
Are There Security Risks When Millions are Suddenly Working from Home? (cnn.com) 95

"The dramatic expansion of teleworking by U.S. schools, businesses and government agencies in response to the coronavirus is raising fresh questions about the capacity and security of the tools many Americans use to connect to vital workplace systems and data," reports CNN: As of last week the Air Force's virtual private networking software could only support 72,000 people at once, according to a federal contractor who was also not authorized to speak on the record, and telework briefing materials viewed by CNN. The Air Force employs over 145,000 in-house civilian workers, and over 130,000 full-time contractors.

As they increasingly log on from home, Americans are having to meld their personal technology with professional tools at unprecedented scale. For employers, the concern isn't just about capacity, but also about workers introducing new potential vulnerabilities into their routine — whether that's weak passwords on personal computers, poorly secured home WiFi routers, or a family member's device passing along a computer virus.

Long-time Slashdot reader Lauren Weinstein also worries about a world where "doctors switch to heavy use of video office visits, and in general more critical information than ever is suddenly being thrust onto the Internet..." For example, the U.S. federal government is suspending key aspects of medical privacy laws to permit use of "telemedicine" via commercial services that have never been certified to be in compliance with the strict security and privacy rules associated with HIPAA (Health Insurance Portability and Accountability Act).

The rush to provide more remote access to medical professionals is understandable, but we must also understand the risks of data breaches that once having occurred can never be reversed.

This discussion has been archived. No new comments can be posted.

  • by nospam007 ( 722110 ) * on Saturday March 21, 2020 @01:34PM (#59857188)

    I don't let anybody into my house who doesn't work here, I know them all personally from the mirror.

    • by Z00L00K ( 682162 ) on Saturday March 21, 2020 @02:04PM (#59857254) Homepage Journal

      And I suspect that the Corona virus is going to be one of the points in history where the way we live and work changes.

      Human life has often changed in leaps even if there's progress in between the leaps.

      The main thing is how well you can adapt to changes that occur, but the environment you live in must allow for it too.

      • by 93 Escort Wagon ( 326346 ) on Saturday March 21, 2020 @02:45PM (#59857366)

        And I suspect that the Corona virus is going to be one of the points in history where the way we live and work changes.

        Yeah, I've been speculating about this to some of my coworkers. While some jobs are unlikely to change (telehealth in particular always seems like a compromise, excepting perhaps for triage, and normally is implemented strictly for monetary purposes), and the many small-minded managers will continue to fight it as before (my boss's boss comes to mind), I am expecting that millions and millions of people are going to figure out "hey, I really can do my job just as well remotely!" and start demanding the right to do exactly that.

        • by Aristos Mazer ( 181252 ) on Saturday March 21, 2020 @07:21PM (#59857990)
          Or a lot of people are about to realize just how nice it is to not be in the same building all the time, that they really treasure having people around, that meetings are better than endless typing, and that, hey, having a place to do a job where your tools are all in the right place and the space is oriented for doing that job is WAAAAAAY better than being at home.
          • by StormReaver ( 59959 ) on Saturday March 21, 2020 @07:51PM (#59858050)

            Or a lot of people are about to realize just how nice it is to not be in the same building all the time...

            I love my house, where everything I need to live is in one nice, private, large enclosure.

            ...that they really treasure having people around...

            People suck. Period. The less I have to be around them, the better.

            ...that meetings are better than endless typing...

            Having my life constantly interrupted by the very things I'm trying to avoid is not something I find desirable. In the rare case that coworkers have something to offer me that I don't already know, I can email them.

            ...and that, hey, having a place to do a job where your tools are all in the right place and the space is oriented for doing that job is WAAAAAAY better than being at home.

            All of my tools are Open Source, and I have them both at work and at home. At work, I replicated (to the extent possible) the productive environment I have at home. Given workplace legal politics, the work environment is unavoidably more stressful than my home.

            Your post just described the clinical insanity of extroversion. Given that I've never had the same desires as extroverts, I find your arguments to be incomprehensible and unrelatable. For the life of me, I have never understood how people can consider any of your bullet points to be in any way desirable (with the possible exception of workplace tools that are not easily replicatable at home).

            • by Aristos Mazer ( 181252 ) on Saturday March 21, 2020 @10:18PM (#59858292)
              I am a pretty strong introvert. Needing a strong internal life does not mean not wanting people ever or not working well with them.
            • It really depends on what you're doing, and whether you enjoy it, and if you are functional on your own.

              If what you're doing is physical and creative, you may well find that being around a group of others with subtly different tools is a benefit because you can use their tools as well as your own.

