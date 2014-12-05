
(Twitter) The sk1ll3d h8x0rs took down Colonial Pipeline by accessing a single authentication VPN, using an old password passed around the dark web, from a former employee who used that password for everything, and Colonial never deactivated the login (twitter.com)
1 hour ago
Original Tweet:
 
UberDave [TotalFark] [OhFark]
1 hour ago
[Fark user image]
 
Private_Citizen
1 hour ago
Corporations don't like to invest in security - that's prevention. They can skip it, book the savings, and when TSHTF they get a government bailout.
 
Keyser_Soze_Death
1 hour ago
[image from memegenerator.net]
 
lolmao500
1 hour ago
That's some shiatty security.

Last time I had a job at a high security place, my login/password was deactivated like an hour after I quit.
 
emersonbiggins
1 hour ago

Private_Citizen: Corporations don't like to invest in security - that's prevention. They can skip it, book the savings, and when TSHTF they get a government bailout.


It's why there is still an Equifax
 
madgonad [OhFark]
1 hour ago
It is hard to imagine corporations even allowing untimed single credential VPNs to exist anymore. The CTO should be out on his/her ass and never work again. It isn't even because of the damage. How could someone be so stupid? That had to be on every SOC that has been done.
 
emersonbiggins
1 hour ago
[image from i.redd.it]
 
Denjiro
1 hour ago
Not surprising. I worked for a couple large supposedly tech companies. They always referred to the IT, InfoSec, and Support departments as 'loss leaders'. Usually as justification to limit their budgets. However, for something like marketing or the sales department, the sky's the limit.
 
groppet [TotalFark]
1 hour ago
Well guess I will be getting online to get me some passwords tonight, maybe to a bank and get me a big wire transfer.
 
TwoHead [TotalFark]
1 hour ago
I know I said I'd never sell my precious time to those bastards again, but if corporate America were to offer me a few baskets of cash I think my outdated skills might be just what they need to save themselves from themselves. Those kids from the schools that advertise on TV during morning cartoons don't seem to be up to the task.
 
ryebread [TotalFark] [OhFark]
1 hour ago
Willful negligence like this should carry a corporate death penalty, especially for companies operating critical infrastructure. Seize their assets.
 
Ivo Shandor [TotalFark] [OhFark]
1 hour ago
[Fark user image]
 
TwoHead [TotalFark]
1 hour ago

lolmao500: That's some shiatty security.

Last time I had a job at a high security place, my login/password was deactivated like an hour after I quit.


The last time I had a job my account was deactivated while I was on the phone with the CEO who called to tell me I was being screwed. Mind you, this call was on an IP phone connected via VPN to the home office. That should answer any questions about why I might be so bitter that I swore to never work for any of the bastards again.
 
AbuHashish
1 hour ago
They were still running XP as well.
 
Al!
1 hour ago

Private_Citizen: Corporations don't like to invest in security - that's prevention. They can skip it, book the savings, and when TSHTF they get a government bailout.


This. The vulnerability was documented in at least 2 previous audits. The owner of the firm that did the 2018 audit said, and I quote, "I mean an eighth-grader could have hacked into that system." And every time these companies get into trouble because of their poor business practices, the anti-socialism bloc of the federal government hops on the socialism train and delivers a giant pile of tax dollars to their door at below market rates. Meanwhile, more than 1 in 7 US adults lives in poverty.
 
Jgok [OhFark]
1 hour ago
I'm not surprised, because this is the truth behind 99.9999999999999999999% of all reported "hacks".
 
Benevolent Misanthrope [TotalFark] [OhFark]
1 hour ago

lolmao500: That's some shiatty security.

Last time I had a job at a high security place, my login/password was deactivated like an hour after I quit.


Even in the libraries I've run, passwords are deactivated literally the moment they leave.  Once I have keys and cards, I call IT and it's done.  That just seems basic to me.
 
Vlad_the_Inaner
1 hour ago

lolmao500: That's some shiatty security.

Last time I had a job at a high security place, my login/password was deactivated like an hour after I quit.


You tried it? Sounds legally risky.

There were layoffs at one place I worked, and my email password didn't work at start of day, before anything. I thought to myself, 'Well, that's not very auspicious.'
 
EBN-OZN
1 hour ago
[image from content.spiceworksstatic.com]
 
gonegirl [TotalFark]
1 hour ago
I worked as a technical writer for a medical insurance company for a while, and we were trying to get a government contract (something to do with Medicare, I no longer remember the details). My job was documenting the security procedures we had in place and, if necessary, making the IT guys create security procedures that we didn't have for some insane reason. The feds have some pretty strict guidelines for anyone they work with, and you'd think HIPAA would mean we did, too, but no.

Don, I know you have just been depressed as fark for the last year after your wife died, but I really need you to put a password on the NetScaler Gateway that isn't the default one, okay?
 
GreenSun
1 hour ago
Seems like no matter the advancement in technology, if you're a hacker, your golden key will always be a stupid employee.
 
wejash [TotalFark]
1 hour ago
What's great is that their federal regulator takes the position that security audits done by the regulator are pretty much voluntary and Colonial had scheduled one... but then rescheduled it because it wasn't convenient with Covid and all.

