Has the war started here?

Just another lack in security... I worked for a small company a couple years ago and 1st thing I said was "that's all you have to do to get into the servers?" They were confident security was fine, has been for years... 3 months later - ransomware attack and they were very lucky the source code was backed up offline but 3 terabytes of historical data and the setup files to create an executable version of the software were zapped.
The amount of ignorance and greenness paired with a massive resistance to advice within corporate floors is always amazing...
All it takes is someone plugging a not-screened thumb drive into an office PC, clicking on a dubious link/attachment in a SPAM mail...
(and then there are those folks laughing at me over running security software on my smart TV and the phone...)

And what actually hits the headlines is barely the tip of the iceberg...
 
Better than inflicting the death penalty is holding CEOs etc responsible for not using adequate security measures for protecting their and our data. There have been tons of data breaches and we find out about them months or more likely years later.

Hacking for data and ransomware won't just go away on their own. There's a data breach and when we're finally notified we get a year of credit monitoring for free. There is no accountability. Corporations amass data and become targets for hacking or ransomware. Suddenly no one but the criminal has any culpability. I'm "victim" blaming and rightly so. Failure to implement countermeasures should come at a price.
Who decides what "adequate" security is? The company my wife used to work for was hit for millions. What do they do? Customer Service and Billing Software! Wife was a project manager and was very connected to the IT people. They were amazed that it happened as their security was thought to be the very best they could get.

Your solution is penalizing the victim. Someone broke into your house? It was locked? Well, why didn't you have a deadbolt? Or two deadbolts? Your locked car was broken into? Why wasn't it parked in a locked garage? Where does that end?
 
Well, we could all leave our doors unlocked if everyone was honest and had integrity... THAT's the problem and it always has been since the beginning of time... best you can do is try to protect yourself, but it's not perfect.
 
And that's the point, is it not? What or who determines how much "enough" security is adequate? I am lucky enough to live in a place where I could leave my house unlocked, keys in cars, etc. Break-ins are unheard of. I don't tempt fate however with the direction the world seems to be going.
 
Moving target... when enough is enough, a hacker figures out how to get past it, then enough needs to be updated... so why your phone/computer gets constant updates along with your virus software.
 
Not to sound paranoid, but there are dishonest people everywhere looking for an opportunity to steal from you. Sad, but true.

A purse left unguarded in a supermarket, an unlocked door on your car, an open garage, an elderly person on a sidewalk, a swarm at a jewelry store. Every profession has its share of crooks, and why would IT be any different. In particular, internet access means the thief can steal from unsuspecting and careless victims from half a world away and the risk of capture is virtually nil.

Over and above regular crooks, nation states are involved and they have the time and funding to hire the best hackers and deploy enormous resources to disrupt western businesses as well as to generate revenue.

I think hackers have a number of ways to infiltrate business systems and most exploit systems running older software, software not updated on a regular basis, poorly designed or utilized firewalls and sloppy users who take shortcuts with their passwords.

As individuals all we can do is to use a password manager to generate relatively tough to crack passwords, keep our OS updated, use antivirus software, stay away from dodgy web pages and never click on files or URL links in emails unless you are dead certain the source is safe.

Businesses have to do the same degree of due diligence and make certain backups of the OS, applications and data are done regularly and kept offsite and offline.
 
One of the insurers I did work for got held for ransom last year, cost them a pretty penny I understand. You would think a sophisticated company would have adequate safeguards. Not sure if it was lack of adequate security as per Mellow's example, or if the hackers were just that good. Neither is a palatable option.
Unfortunately, criminal behavior and lack of preventative actions feed $$$$$ to only one group. Penalties for both groups are terribly inadequate.
 
There were a couple mentions about completing surveys, and using thumb drives. They open our personal data up far more easily than a hacker bringing down a company's servers. Here's something that has bothered me for months.

I own a BMW XR. There's a "Connected App" built into each bike. As far as motorcycle eye candy goes that whole TFT and its software are top notch. But there's this one little niggling thing that bothers me. It wants to know my location.

Well your first response is, that's great! One of the screens is for Navigation. I can get a map of my route on my smartphone and textual directions on the screen that change as you get closer to your next turn. But it wants that access all the time. Not just when you're using the app, but all the time. At 2:30 in the morning, it is asking my phone where I am. That means when I go to Ace Hardware in my car, it knows where and when I go. When I go to Freddie's for grocery shopping, it knows where and when I went. And if it could still get a signal inside the store, it would know which departments I shopped in. Even though my XR is miles away in the garage, not running, and the Connected app is supposedly not running on my phone.

But if I bring it up on that BMW XR community, the responses are like "what are you worrying about?". Staying out of the politics on this, Bank of America freely gave all the info they had on their credit card purchases on the days around January 6th to the DOJ. No subpoena needed. And the info BoA had was extensive enough that the DOJ used that to determine if you were in the area.

Another, and unlikely situation to anticipate. I'm losing my hearing enough that I tried some OTC Costco hearing aids. The brand is Lexie. Anyway, the app to control the hearing aids won't connect to hearing aids unless you activate location. Huh?! Why do you need to know that I'm watching TV at night. Or out mowing my grass?

Luckily, I can turn the permissions for location tracking off on both the BMW app and the Lexie app. With the BMW app, it just doesn't give me Navigation. With the Lexie app, you can still control volume without the app. So when the situation passes where I need the apps, I turn them off. But how many will do this?