              For many or even most already computer-related jobs, they are easily done from your sofa with an incredibly inexpensive piece of computing equipment.

              Some people also find motivation in a cooperative routine. I've d

          • This incorrectly assumes that the factors you describe are present in the average office. In truth we have excessive lighting, no control over temperature, shitty cubicles, constant interruptions, and nasty smells. One has to get up at least an hour earlier and lunch prep is at best a filthy shared microwave dripping with nastiness. Plus employment options are limited to who's where you live.

            No thanks.

        • I am expecting that millions and millions of people are going to figure out "hey, I really can do my job just as well remotely!" and start demanding the right to do exactly that.

          I doubt it. Millions and millions of people already know they can do their jobs remotely, and already want to work from home. The problem is that millions and millions of managers fear for their useless jobs, and refuse to relinquish their psychotic need to control other people's lives.

          What I expect to happen is that productivity, efficiency, and happiness will go up significantly while we're working from home. After the Coronavirus threat passes, 99.9% of all businesses that authorized work-from-home wi

        • by tlhIngan ( 30335 )

          telehealth in particular always seems like a compromise, excepting perhaps for triage, and normally is implemented strictly for monetary purposes

          Telehealth is actually surprisingly effective. But not in the way you imagine - this is not a doctor consulting you through the phone, but doctors consulting each other through various conferencing means.

          It means with the right hookups and hospital to hospital links (and clinic to hospital, etc) suddenly you have an arsenal of specialists everywhere. So a rural hos

      • by Opportunist ( 166417 ) on Saturday March 21, 2020 @05:20PM (#59857692)

        This is actually pretty likely. Now that remote office capabilities are in place, it's likely that remote working will be a lot more popular. The main thing standing in its way are micro-managing PHBs who fear that it may become obvious that they are generally superfluous and at best not too detrimental to productivity.

        • My coworkers and I suspect that when management sees no real dip in productivity and a big dip in office overhead that they'll start to question why they're spending so much money on a giant, old office building that is energy inefficient and in need of a lot of repairs. Our only concern is if they pick an extreme. We don't want to work there everyday, and we don't want to work from home everyday. But we also don't want to hot-desk. I'm not sure what the happy middle is.

          • My software team is not taking it so well. The poor bandwidth is just one issue. Pair programming is a lot harder when you can't see the other person's facial expressions because the screen is full of code. And the endless typing to spell things out that could have just been said in a brief sentence to the team sitting at our desks. We have all worked from home occasionally, a few days a month, for years. But having the whole team out indefinitely is not the same.
            • Pair programming is a lot harder when you can't see the other person's facial expressions because the screen is full of code.

              Two screens on each end, plus a reasonable video-conferencing tool with the ability to present your screen should address that.

              And the endless typing to spell things out that could have just been said in a brief sentence to the team sitting at our desks.

              Meh. Where I work people tend to type at each other a lot of the time even when they're sitting right next to each other, so as to keep the communications asynchronous and not break into the other's flow. If enough needs to be said that typing is inefficient, standard practice is to message them and ask if they can talk. Only if and when they reply in the affirmative is it manner

          • Over here it's mostly a legal thing that's a limiting factor. For example, "officially" we are not supposed to do more than 49.999% of our work from home since if you work more than 50% of your time from home, your employer is legally required to pay for your home office. I have a hunch that some laws in this area might change soon, though, especially since this was apparently suspended already during the crisis now.

    • I just put a biohazard poster on all the doors. This works very well for keeping out the riff-raff.

    • heh heh, i think the biggest threat is the realization that half that lower management scum wasn't needed after all for all those decades since things work out fine this way ...
      so i'm sure there will be sabotage ...
  • ISPs that force you to use a shitty gateway / router are an issue as well.
    Some cable co's do this as well.

  • by inode_buddha ( 576844 ) on Saturday March 21, 2020 @01:39PM (#59857204) Journal

    ... in about 9 months. In 20 years, they'll be called the "Coronials"
    Dunno about security risks, but some other things might happen

  • by tofleplof ( 2214032 ) on Saturday March 21, 2020 @01:50PM (#59857228)

    should keep you pretty safe.

  • Signs point to yes (Score:5, Insightful)

    by Kohath ( 38547 ) on Saturday March 21, 2020 @02:11PM (#59857270)

    Are there security risks when [anything]?

  • ...virtual private networking software ...

    Oh, how much headache would be spared if we moved to IPv6 ....

