Don't get me wrong - I think companies should generally do more to improve security. The problem is that the short-term thinking that is incentivized by how companies are run makes it almost inevitable that security won't improve. Things will have to get a fair bit worse before companies take it seriously. When the same companies start getting breached annually they'll start taking it seriously.
Re: (Score:2)
"there are lots of things that could be done, that are low impact, that AREN'T done because it would require management to authorize it, and the people who understand it can't communicate the importance to management."
This management needs to be called for authorization for a reason. If that management doesn't understand what they need to manage and authorize, that's bad management per the book.
In fact, it's always bad management.
20/20 hindsight is the island of the damned (Score:2)
I strongly suspect this is not a hindsight problem whatsoever. The problem is that long term risks are usually weighted against short term gains: personal bonus clauses/promotions triggered by a run of street-beating financial quarters.
There's also the problem of risk hacking, where management willing trades the possibility of a huge setback against the likelihood of a good run of beating par.
With a long enough track record of
Close ties to the FBI (Score:3)
There is the problem that they are fairly computer illiterate. I've dealt with many FBI computer forensic specialists whatever's that are dumbfounded by a .tgz, unix line endings. Hire out of the Secret Service, they understand computers.
FBI troll (Score:2)
Yeah, let's install winzip on all our unix systems so we can use Windows Explorer to view the archives. What, winzip doesn't work on unix? Then let's install WINE so we can use WinZip and Windows Explorer together!
Problem solved!
Comment removed (Score:3)
Re: (Score:2)
Which is academically insane because part of an engineering degree is about teaching the students how to manage. Of course it's clever weasel smart in tunnelling through HR to have those two bits of paper instead of one or one and a real masters degree which requires hard work.
You'd Be Amazed (Score:5, Interesting)
Years ago I worked for a government IT department. A vendor wanted us to try out a product. The device plugs directly into the Internet connection, and monitors every packet, in real time, looking for strings matching an array of string that you provide. We ran queries against our internal databases, and compiled a list of SSNs and CCNs. The vendor programmed that data into their device, which from what I can tell used an FPGA to perform deep packet inspections.
We expected that we might see maybe an email every week or two where someone accidentally sent that kind of information.
First hit occurred 12 seconds after turning the device on.
Second occurred .47 seconds later.
Etc. Etc. Etc.
Within an hour, we had overrun the quota on the network directory where we were logging this data.
We found hundreds of separate systems that were transmitting this kind of data without authorization. We were planning a massive internal sweep to find and fix them all, when the following came down from management:
Shut it down. Remove the device. Destroy all logs, emails, EVERYTHING. Offer the vendor a payment in return for signing an NDA. All employees required to sign secrecy docs (unenforceable at that level of govt, but still.)
I believe this is how the acronym SNAFU came into existence.
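The device in the story above matched packet payloads against a list of known SSNs and card numbers. The following is an added example, not the vendor's code or anything from the post, of the same kind of check done in Python over constructed message text: it finds card-number- and SSN-shaped strings, uses the Luhn check digit and the SSN area/group/serial rules to drop obvious non-matches, and reports only masked values so the scan log does not become a second copy of the data it is looking for. The sample messages are constructed for this example.

```python
import re

# Card-number-shaped: 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# SSN-shaped: AAA-GG-SSSS with hyphens.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn check digit validation over a string of digits (drops most random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject areas 000, 666 and 9xx, group 00 and serial 0000, which are never issued."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def mask(digits):
    """Keep only the last four digits in any report."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text):
    """Return a list of (kind, masked_value) hits found in one message."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", mask("".join(m.groups()))))
    return hits


def scan_messages(messages):
    """Scan a sequence of messages; returns (message_number, kind, masked_value) tuples."""
    findings = []
    for n, msg in enumerate(messages, start=1):
        for kind, masked in scan_text(msg):
            findings.append((n, kind, masked))
    return findings


# Constructed sample traffic. 4111 1111 1111 1111 is a well-known test card number
# (Luhn-valid); the "...1112" variant fails Luhn; 000-12-3456 has an invalid area.
SAMPLE_MESSAGES = [
    "Subject: refund for order 88231 -- card 4111 1111 1111 1111 exp 03/15",
    "ticket #4412: customer SSN 123-45-6789 attached for verification",
    "invoice total 4111 1111 1111 1112, internal tracking only",
    "test record 000-12-3456 (placeholder, not a real SSN)",
    "order 88231 shipped, tracking 1Z9999",
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding)
```

The vendor's box matched against a list of known values pulled from the databases; this version matches by shape plus checksum, so it also catches data that was never in the list, at the price of the occasional false positive (a Luhn-valid run of digits that is not a card number). Either way the real lesson of the story is the first line of output: the only reason the first hit took 12 seconds is that the device had to boot.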
Re: (Score:2)
It was cheaper to cover it up than to fix all of the systems that were transmitting that data. Likely it was more than just an internal sweep but all of the testing / new hardware / software needed to pull it off.
Re: (Score:2)
The vendor wouldn't have been Acxiom by any chance?
Basically, yeah (Score:4, Interesting)
I got my first job in the industry due to that sort of screw-up. A network administrator was "let go" following a server crash and loss of months' worth of data. The backup system hadn't been working. I was hired shortly thereafter to get things back in order.
Now, that would be the end of the story, except that I was good friends with this administrator. The embarrassing subject of his dismissal didn't come up for about three years, but when it did, and I mentioned my surprise at a fairly intelligent guy allowing backups to lapse for that amount of time, he dug up an e-mail he'd sent to the president of the company, cc'ing the head of HR (who was more or less running the show, for some reason), pointing out the various problems they had - their "server," an old workstation, had been running for two years on a three-month evaluation copy of Windows Server 2000, there were no backup tapes working, and so on. The only excuse they could have had was that the backup thing was buried in a page-long list of serious issues. But when it blew up in their faces, they pinned it on the closest available peon. Assholes.
Re:Basically, yeah (Score:5, Informative)
So... where do I know you from?
You could have described my one and only firing ever, to the word.
Me: "Boss, Beancounter- this backup system is broken and needs to be fixed. here is a cost breakdown for the fix and a loss analysis for failure to fix. It is genius and incorporates existing links and hardware to minimize cost and implement offsite backups for all sites!"
Boss: "Shut up and go fix a printer somewhere."
Fast forward a year- major crash of a POS server. Loss of customer records, $300,000 and 6 months predicted to be spent reconstructing the database from paper records.
Boss: "You are fired for letting this happen."
Me: "...."
Re: (Score:2)
... why did you sue for wrongful termination? I mean, if you had email evidence (as the AC's post indicates) you'd probably have been fine. Nice big severance, etc.
whoops, typo... (Score:2)
Bleh... *why didn't you sue*
I mean, yeah, the US system is absurdly litigation-happy, but refusing to participate in it just gets you run over by it, and that seems to be what happened here.
You don't actually need to file the lawsuit, most likely - just point out that you told them this was coming, and they refused to do anything about it, and that you now hold documentation showing that you were terminated for something that was demonstrably not your fault (your boss's fault, in fact, though that's not nec
I can safely speak for all here (Score:2)
Re: (Score:2)
Happens all the time (Score:3)
This is a frequent occurrence. I used to get upset about it. These days I have seen enough of these exact type of situations blow up that I am content to document my observations, report them to the appropriate people (always a direct supervisor), and then move on with my life. When things blow up, I am covered.
Situations like this are why, although I understand security, I will never work in a security position. There is too much risk and liability, and not enough support.
Here's what happened when I tried (Score:2)
I picked up maintenance of an application that had been built by one of the military business units. For the longest time I couldn't figure out how it was passing user credentials and session state, until I found it all contained in a 2,000 character URL string. That string included the administrator username and password, in plain text.
Instead of being grateful that I raised a red flag on the application security, they tried to insinuate that I was blaming the previous developer. They also insinuated I
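The application in the post above carried the administrator username and password, plus session state, in a 2,000-character URL query string. Anything in a URL ends up in browser history, proxy logs and the web server's own access log, so one cheap control is to scan those access logs for it. The following is an added example, not code from the post or the application it describes: it parses Common Log Format request lines, flags query parameters whose names suggest a credential, flags oversized request targets, and reports only masked values. The sensitive-key list, the length threshold and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed list of query parameter names that should never carry a secret.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "token", "sessionid",
                  "session", "auth", "apikey", "api_key"}
# Assumed threshold; the post's application used a ~2,000-character URL.
URL_LENGTH_LIMIT = 1024

# Request line inside a Common Log Format entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def mask(value):
    """Keep the first and last two characters so an analyst can correlate, not reuse."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def inspect_request_target(target):
    """Return (kind, detail, value) findings for one request target (path?query)."""
    findings = []
    parts = urlsplit(target)
    if len(target) > URL_LENGTH_LIMIT:
        findings.append(("oversized_url", parts.path, len(target)))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append(("secret_in_query", key, mask(value)))
    return findings


def scan_access_log(lines):
    """Scan CLF lines; returns (line_number, request_path, kind, detail, value) tuples."""
    results = []
    for n, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = urlsplit(m.group("target")).path
        for finding in inspect_request_target(m.group("target")):
            results.append((n, path) + finding)
    return results


# Constructed sample log lines; the password value is made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2014:09:12:01 -0600] "GET /app/report?user=admin&password=Winter2014!&page=2 HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Feb/2014:09:12:03 -0600] "GET /app/index.html HTTP/1.1" 200 1024',
    '10.0.0.9 - - [10/Feb/2014:09:12:05 -0600] "POST /app/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

This catches the case in the post (a credential in the query string of a GET) without the scanner itself ever writing the credential back out in clear. It does not see POST bodies, which is exactly why credentials belong in a POST body over TLS, or better in a server-side session keyed by an opaque cookie, rather than in the URL.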
Blown Out of Proportion (Score:3)
No Shit (Score:2)
But what really irks me the testimony [reuters.com] that retailer's CTOs gave before congress.
Neiman Marcus CTO:
"I think what we've learned ... is that just having the tools and technology isn't enough in this day and age," Neiman Marcus Chief Information Officer Michael Kingston told the panel. "These attackers again are very, very sophisticated and they've figured out ways around that."
Translation: "We did everything we possibly could, those hackers are just too damn smart. You should probably pass some laws to make knowing how to hack illegal."
Target CTO on if they knew about the attack before they were notifi
Now You Have an Example to Point to! (Score:2)
Re: (Score:2)
Asking the Wrong Question (Score:2)
Duh... (Score:2)
There will be reports, studies etc. that all pointed to this retarded situation within Target. Cripes, any myopic goofball from Deloitte or Accenture could have spotted the problems from 1000 miles from space, but it just goes to show how stupid management can be, because ultimately it'll wind up on their doorstep. You'll obviously have a few sacrificial lambs too from the cyber-security team and management, and, bad news for other companies, they're probably updating their resumes now. Yes retarded security
this is what you get with outsourcing / contractin (Score:3)
When you have lots of outsourcing / contracting / subcontracting, they don't want to pay the costs of doing stuff right; no, they want fast / cheap.
I quit my job (Score:2)
We had complex installations of Linux servers that were so old that patching them often required a lot of work to be able to compile the fixes.
After a steady flow of layoffs and cut downs, I was no longer able to keep up with even just the maintenance tasks and the list of critical things that needed fixes grew longer. And forget about trying to find time to do proactive things like planning new systems or capacity planning, since I now had to do everything myself.
So I had informed my bosses of the problems
Typical Navy Response (Score:2, Interesting)
As a former US Navy nuclear engineer, I informed management of material and procedural problems related to the nuclear reactor plant on board the USS La Jolla on a weekly basis. Have you ever gone to your boss with a technical manual that perfectly explains the "unexplainable problem" he's having, have him brush you off, and less than a week later that problem destroys a major system, causing millions of dollars in damage and endangering the entire ship? I have. I'm pretty sure none of my complaints were ev
Two ways of looking at it (Score:2)
There's the default way -- self-absorbed managers deliberately ignoring and not understanding security warnings, wanting to keep earning bonuses for all the money they saved, etc.
Then there's the alternate explanation, IT security people seeing threats without any conclusive proof, wanting to spend a metric ton of money, expand their empire and cause a bunch of disruption that might not even accomplish anything but create chaos and complexity.
I've seen both. It's easy to see how this could be a combination
Re: (Score:2)
Default passwords (Score:2)
Years ago I noticed bad default passwords on a professional industry website. Think doctors or bar association, that kind of thing. So basically every one in the country along with their dues payment info and personal profiles are accessible through a simple mangling of their name.
I reported it and was ignored. It's still like that. Professionals indeed.
"bin Laden determined to strike US" (Score:2)
"Alright, you've covered your ass now."
Brushed off? Valentines Day? (Score:2)
Looked for, found, reported, was fired. (Score:2)
I was the responsible IT manager, over all devs, admins, ops and security.
Reviewed all contracts and implementations, upon taking over the job.
Discovered some seriously bad stuff.
Developed plan to *quietly*, discreetly, repair over short time period.
"Rebury the bodies"
Turned out the responsible party was the CEO's favorite, "baby shark".
Got cardboard boxed. Out day after board presentation.
So it goes.
Interesting point:
All of those devs, techs and security people who moan about the lack of management suppo
Criminal charges for management (Score:2)
Liability? (Score:2)
See, this is the problem with companies like Target not having legal liability for such things.
Because if they were legally responsible for it, they couldn't just brush it off, do nothing, and then let millions of credit cards get compromised.
To me, the company should be paying a huge fine for what can really only be called indifferenc
General QA Problem (Score:2)
Re: (Score:2)
I remember one system someone was trying to break into. I was sitting in my office, with a coworker, watching the traffic and everything. Very entertaining. They had walked into our honey pot.
Re: (Score:2)
I've been doing security analysis stuff for close to six years now. And I've got to say this article doesn't surprise me in the least. We'll notify customers for months and years on end about serious and silly flaws in their system. We so rarely see any real effort to fix stuff that it is always shocking when someone actually loads a quarterly patch, even if it is nearly a year out of date. I always have to give a nervous giggle when our leadership brags on how secure our systems are, because one day I know
Re: (Score:2)
You know this isn't going to end well for you, right? You don't think the guys above you are going to pay for the inevitable breach and scandal. Oh no, they will all point the finger at you, and by the time the legal department has finished with you, you'll forget you ever had an asshole that wasn't six inches wide.
Re:Oh boy... Here we go... (Score:4, Informative)
document, document, document. And keep copies where you can get them once you are frog-marched out of the building wearing the scapegoat collar.
Re: (Score:2)
In some environments, keeping documentation of any official communications off-site is a breach of your employment contract.
First, never sign such a contract or work for someone who demands such a thing - you know you can cross that line out and initial it, right?
Second, let 'em try to sue - they'll be too damned busy fending off reporters from major media outlets who won't stop asking why they refused to do something about it after you warned them, and why they're now trying to sue you for it. I know they say no publicity is bad publicity, but there are exceptions where bad publicity will cost them a whole lot more than they ba
Re: (Score:2)
My last job we had a code monkey who was supposed to be some sort of PHP "rock star". He managed to write a program that made it to production that could download any file on the filesystem. He then improved it so that it could delete any file on the filesystem. Because of the decision of another web "rock star", this web server ran as root. The reaction from management? "eh. We get our shiny new data!" I decided then and there that if I wanted to be in a band, I want to work with rock stars. Otherwise, I'd
Re: (Score:2)
Because it involves admitting something is wrong - see also the opposition of the US Nuclear lobby to thorium reactor research for another example of that mindset. The way around it is to find some way of suggesting that an improvement does not in any way imply that there was anything at all wrong with the old way which was implemented by people that will distantly re