There was a time when I didn't worry about these things. About the time I didn't worry about leaving my doors unlocked and going away for the weekend. But there is big money involved in your data -- enough that moral and ethical questions get tossed out the door, and the conversation is more about how they can use this...in some cases against you.

Chris
 
I agree with all that, Chris.
Reminds me of this gem:

The answer is, ...money.
Now, what was the question?

Why is it that Google offers so much, and so many services ..."for free"? Because Google wants information about all of us.

Estimates are, that Google has approximately 70 Million data points about the average American. (And it could be it was "billion", I'm not sure, so I rounded down.)
 
If they can schedule a bankruptcy auction to sell Graceland out from under Elvis’ grand-daughter, then they can hack almost anything. When the perp was located (overseas) he admitted that he stole from estates, as his livelihood.

John
 
Another, and unlikely situation to anticipate. I'm losing my hearing enough that I tried some OTC Costco hearing aids. The brand is Lexie. Anyway, the app to control the hearing aids won't connect to hearing aids unless you activate location. Huh?! Why do you need to know that I'm watching TV at night. Or out mowing my grass?
My Oticon Companion app has a locate feature if I lose or leave one or both of them somewhere.

I can control whether location is on all the time, only when the app is active, or off all the time.

Of course, the locate feature only works when location is on, and I don't always keep the app on.
 
I'm on my second round of free Credit monitoring services.... First time was the DoD data breach in the 20-teens, this time a parent company of a pharmaceutical company I used to get an Rx from.

Around 2015 I got a call from Chase Bank telling me about some odd activity on my card, which was very odd since I didn't have a Chase card. They informed me that I applied for and received one less than 15 days prior...of course I didn't apply at all. I called the credit monitoring people and they set a couple of things in motion but I still had to do a LOT of leg work.

The toughest thing was getting a police report. I live in a rural area with a small Sheriff's dept. and the (chief) deputy I was put in contact with said "I don't know you and don't know if you just had a big weekend and now regret it or what". I provided a contact number for Chase Bank and he responded with "This could be your buddy who is waiting on my call", so I provided the web link for their fraud dept. and he responded with "this could be a site you've set up"....never tried the number or checked the site. It took almost a month to finally catch the Sheriff in his office and he rolled his eyes about that deputy, apologized, and wrote me a report.

What really annoyed me was that Chase wouldn't reveal the address where the card had been sent. I asked if it was local to me, they wouldn't answer. I'm 99% sure it was my sister and/or her husband but I have no proof. (She has a history, trust me)

The most valuable thing I did after sorting it all out (which took around 8 months) was to freeze my credit. I stopped receiving a LOT of junk mail, including pre-screened credit card offers and so on. If I wanted to borrow money, I have a 10 digit pin and other info for each credit bureau that has to be used before I can successfully apply and I don't intend to use those pins.
 
Freezing your credit is one of the most important things to do. I signed the papers on my new XR yesterday and the credit bureau wouldn't give a credit score till I released the freeze. No credit report, no purchase.

Doctor offices say they must have your SSAN. Not just the last four digits, but the whole thing. I tell them no, and life goes on just fine. One less source for my data to be stolen.

I can't do much about the big corporations getting broken into, but I can try to limit my own personal bad habits that make stealing my identity easy.

Chris
 
Not to sound paranoid, but there are dishonest people everywhere looking for an opportunity to steal from you. Sad, but true.

A purse left unguarded in a supermarket, an unlocked door on your car, an open garage, an elderly person on a sidewalk, a swarm at a jewelry store. Every profession has its share of crooks, and why would IT be any different. In particular, internet access means the thief can steal from unsuspecting and careless victims from half a world away and the risk of capture is virtually nil.

Over and above regular crooks, nation states are involved and they have the time and funding to hire the best hackers and deploy enormous resources to disrupt western businesses as well as to generate revenue.

I think hackers have a number of ways to infiltrate business systems and most exploit systems running older software, software not updated on a regular basis, poorly designed or utilized firewalls and sloppy users who take shortcuts with their passwords.

As individuals all we can do is to use a password manager to generate relatively tough to crack passwords, keep our OS updated, use antivirus software, stay away from dodgy web pages and never click on files or URL links in emails unless you are dead certain the source is safe.

Businesses have to do the same degree of due diligence and make certain backups of the OS, applications and data are done regularly and kept offsite and offline.
Problem with password managers is, if the manager is hacked with the master password, they have everything.
 
A YubiKey can be added to a password manager for best results. The physical key must be plugged in before the password manager can be accessed with the master password....it's not perfect but it's the best solution I know of right now unless you tote around a physical notebook. Between work and home I have somewhere around 150 accounts and passwords so I use a manager and a YubiKey.
 
A very simple method is an app like Password Manager for Android. The benefit here, is it can't be accessed online or by the computer you're using. Put in the master password and go to the entry for the website you're looking for.

Lose your phone, and the passwords are still safe without that master password.

Chris
 
I'm old fashioned. I have a master password list, written down, at home. I only access financial stuff through ONE computer, and only twice a month. I minimize how many times I use any electronic login for anything financial. I never use a debit card. Zero social media. Etc. Etc.
 
Problem with password managers is, if the manager is hacked with the master password, they have everything.

True, but I safeguard against that by having a strong p/w for the p/w manager + I use 2 factor authentication for critical sites, like my online bank account.

An individual can only do so much. Like most theft deterrents (locks, grates, vicious dogs etc....) a very determined thief will prevail, but most will move on to easier targets as there are plenty around.
 