(MSNBC) How much can bad computer security really cost? How about $13 million. In cash. In one day (msnbc.msn.com)

8239 clicks; posted to Geek on 27 Aug 2011 at 9:50 PM



 
2011-08-27 06:33:18 PM
How much can bad computer security really cost?

Let's ask Norton.
 
2011-08-27 06:45:17 PM
I was gonna post something snarky, but I got nothing. So here

[granthestonfitness.com image 480x240]
[img122.imageshack.us image 640x355]
[i43.photobucket.com image 355x266]
 
2011-08-27 06:47:48 PM
ArkAngel: I was gonna post something snarky, but I got nothing. So here

I was, too.

But I got distracted.
 
2011-08-27 06:54:50 PM
ArkAngel: I was gonna post something snarky, but I got nothing. So here

[granthestonfitness.com image 480x240]
[img122.imageshack.us image 640x355]
[i43.photobucket.com image 355x266]


body double or ass pads plus she has fried egg tits anyway and before you ask my gf's a superdupermodel.
 
2011-08-27 07:08:17 PM
Sounds like crime pays pretty good if you're good at what you do.
 
2011-08-27 07:13:37 PM
Wow, I'm impressed. Seriously
 
2011-08-27 07:14:55 PM
[www.thinkspace.com image]
 
2011-08-27 08:03:14 PM
That is much more impressive than just doing it for the lulz.
 
2011-08-27 08:10:12 PM
They are a public company. Fidelity National Information Services trades as FIS.

They sell banking software. If this report is true, then we are so screwed.

Should liven things up a bit at their Risk Oversight Summit in Washington. They are going to teach banks how to implement risk oversight policies.

What a joke.
 
2011-08-27 08:28:26 PM
Chances very high with a processor like that that it was social engineering rather than hacking.
 
2011-08-27 08:31:41 PM
Nice work.

I thought ATMs had safeguards on them so if the usage pattern changes past a certain threshold, even if no error is detected, the machine goes "out of order" until a human can look into things.

It should know when it's being emptied out.
 
2011-08-27 09:54:32 PM
vossiewulf: social engineering

When I was a kid we just called it "CRIME"
 
2011-08-27 10:10:46 PM
I guess somebody got sick of filing TPS reports and working on Saturdays.
 
2011-08-27 10:17:01 PM
Unless the fraud protection systems were bypassed I'd suggest someone needs to consider detecting whether multiple card present transactions occurring in a short period of time from places 1500+ miles apart is logical.
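
The two checks suggested in the comments above (an ATM that notices it is being emptied, and card-present use from places too far apart to be one cardholder), sketched as an added example that is not part of the original thread. It generalizes "1500+ miles apart" to an implied travel speed; every threshold, field name and sample transaction below is a constructed assumption.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8
MAX_PLAUSIBLE_MPH = 600.0            # assumed: roughly airliner speed
MIN_MILES = 50.0                     # assumed: ignore hops between nearby terminals
ATM_WINDOW = timedelta(minutes=30)   # assumed rolling window per terminal
ATM_WINDOW_LIMIT = 5000              # assumed: dollars dispensed per window


@dataclass(frozen=True)
class Txn:
    ts: datetime
    card: str
    terminal: str
    lat: float
    lon: float
    amount: int


def miles_between(a: Txn, b: Txn) -> float:
    """Great-circle (haversine) distance between two terminals."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


def impossible_travel(txns, max_mph=MAX_PLAUSIBLE_MPH, min_miles=MIN_MILES):
    """Return (card, earlier, later, miles, mph) for consecutive card-present
    uses of one card that no single cardholder could have made."""
    last_seen = {}
    alerts = []
    for t in sorted(txns, key=lambda x: x.ts):
        prev = last_seen.get(t.card)
        if prev is not None:
            miles = miles_between(prev, t)
            hours = (t.ts - prev.ts).total_seconds() / 3600
            # Same-second use in two distant places counts as infinite speed.
            mph = miles / hours if hours > 0 else float("inf")
            if miles > min_miles and mph > max_mph:
                alerts.append((t.card, prev, t, miles, mph))
        last_seen[t.card] = t
    return alerts


def atm_drain(txns, window=ATM_WINDOW, limit=ATM_WINDOW_LIMIT):
    """Return {terminal: timestamp} for the first moment each terminal's
    rolling-window cash total exceeds the limit, whatever cards were used."""
    recent = defaultdict(deque)
    totals = defaultdict(int)
    tripped = {}
    for t in sorted(txns, key=lambda x: x.ts):
        q = recent[t.terminal]
        q.append(t)
        totals[t.terminal] += t.amount
        # Drop withdrawals that have aged out of the window.
        while q[0].ts < t.ts - window:
            totals[t.terminal] -= q.popleft().amount
        if totals[t.terminal] > limit and t.terminal not in tripped:
            tripped[t.terminal] = t.ts
    return tripped


def _t(hhmm, card, terminal, lat, lon, amount):
    ts = datetime.strptime("2000-01-01 " + hhmm, "%Y-%m-%d %H:%M")
    return Txn(ts, card, terminal, lat, lon, amount)


# Constructed sample data: city-centre coordinates stand in for terminal locations.
NYC = (40.7128, -74.0060)
LA = (34.0522, -118.2437)
BOS = (42.3601, -71.0589)
SAMPLE = [
    _t("12:00", "card-A", "atm-nyc-1", *NYC, 500),
    _t("12:20", "card-A", "atm-la-1", *LA, 500),    # coast to coast in 20 minutes
    _t("09:00", "card-B", "atm-nyc-2", *NYC, 200),
    _t("14:00", "card-B", "atm-bos-1", *BOS, 200),  # plausible drive, no alert
] + [
    # Seven different cards pulling $800 each from one machine in seven minutes.
    _t(f"13:{m:02d}", f"card-{m}", "atm-nyc-3", *NYC, 800) for m in range(1, 8)
]

if __name__ == "__main__":
    for card, a, b, miles, mph in impossible_travel(SAMPLE):
        print(f"{card}: {a.terminal} -> {b.terminal}, {miles:.0f} mi at {mph:.0f} mph")
    for terminal, ts in atm_drain(SAMPLE).items():
        print(f"{terminal}: window limit exceeded at {ts:%H:%M}")
```

Neither check depends on the other: the per-terminal total catches a machine being emptied with many cards, while the per-card speed check catches one card number being used in several cities at once.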
 
2011-08-27 10:39:43 PM
cmunic8r99: ArkAngel: I was gonna post something snarky, but I got nothing. So here

I was, too.

But I got distracted.


All I hear is Seth Rogen in 40 Year Old Virgin: "We came here to rescue you, but now I don't give a fark."
 
2011-08-27 10:44:06 PM
ArkAngel: I was gonna post something snarky, but I got nothing. So here

[granthestonfitness.com image 480x240]
[img122.imageshack.us image 640x355]
[i43.photobucket.com image 355x266]


My God... that's... asstastic!
 
2011-08-27 10:51:52 PM
Will think of this the next time I am told how secure I am when it comes to paying bills on line.
 
2011-08-27 10:56:51 PM
Rant time:

We're currently having political BS problems with our higher-ups at work. Our new Head Cheese is one of these Matlock types who figures computers are evil and out to get him. He literally asks us to set his screen saver password to an hour and 15 minutes, so he doesn't have to enter his password again when he comes back from lunch. Worse, now all these annoying "I know about computers" types are getting a sympathetic ear when they try to go over our heads asking for admin rights they don't need, etc. You know, because we're the bad guys because we won't let a VIP's computer set unprotected, email/file shares open, for over an hour. Head Cheese doesn't want to hear anything about good security practices or limited rights, he just wants the people talking about computers to leave his office through the fastest way possible, which is telling us to "just do it".

Meanwhile Lulz and Anonymous are tearing a hole through half the internet, every day another company is announcing another multiple-thousand loss of SSN or cc#'s, and these people treat these events like they're sci-fi. No, that doesn't really happen to anyone, wait why is my bank cancelling my debit card again? Vendors asking you to open up 1433 to your internal SQL server containing PHI to the entire outside world, users replying with their passwords to any old email they get that asks, and all you get is static for every damn problem you try to fix. We've had black-hats set up full mock-ups (good ones, too) of our Central Authentication page in an attempt to harvest passwords and still these farks just wave away our concerns like we're Chicken Little.

You really have to wonder how bad it has to get before companies start taking this shiat seriously.
 
2011-08-27 10:59:57 PM
The problem with this stuff is we all pay for it. It's built into the cost of the services. I had $7,000 charged up to 3 different credit cards in one hour when I lost my wallet a few months ago. The cops couldn't have cared less and the credit card companies just wrote it off. This sort of fraud seems to be a lesser crime than smoking a joint.
 
2011-08-27 11:01:17 PM
[thedaemon.com image 224x281]


must. read. book.
 
2011-08-27 11:04:51 PM
ArkAngel: I was gonna post something snarky, but I got nothing. So here

[granthestonfitness.com image 480x240]
[img122.imageshack.us image 640x355]
[i43.photobucket.com image 355x266]


I read the headline and came in here to investigate. But you, sir, are a scholar and a gentleman.

/what's her number?
 
2011-08-27 11:05:47 PM
"Greatest. Techno-thriller. Period. Experts have long feared the Internet doomsday scenario. Daemon is arguably more terrifying."

- Billy O'Brien, Director of Cybersecurity and Communications Policy at the White House
 
2011-08-27 11:19:25 PM
ArkAngel: I was gonna post something snarky, but I got nothing. So here

[granthestonfitness.com image 480x240]
[img122.imageshack.us image 640x355]
[i43.photobucket.com image 355x266]


Y'all are slippin.

[www.michaelbitton.com image]
 
2011-08-27 11:48:10 PM
jayhawk88: Rant time:

We're currently having political BS problems with our higher-ups at work. Our new Head Cheese is one of these Matlock types who figures computers are evil and out to get him. He literally asks us to set his screen saver password to an hour and 15 minutes, so he doesn't have to enter his password again when he comes back from lunch. Worse, now all these annoying "I know about computers" types are getting a sympathetic ear when they try to go over our heads asking for admin rights they don't need, etc. You know, because we're the bad guys because we won't let a VIP's computer set unprotected, email/file shares open, for over an hour. Head Cheese doesn't want to hear anything about good security practices or limited rights, he just wants the people talking about computers to leave his office through the fastest way possible, which is telling us to "just do it".

Meanwhile Lulz and Anonymous are tearing a hole through half the internet, every day another company is announcing another multiple-thousand loss of SSN or cc#'s, and these people treat these events like they're sci-fi. No, that doesn't really happen to anyone, wait why is my bank cancelling my debit card again? Vendors asking you to open up 1433 to your internal SQL server containing PHI to the entire outside world, users replying with their passwords to any old email they get that asks, and all you get is static for every damn problem you try to fix. We've had black-hats set up full mock-ups (good ones, too) of our Central Authentication page in an attempt to harvest passwords and still these farks just wave away our concerns like we're Chicken Little.

You really have to wonder how bad it has to get before companies start taking this shiat seriously.


It will change only when it costs them money. Until then, you are farked.
 
2011-08-27 11:49:19 PM
[www.nitesite.net image]

WORK?!! HACK!?!?
 
2011-08-27 11:58:40 PM
cmunic8r99: jayhawk88: Rant time:

We're currently having political BS problems with our higher-ups at work. Our new Head Cheese is one of these Matlock types who figures computers are evil and out to get him. He literally asks us to set his screen saver password to an hour and 15 minutes, so he doesn't have to enter his password again when he comes back from lunch. Worse, now all these annoying "I know about computers" types are getting a sympathetic ear when they try to go over our heads asking for admin rights they don't need, etc. You know, because we're the bad guys because we won't let a VIP's computer set unprotected, email/file shares open, for over an hour. Head Cheese doesn't want to hear anything about good security practices or limited rights, he just wants the people talking about computers to leave his office through the fastest way possible, which is telling us to "just do it".

Meanwhile Lulz and Anonymous are tearing a hole through half the internet, every day another company is announcing another multiple-thousand loss of SSN or cc#'s, and these people treat these events like they're sci-fi. No, that doesn't really happen to anyone, wait why is my bank cancelling my debit card again? Vendors asking you to open up 1433 to your internal SQL server containing PHI to the entire outside world, users replying with their passwords to any old email they get that asks, and all you get is static for every damn problem you try to fix. We've had black-hats set up full mock-ups (good ones, too) of our Central Authentication page in an attempt to harvest passwords and still these farks just wave away our concerns like we're Chicken Little.

You really have to wonder how bad it has to get before companies start taking this shiat seriously.

It will change only when it costs them money. Until then, you are farked.


When it does cost them money, you are still farked because it was your job to stop it.
 
2011-08-28 12:04:33 AM
naz-drala: cmunic8r99: jayhawk88: Rant time:

We're currently having political BS problems with our higher-ups at work. Our new Head Cheese is one of these Matlock types who figures computers are evil and out to get him. He literally asks us to set his screen saver password to an hour and 15 minutes, so he doesn't have to enter his password again when he comes back from lunch. Worse, now all these annoying "I know about computers" types are getting a sympathetic ear when they try to go over our heads asking for admin rights they don't need, etc. You know, because we're the bad guys because we won't let a VIP's computer set unprotected, email/file shares open, for over an hour. Head Cheese doesn't want to hear anything about good security practices or limited rights, he just wants the people talking about computers to leave his office through the fastest way possible, which is telling us to "just do it".

Meanwhile Lulz and Anonymous are tearing a hole through half the internet, every day another company is announcing another multiple-thousand loss of SSN or cc#'s, and these people treat these events like they're sci-fi. No, that doesn't really happen to anyone, wait why is my bank cancelling my debit card again? Vendors asking you to open up 1433 to your internal SQL server containing PHI to the entire outside world, users replying with their passwords to any old email they get that asks, and all you get is static for every damn problem you try to fix. We've had black-hats set up full mock-ups (good ones, too) of our Central Authentication page in an attempt to harvest passwords and still these farks just wave away our concerns like we're Chicken Little.

You really have to wonder how bad it has to get before companies start taking this shiat seriously.

It will change only when it costs them money. Until then, you are farked.

When it does cost them money, you are still farked because it was your job to stop it.


Yes, the only thing that will change is that you (and your staff) will be out of work. And why? Because ACTUAL security is too HARD for them! For crap's sake, you should hear the crying when it comes time to change passwords where I work.
"But I have always used my pet's/kid's/spouse's name and then the month we are in! Why do I need to add a special character? I will never remember that!"

Cue the Farnsworth meme about not wanting to live on this planet any more, please.
 
2011-08-28 12:22:07 AM
End_Of_Line: Yes, the only thing that will change is that you (and your staff) will be out of work. And why? Because ACTUAL security is too HARD for them! For crap's sake, you should hear the crying when it comes time to change passwords where I work.
"But I have always used my pet's/kid's/spouse's name and then the month we are in! Why do I need to add a special character? I will never remember that!"

Cue the Farnsworth meme about not wanting to live on this planet any more, please.


We recently changed ours to a year's expiration, and still they biatch. It's unbelievable. You should hear some of these assholes call in and read us the riot act because we require them to fax us a photo ID before we'll reset their password for them over the phone. It's sad. Things are getting worse and worse when it comes to keeping things secure, the stakes are getting higher and higher, but still we are forced to loosen things up, not tighten.

Hell, just a couple weeks ago I got my XBox Live hacked. When I signed up, I used my work email to register, which I had used years ago to sign up for MSDN, and thus already had a Windows Live/Passport account associated with the address. XBox Live just slid right in there, and when I neglected to change my poor password on the Live account, boom, headshot. They bought $150 worth of points and transferred them to another account. Microsoft still hasn't gotten back to me on that.
 
2011-08-28 12:39:20 AM
Big problem too is businesses fight tooth and nail to save a buck and not update their computers, security systems and encryption. Sony got fraked because they were running servers with known exploits. Then there's the social engineering problem.

Keyfobs can make password stealing much harder, but then people lose them like idiots. Plus good luck getting all of your company's services and legacy software running on them.

It all comes down to the bottom dollar. Most companies seem happier with collecting insurance damages and letting their customers' data go where it may. It's not their problem after all, beyond an issue good PR can fix.
 
2011-08-28 12:40:15 AM
End_Of_Line: naz-drala: cmunic8r99: jayhawk88: Rant time:

We're currently having political BS problems with our higher-ups at work. Our new Head Cheese is one of these Matlock types who figures computers are evil and out to get him. He literally asks us to set his screen saver password to an hour and 15 minutes, so he doesn't have to enter his password again when he comes back from lunch. Worse, now all these annoying "I know about computers" types are getting a sympathetic ear when they try to go over our heads asking for admin rights they don't need, etc. You know, because we're the bad guys because we won't let a VIP's computer set unprotected, email/file shares open, for over an hour. Head Cheese doesn't want to hear anything about good security practices or limited rights, he just wants the people talking about computers to leave his office through the fastest way possible, which is telling us to "just do it".

Meanwhile Lulz and Anonymous are tearing a hole through half the internet, every day another company is announcing another multiple-thousand loss of SSN or cc#'s, and these people treat these events like they're sci-fi. No, that doesn't really happen to anyone, wait why is my bank cancelling my debit card again? Vendors asking you to open up 1433 to your internal SQL server containing PHI to the entire outside world, users replying with their passwords to any old email they get that asks, and all you get is static for every damn problem you try to fix. We've had black-hats set up full mock-ups (good ones, too) of our Central Authentication page in an attempt to harvest passwords and still these farks just wave away our concerns like we're Chicken Little.

You really have to wonder how bad it has to get before companies start taking this shiat seriously.

It will change only when it costs them money. Until then, you are farked.

When it does cost them money, you are still farked because it was your job to stop it.

Yes, the only thing that will change is that you (and your staff) will be out of work. And why? Because ACTUAL security is too HARD for them! For crap's sake, you should hear the crying when it comes time to change passwords where I work.
"But I have always used my pet's/kid's/spouse's name and then the month we are in! Why do I need to add a special character? I will never remember that!"

Cue the Farnsworth meme about not wanting to live on this planet any more, please.


Sentences are easily better passwords than 8 characters of anything, regardless of you forcing upper and lower, and making us have numbers and special characters. A good sentence like: "Little Johnny went to the fair last Tuesday" will take thousands of years to crack, unlike "H4u&1kMi" which would be cracked in a few hours of a good GPU based cracking program.
 
2011-08-28 12:42:46 AM
The problem is that IT, and IT Security especially, is no win.

If you do everything right, people don't even notice it is there. They assume their data will always be available, safe, accessible and ready for their use. Just like power or water. If you do your job right, you make it look easy. So before long, you are being biatched at for being useless overhead and see funds for doing things right cut back. You provide all the metrics, slides, presentations, industry documents, and what not, and it won't farking matter until something finally breaks.

Then you get the riot act because you didn't do everything right. Sure you can provide the documentation saying you have been denied funds to prevent the specific problem that occurred. You can point out the policies and all the exceptions you were forced to take for political expediency, and the warnings you issued for those exemptions.

None of that matters. It is your fault. Oh, and you are overhead, and this failure just proves that it is the fault of another worthless overhead department that needs to be eliminated. I hear the cloud is nice.
 
2011-08-28 12:44:12 AM
cmunic8r99: jayhawk88:
You really have to wonder how bad it has to get before companies start taking this shiat seriously.

It will change only when it costs them money. Until then, you are farked.


Yes. And in my experience, sometimes not even a fatal blow (to the company) will be enough. I recommend that you, jayhawk88, have a backup plan of your very own. Not for company data, but for your own job... a parachute that you can wear in the event of disaster.

Sad but true.

/Standing around saying "I told you so", while satisfying in and of itself, is not enough to put bread on the table
//Generally, it's better to say "I told you so" from the comfort of your nice new job
 
2011-08-28 12:54:50 AM
End_Of_Line: Yes, the only thing that will change is that you (and your staff) will be out of work. And why? Because ACTUAL security is too HARD for them! For crap's sake, you should hear the crying when it comes time to change passwords where I work.
"But I have always used my pet's/kid's/spouse's name and then the month we are in! Why do I need to add a special character? I will never remember that!"

Cue the Farnsworth meme about not wanting to live on this planet any more, please.


[imgs.xkcd.com image]

You probably aren't helping security in any capacity to make them change their passwords every X period of time with all sorts of retarded character requirements - the passwords are still easily brute-force-able and so hard to remember they just write it down on a post-it-note and stick it to their monitor. Just sayin'.
 
2011-08-28 01:02:18 AM
wingnut396: Then you get the riot act because you didn't do everything right. Sure you can provide the documentation saying you have been denied funds to prevent the specific problem that occurred. You can point out the policies and all the exceptions you were forced to take for political expediency, and the warnings you issued for those exemptions.

None of that matters. It is your fault. Oh, and you are overhead, and this failure just proves that it is the fault of another worthless overhead department that needs to be eliminated. I hear the cloud is nice.


Oh sweet jebus. Are you one of my co-workers? This sounds awfully familiar.

/actually, have heard it almost everywhere I go
//and I know everyone else has too
 
2011-08-28 01:15:11 AM
ghost_who_walks: wingnut396: Then you get the riot act because you didn't do everything right. Sure you can provide the documentation saying you have been denied funds to prevent the specific problem that occurred. You can point out the policies and all the exceptions you were forced to take for political expediency, and the warnings you issued for those exemptions.

None of that matters. It is your fault. Oh, and you are overhead, and this failure just proves that it is the fault of another worthless overhead department that needs to be eliminated. I hear the cloud is nice.

Oh sweet jebus. Are you one of my co-workers? This sounds awfully familiar.

/actually, have heard it almost everywhere I go
//and I know everyone else has too


It's a common thread. Back in the 90s I actually had a GM call my IT budget "Black Bag"
 
2011-08-28 01:56:06 AM
I can't wait for the movie about this. Starring Jason Statham and Charlize Theron.
 
2011-08-28 02:17:41 AM
jayhawk88: Rant time:

We're currently having political BS problems with our higher-ups at work. Our new Head Cheese is one of these Matlock types who figures computers are evil and out to get him. He literally asks us to set his screen saver password to an hour and 15 minutes, so he doesn't have to enter his password again when he comes back from lunch. Worse, now all these annoying "I know about computers" types are getting a sympathetic ear when they try to go over our heads asking for admin rights they don't need, etc. You know, because we're the bad guys because we won't let a VIP's computer set unprotected, email/file shares open, for over an hour. Head Cheese doesn't want to hear anything about good security practices or limited rights, he just wants the people talking about computers to leave his office through the fastest way possible, which is telling us to "just do it".

Meanwhile Lulz and Anonymous are tearing a hole through half the internet, every day another company is announcing another multiple-thousand loss of SSN or cc#'s, and these people treat these events like they're sci-fi. No, that doesn't really happen to anyone, wait why is my bank cancelling my debit card again? Vendors asking you to open up 1433 to your internal SQL server containing PHI to the entire outside world, users replying with their passwords to any old email they get that asks, and all you get is static for every damn problem you try to fix. We've had black-hats set up full mock-ups (good ones, too) of our Central Authentication page in an attempt to harvest passwords and still these farks just wave away our concerns like we're Chicken Little.

You really have to wonder how bad it has to get before companies start taking this shiat seriously.


Find a new job, seriously. Security cannot be successful without top-down management support and from what you're saying that isn't going to happen.

You can try to convince him with a well constructed presentation putting the risks in terms of monetary losses, regulatory violations, deviations from best practices, your practices in comparison to industry peers, etc... it may also be given more credence if it comes from a trusted consulting company (silly how this works but it's true), but it really sounds like you'd be yelling at clouds.

Depending on how much you are concerned about the safety of the data, your best bet is to find a new job and then write the board of directors (assuming your company has one) outlining your concerns. You could try this while still at the company but it's a dangerous road.

If you decide to try to stick around and convince people, remember to not just tell them all the problems, you need to give them the answers too.
 
2011-08-28 02:36:47 AM
Talon: You probably aren't helping security in any capacity to make them change their passwords every X period of time with all sorts of retarded character requirements - the passwords are still easily brute-force-able and so hard to remember they just write it down on a post-it-note and stick it to their monitor. Just sayin'.

If the system allows brute-forcing you have bigger problems than password length.
 
2011-08-28 02:41:09 AM
ArkAngel: I was gonna post something snarky, but I got nothing. So here

[granthestonfitness.com image 480x240]
[img122.imageshack.us image 640x355]
[i43.photobucket.com image 355x266]


Catherine Zeta-Jooooones, she dips beneath the lasers, whoa-oohhh-ohh.
She has entrapped meeee, and Sean Connery, whoa-oohhh-ohh.
 
2011-08-28 02:47:21 AM
davynelson: [thedaemon.com image 224x281]


must. read. book.


Great book but the sequel was so-so.

/He had a good universe built in the first book and I wish he would have made a series out of them
 
2011-08-28 02:54:45 AM
Talon: they just write it down on a post-it-note and stick it to their monitor. Just sayin'.

have you been to my office today ?

30 programs, each one has to have a password that has to change every 30-90 days, can't use the same password for any other program, cannot use a password used on any program for the last 360 days, cannot have more than 3 characters in the same place as any of the other passwords or any password used in the last year, must be at least 12 characters long with numbers, punctuation and cap letters, but cannot have the same amount of caps and numbers as any of the passwords in the last 12 months. It's such a pain in the ass everyone just puts them all in a spreadsheet, prints it out and tapes it under the keyboard.

/had to spend the first 45 min of my day making a new password for the program i use to view my direct deposit stub Friday
// i don't care if i had the 7 & and p in the same places on a password used on a different program in February
/// stop telling me that i can't use 1 and 2 next to each other because consecutive numbers are easy to guess
//// if i ever find the person that made the security rules i will beat them to death with my stapler
 
2011-08-28 04:02:28 AM
I was Database Manager at a company that created and processed credit cards.
It was my job to lock down "beyond parameter" security, anything in the databases.

I had to prove to Director of Information Security that I couldn't get into the secured data owned by the databases.
(of course, he didn't have the technical knowledge to do so...I did. Ironic.)

Same company decided it was brilliant to not replace him when he decided to leave.
(because they made his job too difficult, no other staff to assist managing two continents of factories)

Same company decided in the 2008 panic to lay me off and staff, and just keep my intern.
Managing same two continents of factory databases by himself. (North and South America, not managed)
(btw...they got rid of intern after 2 yrs, never promoted him...didn't replace him...everything is "troubleshot" from France, as needed...i.e. ignored)

And you wonder why there are security breaches???

/and yes, I know one of the first rules of security is not acknowledge where said security is...but it's years ago, and not my care anymore.
//Me? I'm fine, database SMEs are in demand...and some places do not ignore security.
 
2011-08-28 06:44:17 AM
cmunic8r99:
It will change only when it costs them money. Until then, you are farked.


No. It will change when they run out of low cost countries to ship IT off to, they ALL get burned and it costs them money they can't recoup by ditching staff and/or outsourcing.

So until the company is a few managers in the US/UK telling a corporation of outsourced workers what to do and they get slammed nothing will change.
 
2011-08-28 06:49:14 AM
End_Of_Line:
Yes, the only thing that will change is that you (and your staff) will be out of work. And why? Because ACTUAL security is too HARD for them! For crap's sake, you should hear the crying when it comes time to change passwords where I work.
"But I have always used my pet's/kid's/spouse's name and then the month we are in! Why do I need to add a special character? I will never remember that!"

Cue the Farnsworth meme about not wanting to live on this planet any more, please.


Correct Horse Battery Staple

If the users are having a hard time remembering their passwords, the problem is with the password requirements and/or the software that needs them. If they are struggling that much and you are unwilling to make human-rememberable passwords then I suggest installing a password generator set to the requirements on everyone's machine.
 
2011-08-28 06:53:31 AM
cardex: 30 programs, each one has to have a password that has to change every 30-90 days, can't use the same password for any other program...

So much this. Plus you have to use special characters, but not THAT special character on this site, but on this other site managed by the same people in the same server rack you cannot use THOSE special characters. Plus we keep taking down the new single sign-in gateway site for maintenance and security patches, but you can still access the sites directly using your old (now long since expired) logins.

Oh, and for your personal business, use different passwords for every website and change them at least every 6 months.

I know, the IT folks are merely responding to the latest OMG! PANIC! from the non-IT management, and from regulatory and legal requirements outside of anyone's control.
 
2011-08-28 07:44:42 AM
cmunic8r99: jayhawk88:

You really have to wonder how bad it has to get before companies start taking this shiat seriously.

It will change only when it costs them money. Until then, you are farked.


And don't forget, it'll be your fault when it finally does cost them money. (Plan ahead, document requests for needed security, etc. etc.)
 
2011-08-28 08:19:58 AM
jayhawk88: Rant time:

We're currently having political BS problems with our higher-ups at work. Our new Head Cheese is one of these Matlock types who figures computers are evil and out to get him. He literally asks us to set his screen saver password to an hour and 15 minutes, so he doesn't have to enter his password again when he comes back from lunch. Worse, now all these annoying "I know about computers" types are getting a sympathetic ear when they try to go over our heads asking for admin rights they don't need, etc. You know, because we're the bad guys because we won't let a VIP's computer set unprotected, email/file shares open, for over an hour. Head Cheese doesn't want to hear anything about good security practices or limited rights, he just wants the people talking about computers to leave his office through the fastest way possible, which is telling us to "just do it".


Document the crap out of it. And by the crap, I mean everything. Even just face to face meetings, follow-up with e-mails recapping your objections. And keep an archive of those e-mails. Because otherwise when the shiat hits the fan you'll be blamed for their faults.
 
2011-08-28 09:13:56 AM
vossiewulf: Chances very high with a processor like that that it was social engineering rather than hacking.

That's what most cracking has traditionally been. People dumpster-diving to get printouts, people calling up receptionists pretending to be somebody else, etc.
 
2011-08-28 09:36:01 AM
I really do feel sorry for you IT guys. I thought about doing it, but then again, I don't like being the red headed step child. Of course, I don't think I could do management either, but maybe I could be that sadistic HR guy.
 
2011-08-28 10:11:13 AM
I'm currently teaching a network security class and I have hammered home the mantra "don't tell anyone your passwords!! Ever!" So today, I'm sending a mass email to the class asking them for their passwords for an activity next week. This should be hilarious.
 
Displayed 50 of 58 comments

This thread is closed to new comments.