Are There Security Risks When Millions are Suddenly Working from Home? (cnn.com)
"The dramatic expansion of teleworking by U.S. schools, businesses and government agencies in response to the coronavirus is raising fresh questions about the capacity and security of the tools many Americans use to connect to vital workplace systems and data," reports CNN:
As of last week the Air Force's virtual private networking software could only support 72,000 people at once, according to a federal contractor who was also not authorized to speak on the record, and telework briefing materials viewed by CNN. The Air Force employs over 145,000 in-house civilian workers, and over 130,000 full-time contractors.
As they increasingly log on from home, Americans are having to meld their personal technology with professional tools at unprecedented scale. For employers, the concern isn't just about capacity, but also about workers introducing new potential vulnerabilities into their routine — whether that's weak passwords on personal computers, poorly secured home WiFi routers, or a family member's device passing along a computer virus.
Long-time Slashdot reader Lauren Weinstein also worries about a world where "doctors switch to heavy use of video office visits, and in general more critical information than ever is suddenly being thrust onto the Internet..." For example, the U.S. federal government is suspending key aspects of medical privacy laws to permit use of "telemedicine" via commercial services that have never been certified to be in compliance with the strict security and privacy rules associated with HIPAA (Health Insurance Portability and Accountability Act).
The rush to provide more remote access to medical professionals is understandable, but we must also understand the risks of data breaches that once having occurred can never be reversed.
Security Risk? Not at all! (Score:5, Funny)
I don't let anybody into my house who doesn't work here, I know them all personally from the mirror.
Re:Security Risk? Not at all! (Score:5, Insightful)
And I suspect that the Corona virus is going to be one of the points in history where the way we live and work changes.
Human life has often changed in leaps even if there's progress in between the leaps.
The main thing is how well you can adapt to changes that occur, but the environment you live in must allow for it too.
Re:Security Risk? Not at all! (Score:5, Interesting)
And I suspect that the Corona virus is going to be one of the points in history where the way we live and work changes.
Yeah, I've been speculating about this to some of my coworkers. While some jobs are unlikely to change (telehealth in particular always seems like a compromise, excepting perhaps for triage, and normally is implemented strictly for monetary purposes), and the many small-minded managers will continue to fight it as before (my boss's boss comes to mind), I am expecting that millions and millions of people are going to figure out "hey, I really can do my job just as well remotely!" and start demanding the right to do exactly that.
Re: Security Risk? Not at all! (Score:5, Interesting)
Re: Security Risk? Not at all! (Score:4, Interesting)
Or a lot of people are about to realize just how nice it is to not be in the same building all the time...
I love my house, where everything I need to live is in one nice, private, large enclosure.
...that they really treasure having people around...
People suck. Period. The less I have to be around them, the better.
...that meetings are better than endless typing...
Having my life constantly interrupted by the very things I'm trying to avoid is not something I find desirable. In the rare case that coworkers have something to offer me that I don't already know, I can email them.
...and that, hey, having a place to do a job where your tools are all in the right place and the space is oriented for doing that job is WAAAAAAY better than being at home.
All of my tools are Open Source, and I have them both at work and at home. At work, I replicated (to the extent possible) the productive environment I have at home. Given workplace legal politics, the work environment is unavoidably more stressful than my home.
Your post just described the clinical insanity of extroversion. Given that I've never had the same desires as extroverts, I find your arguments to be incomprehensible and unrelatable. For the life of me, I have never understood how people can consider any of your bullet points to be in any way desirable (with the possible exception of workplace tools that are not easily replicatable at home).
Re: Security Risk? Not at all! (Score:4, Insightful)
Re: (Score:2)
It really depends on what you're doing, and whether you enjoy it, and if you are functional on your own.
If what you're doing is physical and creative, you may well find that being around a group of others with subtly different tools is a benefit because you can use their tools as well as your own.
For many or even most already computer-related jobs, they are easily done from your sofa with an incredibly inexpensive piece of computing equipment.
Some people also find motivation in a cooperative routine. I've d
Re: Security Risk? Not at all! (Score:1)
This incorrectly assumes that the factors you describe are present in the average office. In truth we have excessive lighting, no control over temperature, shitty cubicles, constant interruptions, and nasty smells. One has to get up at least an hour earlier and lunch prep is at best a filthy shared microwave dripping with nastiness. Plus employment options are limited to who's where you live.
No thanks.
Re: (Score:2)
I am expecting that millions and millions of people are going to figure out "hey, I really can do my job just as well remotely!" and start demanding the right to do exactly that.
I doubt it. Millions and millions of people already know they can do their jobs remotely, and already want to work from home. The problem is that millions and millions of managers fear for their useless jobs, and refuse to relinquish their psychotic need to control other people's lives.
What I expect to happen is that productivity, efficiency, and happiness will go up significantly while we're working from home. After the Coronavirus threat passes, 99.9% of all businesses that authorized work-from-home wi
Re: (Score:2)
Telehealth is actually surprisingly effective. But not in the way you imagine - this is not a doctor consulting you through the phone, but doctors consulting each other through various conferencing means.
It means with the right hookups and hospital to hospital links (and clinic to hospital, etc) suddenly you have an arsenal of specialists everywhere. So a rural hos
Re:Security Risk? Not at all! (Score:4, Insightful)
This is actually pretty likely. Now that remote office capabilities are in place, it's likely that remote working will be a lot more popular. The main thing standing in its way are micro-managing PHBs who fear that it may become obvious that they are generally superfluous and at best not too detrimental to productivity.
Re: (Score:2)
My coworkers and I suspect that when management sees no real dip in productivity and a big dip in office overhead that they'll start to question why they're spending so much money on a giant, old office building that is energy inefficient and in need of a lot of repairs. Our only concern is if they pick an extreme. We don't want to work there everyday, and we don't want to work from home everyday. But we also don't want to hot-desk. I'm not sure what the happy middle is.
Re: Security Risk? Not at all! (Score:2)
Re: (Score:3)
Pair programming is a lot harder when you can't see the other person's facial expressions because the screen is full of code.
Two screens on each end, plus a reasonable video-conferencing tool with the ability to present your screen should address that.
And the endless typing to spell things out that could have just been said in a brief sentence to the team sitting at our desks.
Meh. Where I work people tend to type at each other a lot of the time even when they're sitting right next to each other, so as to keep the communications asynchronous and not break into the other's flow. If enough needs to be said that typing is inefficient, standard practice is to message them and ask if they can talk. Only if and when they reply in the affirmative is it manner
Re: (Score:2)
Over here it's mostly a legal thing that's a limiting factor. For example, "officially" we are not supposed to do more than 49.999% of our work from home since if you work more than 50% of your time from home, your employer is legally required to pay for your home office. I have a hunch that some laws in this area might change soon, though, especially since this was apparently suspended already during the crisis now.
Re: (Score:2)
I just put a biohazard poster on all the doors. This works very well for keeping out the riff-raff.
Re: (Score:1)
so i'm sure there will be sabotage
ISP that force you to use shitty gateway / router (Score:2)
ISP that force you to use shitty gateway / router is an issue as well.
Some cable co's do this as well.
Re:ISP that force you to use shitty gateway / rout (Score:4, Insightful)
If your company laptop can stay safe on a public wireless network in an airport, it will survive your home router. It's called zero trust approach to security, and most IT professionals should be using it. There are other risks when working from home, but insecure routers should be easy to mitigate.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Gonna be a baby boom (Score:3)
... in about 9 months. In 20 years, they'll be called the "Coronials"
Dunno about security risks, but some other things might happen
Re: (Score:2)
Time will tell if the rate goes up or down.
Re: (Score:3)
Down, I imagine. There are so few of us who can maintain a proper personal separation space and still 'get the job done'.
Re: (Score:2)
Hehehe! Priceless. Not surprising that most miss the point ;)
Re:Gonna be a baby boom (Score:5, Funny)
... in about 9 months. In 20 years, they'll be called the "Coronials"
I'm hoping they'll be called "Quaranteens".
Keeping your Windows XP updated (Score:3, Funny)
should keep you pretty safe.
Signs point to yes (Score:5, Insightful)
Are there security risks when [anything]?
VPN? IPv6! (Score:2)
Oh, how much headache would be spared if we moved to IPv6 ....
Re:VPN? IPv6! (Score:4, Informative)
IPv6 was designed to expose all devices directly to the Internet. The NAT setup at least enforces protection from casual scanning, and reduces the risk of household exposed SSH or CIFS sharing.
Re: (Score:2)
IPv6 was designed to expose all devices directly to the Internet. The NAT setup at least enforces protection from casual scanning, and reduces the risk of household exposed SSH or CIFS sharing.
It's 128 bits and 64 of them would typically be yours. So you'd have to scan 2^64 = 1.8446744e+19 addresses to get a reply. The problem is rather the exact opposite, they're likely to assign you an IP and that one's yours forever. No more hiding behind a dynamic IP, everything's linked to your IP forever.
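Added example, not part of any comment in this thread: the 2^64 figure holds only if the low 64 bits (the interface identifier) are unpredictable. This sketch audits a constructed list of your own hosts' addresses, all under the documentation prefix 2001:db8::/32, for identifiers that are not; the function names and category labels are illustrative.

```python
import ipaddress

# Constructed sample: addresses a defender collected from their own hosts.
SAMPLE = {
    "router":  "2001:db8:1:1::1",                    # manually numbered
    "printer": "2001:db8:1:1:211:22ff:fe33:4455",    # SLAAC with MAC-derived ID
    "nas":     "2001:db8:1:1::c0a8:105",             # IPv4 address reused as ID
    "laptop":  "2001:db8:1:1:9c4e:36d1:1a2b:7d10",   # randomised ID
}

def interface_id(addr):
    """Return the low 64 bits of an IPv6 address as an integer."""
    return int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF

def classify_iid(addr):
    """Heuristically classify how the interface identifier was chosen."""
    iid = interface_id(addr)
    raw = iid.to_bytes(8, "big")
    if raw[3:5] == b"\xff\xfe":
        # Modified EUI-64: the MAC address with ff:fe inserted in the middle.
        # (A random ID matches this by chance about once in 65536.)
        return "eui64"
    if iid <= 0xFFFF:
        return "low-byte"     # ::1, ::2, ::53 style manual numbering
    if iid >> 32 == 0:
        return "low-32"       # upper half zero, often an embedded IPv4 address
    return "opaque"           # consistent with RFC 7217 / RFC 8981 identifiers

def mac_from_eui64(addr):
    """Recover the MAC address that a modified EUI-64 identifier discloses."""
    raw = bytearray(interface_id(addr).to_bytes(8, "big"))
    if raw[3:5] != b"\xff\xfe":
        raise ValueError("not a modified EUI-64 identifier")
    raw[0] ^= 0x02            # undo the universal/local bit flip
    mac = raw[:3] + raw[5:]   # drop the inserted ff:fe
    return ":".join(f"{b:02x}" for b in mac)

def audit(hosts):
    """Map each host name to (category, predictable?)."""
    return {name: (classify_iid(a), classify_iid(a) != "opaque")
            for name, a in hosts.items()}

def predictable_hosts(hosts):
    """Names of hosts whose identifier does not rely on the full 64-bit space."""
    return sorted(n for n, (_, bad) in audit(hosts).items() if bad)

if __name__ == "__main__":
    for name, (kind, bad) in audit(SAMPLE).items():
        print(f"{name:8} {kind:9} {'REVIEW' if bad else 'ok'}")
    print("printer MAC disclosed:", mac_from_eui64(SAMPLE["printer"]))
```

Hosts flagged here are candidates for randomised or stable-opaque identifiers; an opaque identifier only makes blind scanning impractical and does not replace inbound filtering at the router.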
Re: (Score:2)
Well, if they're going to do that, the least they can do is also issue crypto certificates that also provide positive ID, so that we don't accept just an IP and a non-unique identifier as proof of identity like we've done with SSNs.
Re: (Score:2)
Please tell me that you're not suggesting that the size of the IPv6 address space provides security through obscurity? Even if your local network setup uses such large segments of the available space, the IP addresses of any devices that you actually use or that "phone home" for updates are detectable by packet sniffing upstream, or packet sniffing from locally rootkitted devices on your local network. Worse, the "internal" IP addresses of your local modem or firewall are exposed unless you're cautious abou
Re: (Score:2)
Re: (Score:2)
I'm not suggesting that a well configured firewall is not superior to mere NAT. But every good modern firewall device or software suite _also_ supports NAT, and with that trivial configuration selection reduces the exposure of your household devices to external probing or attack. It's the first step of configuring a home or business firewall, to segregate internal traffic from external traffic.
Re: (Score:2)
If ipv6 were at all palatable we would have migrated already.
"hi this is tech support. what's your ip address?" (Score:1)
... 15 minutes later..
"no no, f, as in fred, .. yeah. sorry. got a case of the mondays. nope. still not... did you say af.. after the second colon? no.. ok, the third colon.. ? "
Re: (Score:2)
Re: (Score:2)
None whatsoever. An IPv6 VPN is only slightly more inefficient than an IPv4 VPN. Notwithstanding that it is more inefficient, there is otherwise no difference in the "headache" level.
Re: (Score:2)
Re: (Score:2)
If anything, it would increase the security headaches. But I'm very willing to hear your argument.
There's always risk (Score:1)
Re: (Score:2)
Actually, that depends on the security posture of the "personal device" as compared to the "standard baselines of security" for corporate devices.
I will not permit and would not permit, the attachment of corporate devices with their "standard baselines of security" to be directly attached to my personal home network which has much greater "standard baselines for security". (I have a separate network for the filthy guests to attach to). Nor would I permit any of *my* personal devices, which also adhere to
The answer... (Score:2)
Yes, there is
Are there security risks? (Score:5, Insightful)
Yes, absolutely. You even have an example in your summary!
"As of last week the Air Force's virtual private networking software could only support 72,000 people at once, according to a federal contractor who was not authorized to speak on the record."
There's four types of security: physical, hardware, software and people. You can do your best to secure the first three but you'll never fix the fourth.
Re: (Score:1)
Your interpretation is incorrect. A computer system is 100% secure when turned off, and 100% unsecure when turned on. So if you only permit 72,000 people out of 175,000 people to connect to your system, it is 58% secure. If the VPN were "broken" and no one could connect then it would be 100% secure.
The current situation needs to be assessed compreh (Score:2)
Re: (Score:3)
What people massively go to work online is compensation for fear. Some people may be depressed.
Are you kidding? This is my wet dream come true, you spammy sack of shit.
Re: (Score:2)
Sorry, sir, wrong door. This is sensible discussion, paranoid conspiracy is 3 doors down the corridor. You can't miss it, it's labeled "Reddit".
Re: (Score:2)
https://www.engadget.com/2020-03-25-cybersecurity-firm-warns-chinese-spying.html
"This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years," says FireEye.
Re: (Score:1)
Good on China. Maybe we should ALL have our lives visible under the microscope. I am if you are.
Without IP no one starting to manufacture ventilators would get sued. And don't for a minute believe that all progress will screech to a halt if patents go away. People will be as greedy as the government allows. All we know is that PLANNED economies don't work. That's not the same as wealth-limiting ones.
Expect home robbery to drop (Score:2)
Re: (Score:1)
The USAF expected site security to be security no matter what... until it's not.
Time to phone the contractors again and buy some more computer network support.
Risks can be managed (Score:2)
The problem is poor risk management and vulnerability detection/patching. Most corporate VPNs I've used give you unfettered access to the entire network without even checking you're a legitimate client. Just have anyone's login/password and you're in with any network that you want to route through your device.
medical privacy (Score:5, Interesting)
Re:medical privacy (Score:4, Interesting)
It may be nice for you, but as a "person who may be contacted by a clinician" I do not permit FaceTime, Skype, or many other shoddy crap on my network. If you wish to contact me via one of these technologies you are free to provide the devices and network connections on which you intend to provide your services, you shall not be permitted under any circumstance, to use my facilities. Even more than in "normal times" in this "new normal" I cannot afford to have them be infected at your whim.
You may however call on the voice-only telephone using the Public Switched Telephone Network. Provided of course that you do not falsify the "Advertizing ID" (known by the proletariat as Caller ID, even though it has nothing to do with identification of the Caller).
Re: medical privacy (Score:3)
Re: (Score:2)
You seem to have some odd notion that physicians go about forcing medical care on people. That has never been my experience. I think you will find that if you don't contact a physician they won't attempt to diagnose you using software you don't like. If a physician does attempt to offer you their services and you decline, they've got plenty of other people who they can attend to instead.
The notion that they want so badly to treat you that they'll provide you with "devices and network connections" is so absu
Re: (Score:3)
people who have been working in an office for 15 years, and are given a few simple guidelines and regular audits, should be able to take a machine home from work and connect just fine without major security problems. if you don't like home wifi, give them a cellular modem.
This makes no sense. Where I work (or did work) we had remote access to the network via company owned equipment for the last 25 years. That company did not have custom APNs (cellular network) that I am aware of during all that time, and as far as I am aware still does not, in any of the 140 countries in which the company and its affiliates operate. Your solution for "not like WiFi" (aka "Children's Band") is idiotic. The solution is to issue Ethernet Cables.
the modern office is already full of unsecured network devices - that's what cellphones are. yes there is a risk to having them... but banning everyone from having one is generally not done, because nobody would work for you.
Modern Offices which allow cellphones to connect
Re: (Score:2)
Hey, just so you know, there are kids on your lawn. Might want to go have a yell at them.
Re: (Score:2)
What kind of idiot are you? The Internet, since 1994, is a shared entertainment system. It is not and has not since that time been intended for "serious" use.
You're nuts. The Internet is used for every purpose under the sun, including a great deal of "serious" use. I WFH full time, with all of my work meetings, correspondence and work product moved over the Internet, day in and day out. I don't even use a VPN, because those are outmoded [beyondcorp.com] and because the notion that you can actually secure the corporate network from penetration is a pipe dream. The Tao of Network Security is to accept that you cannot secure the network, so you must secure all of the endpoints
Re: (Score:1)
working from home is the whole reason we built the internet in the first place.
Looking at what we ended up with, you'd think it was done for distributing porn
Re: what is the security risk of people dying? (Score:2)
Short answer, yes (Score:5, Interesting)
Long answer "Gee, you think?"
I currently get to see this first hand, and we're generally a VERY security conscious company, with a very security conscious staff and a lot of security training for our personnel. I can only imagine what it's like in a company where "it's for security" isn't the keyword to get any kind of expense approved.
You're dealing with a LOT of people who never worked from home or at the very least have very limited experience with it. So the first thing that gets overwhelmed is your support trying to get these people online. This also means that your support will take any shortcut available to get people moving. With no remorse because, well, fuck security, productivity is at stake! You're also dealing with people who have little security training trying to get online, are waiting for support and try to tinker with their setup, enabling this or that or something else (unfortunately disallowing this is harder than you would think in a lot of VPN software packages) and eventually somehow getting some of the access they want, not knowing what else they opened up in the process.
And I'm still talking about company-issued hard- and software. If they have to get online with their private systems in a BYOD setup, this opens a completely different can of worms on top of that.
Then there's the unfamiliarity and a lot of "this is your IT department speaking" mails that try to get people to compromise their passwords, and this is a time when they would actually respond to this, especially when for some reason they can't get online, which, as aforementioned, is quite possible, with unfamiliar and untested setups and remote access being overwhelmed by the amount of connections.
In other words, did anyone really believe that this is NOT going to be a security hell?
Re: (Score:1)
I spent my career in gov't IT; some of it in support. And I'm the first to admit that some of my clients weren't the sharpest knives in the drawer. But then again, I'd like to see motorist licensing with the same stringency as pilot licensing. But it isn't going to happen. We do the best we can without it.
Re: Short answer, yes (Score:2)
Re: (Score:2)
Depends on your organization.
In mine, over the last 9 months we moved pretty much everyone to laptops, punt a bunch of shit in cloud services, moved phones to Microsoft Teams, and put everything else behind a VPN. And I'm pretty impressed how seamless IT has made that work. They were smart and started with a bunch of us who travel a bit and are at least somewhat tech savvy, and worked out some of the bugs there. On dodgy conference hotel wifi when my network shares were available, I was pretty blown away. F
Re: (Score:2)
Re: (Score:3)
Both terms were coined in 1973 by Jack Nilles: https://en.wikipedia.org/wiki/... [wikipedia.org]
Not that bad (Score:2)
Many people were already occasionally working from home before. Anybody sane was set-up to ramp this up as standard BCM measure. After all, you could have a building-fire or something else that prevents people from working on-site anyways.
Are there security risks... (Score:2)
Let's see, where did I put that picture of a bear in the woods...
Don't click that bad link (Score:1)