    • Re:VPN? IPv6! (Score:4, Informative)

      by Antique Geekmeister ( 740220 ) on Saturday March 21, 2020 @03:06PM (#59857424)

      IPv6 was designed to expose all devices directly to the Internet. The NAT setup at least enforces protection from casual scanning, and reduces the risk of household exposed SSH or CIFS sharing.

      • by Kjella ( 173770 )

        IPv6 was designed to expose all devices directly to the Internet. The NAT setup at least enforces protection from casual scanning, and reduces the risk of household exposed SSH or CIFS sharing.

        It's 128 bits and 64 of them would typically be yours. So you'd have to scan 2^64 = 1.8446744e+19 addresses to get a reply. The problem is rather the exact opposite, they're likely to assign you an IP and that one's yours forever. No more hiding behind a dynamic IP, everything's linked to your IP forever.

        • Well, if they're going to do that, the least they can do is also issue crypto certificates that also provide positive ID, so that we don't accept just an IP and a non-unique identifier as proof of identity like we've done with SSNs.

        • Please tell me that you're not suggesting that the size of the IPv6 address space provides security through obscurity? Even if your local network setup uses such large segments of the available space, the IP addresses of any devices that you actually use or that "phone home" for updates are detectable by packet sniffing upstream, or packet sniffing from locally rootkitted devices on your local network. Worse, the "internal" IP addresses of your local modem or firewall are exposed unless you're cautious abou

          • by Bengie ( 1121981 )
            Most NAT provides less protection than a firewall. Most NAT implementations on customer grade routers are misconfigured or are some really old version with bugs that allow bi-directional natting, where an external device can NAT into your LAN and pretend to be a local device. NAT can many times be used to by-pass firewalls. NAT is mostly just security theatre.
            • I'm not suggesting that a well configured firewall is not superior to mere NAT. But every good modern firewall device or software suite _also_ supports NAT, and with that trivial configuration selection reduces the exposure of your household devices to external probing or attack. It's the first step of configuring a home or business firewall, to segregate internal traffic from external traffic.

    • If ipv6 were at all palatable we would have migrated already.

    • ... 15 minutes later..

      "no no, f, as in fred, .. yeah. sorry. got a case of the mondays. nope. still not... did you say af.. after the second colon? no.. ok, the third colon.. ? "

      • by rastos1 ( 601318 )
        If only there was some naming system that would translate the numbers to an easy-to-pronounce name ...
    • None whatsoever. An IPv6 VPN is only slightly more inefficient than an IPv4 VPN. Notwithstanding that it is more inefficient, there is otherwise no difference in the "headache" level.

    • If anything, it would increase the security headaches. But I'm very willing to hear your argument.

  • Export of IP is a risk. Using personal devices introduces more risk too when standard baselines of security are not enforced.
    • Actually, that depends on the security posture of the "personal device" as compared to the "standard baselines of security" for corporate devices.

      I will not permit and would not permit, the attachment of corporate devices with their "standard baselines of security" to be directly attached to my personal home network which has much greater "standard baselines for security". (I have a separate network for the filthy guests to attach to). Nor would I permit any of *my* personal devices, which also adhere to

  • Yes, there is

  • by DontBeAMoran ( 4843879 ) on Saturday March 21, 2020 @02:25PM (#59857308)

    Are there security risks when millions are suddenly working from home?

    Yes, absolutely. You even have an example in your summary!

    "As of last week the Air Force's virtual private networking software could only support 72,000 people at once, according to a federal contractor who was not authorized to speak on the record."

    There's four types of security: physical, hardware, software and people. You can do your best to secure the first three but you'll never fix the fourth.

    • Your interpretation is incorrect. A computer system is 100% secure when turned off, and 100% unsecure when turned on. So if you only permit 72,000 people out of 175,000 people to connect to your system, it is 58% secure. If the VPN were "broken" and no one could connect then it would be 100% secure.

  • The current situation needs to be assessed comprehensively. Many people are in packs that they can be left without a job and without income. Everyone has families and running costs, loans, etc. What people massively go to work online is compensation for fear. Some people may be depressed. Dissatisfaction in life can lead to the use of alcohol and other stimulant drugs. It could be drugs. If you or someone you know has experienced this problem and you need help you can turn to drug and alcohol hotlines http [addictionresource.com]
    • What people massively go to work online is compensation for fear. Some people may be depressed.

      Are you kidding? This is my wet dream come true, you spammy sack of shit.

  • Also expect increased divorce rate soon, more child abuse cases, and the coming Corona Babies due this winter.
  • The problem is poor risk management and vulnerability detection/patching. Most corporate VPNs I've used give you unfettered access to the entire network without even checking you're a legitimate client. Just have anyone's login/password and you're in with any network that you want to route through your device.

