Saturday, October 27, 2012

South Carolina Government Cracked -- SSN's and Credit Cards Stolen

This type of thing is becoming all too common: some entity (whether it be corporate or government) does a lousy job of securing its machines, ends up getting cracked, and then complains about how unfair it all is.  This is what is happening now in South Carolina after it was discovered earlier this week that a state agency was hacked.  It turns out that millions of South Carolina's residents have had their SSN's and credit card numbers stolen.

Governor Nikki Haley held a press conference to discuss the breach.  She said:

"This is not a good day for South Carolina," said Governor Nikki Haley. "South Carolina has come under attack by an international hacker."

Notice how she makes sure to mention that it was an "international hacker."  No, it could never be some bored kid in Ohio who pulled off this "masterful" hack.  Such a person could never bounce the attack off of half a dozen proxies around the world in order to cover his tracks.  Nah.  Never happens.  It must have been the Chinese or the Russians -- you know they are very interested in South Carolina's secrets.

The article continues:

State officials revealed Friday that someone in a foreign country gained access to the South Carolina Department of Revenue's website and a server was breached for the first time in late August. 387,000 credit and debit card numbers and 3.6 million social security numbers, all unencrypted, have been exposed.

All unencrypted, eh?  Why is that surprising?  I expected more from South Carolina's crack cyber-security team.

Haley continues talking tough:

Haley said she knows where the attack came from, but would not reveal the location of the hacker so the investigation would not be put in jeopardy. "I want this person slammed against the wall," said Haley. "I want that man just brutalized."

How does she know a man was responsible?  IP addresses do not have a gender.  She is a female governor, so I would assume she is not implying that women are incapable of such "sophisticated" attacks?  There is no glass ceiling in computer crime!

And suggesting the hacker (if caught) be "brutalized" doesn't sound like rhetoric one expects from a leader in her position. The last I checked, this isn't Saudi Arabia.  In this country, we try suspected criminals in front of a jury of his/her peers and, if convicted, send them to prison.  We don't "brutalize" them (no matter what Nancy Grace wants).

Instead of taking her anger out on the criminal, perhaps she could direct some of it towards the lousy job the state of South Carolina is doing with cyber-security.  Financially motivated cyber-attacks are usually crimes of opportunity; they are going to happen as long as there are insecure networked computers storing sensitive financial information.  If you leave a Mercedes unlocked in the middle of L.A., you can bet the stereo (if not the car itself) will be stolen before sundown. So, why should we expect cyber-crime to be any less opportunistic?  If this were 1995 I might understand such security ignorance and complacency, but in 2012 it's hard to fathom.

Having unencrypted SSN's and debit card numbers on machines connected to the Internet is inexcusable.  Indeed, I would argue that having any sensitive information on networked computers is irresponsible, but I realize air-gapping such machines is not always feasible due to entities like the state of South Carolina needing to take Internet payments.  Nonetheless, where possible, sensitive machines should be air-gapped.
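For the "all unencrypted" point above, here is what field-level encryption at rest looks like in practice. This is an added example written for this post, not code from the South Carolina Department of Revenue or any system the article describes. It uses Go's standard-library AES-GCM; the `Vault`, `Record`, `Seal`, `Open` and `MaskSSN` names are hypothetical, the 32-byte key is a constructed in-memory demo key (a real deployment would fetch it from a KMS or HSM, never store it beside the data), and the customer ID is bound to each ciphertext as associated data so a blob lifted from one row cannot be replayed into another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Record is the shape of one stored row: the SSN exists only as ciphertext.
// A database dump of these rows yields nothing usable without the key.
type Record struct {
	CustomerID string
	SSNCipher  []byte // nonce || AES-GCM ciphertext || tag
}

// Vault wraps the data-encryption key. Hypothetical type for this example.
type Vault struct {
	aead cipher.AEAD
}

// NewVault accepts a 16-, 24- or 32-byte AES key.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts plaintext with a fresh random nonce and binds it to the
// customer ID as associated data, so the ciphertext only opens for that row.
func (v *Vault) Seal(customerID, plaintext string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := v.aead.Seal(nil, nonce, []byte(plaintext), []byte(customerID))
	return append(nonce, ct...), nil
}

// Open reverses Seal. It fails if the blob was truncated, tampered with,
// or copied from a row belonging to a different customer.
func (v *Vault) Open(customerID string, blob []byte) (string, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(customerID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MaskSSN is what reports and screens should display: last four digits only.
func MaskSSN(ssn string) string {
	if len(ssn) < 4 {
		return "***-**-****"
	}
	return "***-**-" + ssn[len(ssn)-4:]
}

func main() {
	// Constructed demo key generated at startup; production loads it from a KMS/HSM.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample row with a made-up SSN.
	rec := Record{CustomerID: "cust-001"}
	rec.SSNCipher, err = v.Seal(rec.CustomerID, "123-45-6789")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %s -> %s\n", rec.CustomerID, hex.EncodeToString(rec.SSNCipher))

	ssn, err := v.Open(rec.CustomerID, rec.SSNCipher)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted for an authorized caller:", MaskSSN(ssn))

	// The same blob copied under another customer's ID is rejected.
	if _, err := v.Open("cust-002", rec.SSNCipher); err != nil {
		fmt.Println("cross-record replay rejected:", err)
	}
}
```

The design point is separation: the web server that takes payments needs the key only long enough to seal a field, while the database and its backups hold ciphertext alone, so a breach of the storage tier (the scenario in the article) does not by itself expose 3.6 million numbers.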

Haley said that all South Carolina residents affected will be given a free year of credit monitoring protection.  Besides not being very effective, this idea is going to be expensive (but will gladly be covered by the taxpayers, of course).  That's sort of like having your home burglarized and having the alarm company tell you "No worries, we have you covered -- just give us an extra $100 and we will go search the local pawn shops for your stuff."

At the very least, perhaps this incident will send a message to the government and private businesses that handle consumer information -- stop fucking around and secure your Swiss cheese Windows boxes.

It might turn out that the breach really was perpetrated by someone from abroad.  These people realize that the chances of apprehension and prosecution are pretty slim, so they can act with a sense of impunity.  The answer is not to waste time with law enforcement resources, but to put most of the money and effort in prevention.  It only takes an ounce of it, but it seems like the state of South Carolina didn't even give their residents a gram.

1 comment:

  1. Government needs to take serious steps for these security breaches as they are increasing. Sad for the people of South Carolina.