  • medical privacy (Score:5, Interesting)

    by jds91md ( 2439128 ) on Saturday March 21, 2020 @04:50PM (#59857642)
    I'm a physician. The temporary suspension of HIPAA confidentiality requirements is a godsend. Now clinicians can use FaceTime, Skype, or whatever to reach patients in their homes so much more effectively than telephone, and let's face it, with similar security risks. I'd prefer not to use my personal iPhone to reach patients, but if it enables me to see a sick child's chest to assess breathing, or see a rash, or see body language and expressions as I counsel someone on a plan, or if it lets the psychotherapists we employ continue psychotherapy with patients in need now more than ever, I'm all for it.
    • Re:medical privacy (Score:4, Interesting)

      by Retired ICS ( 6159680 ) on Saturday March 21, 2020 @05:27PM (#59857706)

      It may be nice for you, but as a "person who may be contacted by a clinician" I do not permit FaceTime, Skype, or many other shoddy crap on my network. If you wish to contact me via one of these technologies you are free to provide the devices and network connections on which you intend to provide your services, you shall not be permitted under any circumstance, to use my facilities. Even more than in "normal times" in this "new normal" I cannot afford to have them be infected at your whim.

      You may however call on the voice-only telephone using the Public Switched Telephone Network. Provided of course that you do not falsify the "Advertizing ID" (known by the proletariat as Caller ID, even though it has nothing to do with identification of the Caller).

      • You seem to have some odd notion that physicians go about forcing medical care on people. That has never been my experience. I think you will find that if you don't contact a physician they won't attempt to diagnose you using software you don't like. If a physician does attempt to offer you their services and you decline, they've got plenty of other people who they can attend to instead.

        The notion that they want so badly to treat you that they'll provide you with "devices and network connections" is so absu

  • Short answer, yes (Score:5, Interesting)

    by Opportunist ( 166417 ) on Saturday March 21, 2020 @05:33PM (#59857718)

    Long answer "Gee, you think?"

    I currently get to see this first hand, and we're generally a VERY security conscious company, with a very security conscious staff and a lot of security training for our personnel. I can only imagine what it's like in a company where "it's for security" isn't the keyword to get any kind of expense approved.

    You're dealing with a LOT of people who never worked from home or at the very least have very limited experience with it. So the first thing that gets overwhelmed is your support trying to get these people online. This also means that your support will take any shortcut available to get people moving. With no remorse because, well, fuck security, productivity is at stake! You're also dealing with people who have little security training trying to get online, are waiting for support and try to tinker with their setup, enabling this or that or something else (unfortunately disallowing this is harder than you would think in a lot of VPN software packages) and eventually somehow getting some of the access they want, not knowing what else they opened up in the process.

    And I'm still talking about company-issued hard- and software. If they have to get online with their private systems in a BYOD setup, this opens a completely different can of worms on top of that.

    Then there's the unfamiliarity and a lot of "this is your IT department speaking" mails that try to get people to compromise their passwords, and this is a time when they would actually respond to this, especially when for some reason they can't get online, which, as aforementioned, is quite possible, with unfamiliar and untested setups and remote access being overwhelmed by the amount of connections.

    In other words, did anyone really believe that this is NOT going to be a security hell?

    • I spent my career in gov't IT; some of it in support. And I'm the first to admit that some of my clients weren't the sharpest knives in the drawer. But then again, I'd like to see motorist licensing with the same stringency as pilot licensing. But it isn't going to happen. We do the best we can without it.

    • Depends on your organization.

      In mine, over the last 9 months we moved pretty much everyone to laptops, punt a bunch of shit in cloud services, moved phones to Microsoft Teams, and put everything else behind a VPN. And I'm pretty impressed how seamless IT has made that work. They were smart and started with a bunch of us who travel a bit and are at least somewhat tech savvy, and worked out some of the bugs there. On dodgy conference hotel wifi when my network shares were available, I was pretty blown away. F

  • Comment removed based on user account deletion
  • Many people were already occasionally working from home before. Anybody sane was set-up to ramp this up as standard BCM measure. After all, you could have a building-fire or something else that prevents people from working on-site anyways.

  • Let's see, where did I put that picture of a bear in the woods...

  • Yes, there are many security issues from working from home but the biggest is a phishing link that steals your password or installs malicious software. On top of that there is also the risk of employee data breach or data leakage. We have been using xsurflog which works for us as we use a lot of cloud services: https://xsurflog.com/web_security.php [xsurflog.com] BTW Asking employees to "Not click on bad links" doesn't work based on our experience and the statistics of people clicking on bad links.