So our interstate energy suppliers' security is regulated by someone who says, "Meh, if you need any help, just give us a call. But it's all up to you. We trust you. Would you like to play some golf next week?"

I expect companies anywhere near Oil & Gas to be completely worthless at their security just as they are worthless at basic governance concepts to protect their shareholders from self-dealing weasels in management.  That's why they are regulated in the first place.
 
Fireproof [OhFark]
1 hour ago

lolmao500: That's some shiatty security.

Last time I had a job at a high security place, my login/password was deactivated like an hour after I quit.


I worked at a medium-sized TV station and my logins and email were automatically deleted at midnight the night after I quit.

That said, they didn't take my building entry keycards, and they had more than one incident of unwanted in-person guests during my time there.

/Lucky for them I destroyed them on my own.
 
weddingsinger [TotalFark]
1 hour ago
A reminder that they didn't even shut down the pipeline. The company shut it down because they didn't know whether they would be able to accurately bill customers.
 
optikeye [TotalFark]
1 hour ago
The "Delivery System" was never hacked. It was perfectly functional.

The attack was against the accounting/billing system.

The owners SHUT IT DOWN ...not because of problems with the pipeline, or delivery system...it was because of problems with billing customers.
 
Moroning [TotalFark] [OhFark]
1 hour ago
[Fark user image]
 
Kit Fister [TotalFark]
1 hour ago

Vlad_the_Inaner: lolmao500: That's some shiatty security.

Last time I had a job at a high security place, my login/password was deactivated like an hour after I quit.

You tried it? Sounds legally risky.

There were layoffs at one place I worked, and my email password didn't work at start of day, before anything. I thought to myself, 'Well, that's not very auspicious.'


Had that happen to me once. The recruiter for the contracting firm nearly got fired for not bothering to call and tell me that my contract had not been re-upped.

...after I showed up to work, and got through all of the security, and only found out because my email password wasn't working.
 
mongbiohazard
1 hour ago
It's pretty galling that our society is held hostage by the kind of folks responsible for running their company that way.

The East Coast gas shortage - and associated price hikes - were not caused because hackers caused any actual problems with the pipeline. There was no damage to the equipment, there was no loss of control, no actual reason that the flow of goods to the society would have problems being delivered. It was caused because the billing system got hacked.

That just strikes me as farked up. How do I put it into words? It's like there wasn't an actual problem, capitalism was the one with the problem. The petro could have continued to flow uninterrupted, just like it did the day before.
 
Ivo Shandor [TotalFark] [OhFark]
1 hour ago

ryebread: Willful negligence like this should carry a corporate death penalty, especially for companies operating critical infrastructure. Seize their assets.


The hack was against their billing system. The infrastructure was delivering the gas just fine, but they couldn't charge customers for it. So of course it had to be shut down.
 
ShavedOrangutan [TotalFark]
1 hour ago

Private_Citizen: Corporations don't like to invest in security - that's prevention. They can skip it, book the savings, and when TSHTF they get a government bailout.


"Jason Spaltro, then executive director of information security at Sony Pictures, called it a "valid business decision to accept the risk of a security breach"  in a 2007 interview with CIO Magazine, adding he would not invest "$10 million to avoid a possible $1 million loss.""
 
Bowen [TotalFark]
1 hour ago

Private_Citizen: Corporations don't like to invest in security - that's prevention. They can skip it, book the savings, and when TSHTF they get a government bailout.


Easy peasy.
 
JustMatt
1 hour ago

Ivo Shandor: [Fark user image image 425x237]


Fark user imageView Full Size
 
jayphat
1 hour ago
I told my buddy this who is an IT admin, whose exact response to me was "lol, classic."
 
Purple_Urkle
1 hour ago
40 years of the media calling all cybercriminals "hackers" has prevented low information people from ever learning what hackers are.

If you think hacker = criminal, then you're promoting the problems.
 
casual disregard
1 hour ago
Why....why do we even do cybersecurity training. It's rather clear the folks with the keys ain't learning the lesson.
 
fragMasterFlash [TotalFark] [OhFark]
54 minutes ago
Time to switch from using Hunter2 to Hunter3? That'll stop 'em dead in their tracks, yes?
 
NotThatGuyAgain [TotalFark]
54 minutes ago

emersonbiggins: Private_Citizen: Corporations don't like to invest in security - that's prevention. They can skip it, book the savings, and when TSHTF they get a government bailout.


Government?  Pffft, 2014 OPM breach courtesy of the Chinese.  "Information about everybody who has worked for, tried to work for, or works for the United States government. "  Including me, due to applying for a clearance for some work project that never happened.  They don't even know what data they got, they may well have scans of my ogddam fingerprints.

It's why there is still an Equifax

They are now paying a ton of attention to security. About time, of course. 10+ years ago I asked a friend there if they had any security jobs open. He said, and I quote, "You don't want to work here. The last thing they think about is security." I was on a call a few weeks ago where one of their security guys had a great and open discussion on what happened to them, as well as some of the things they implemented.

I'm not surprised that they got hacked by our friends in China as well.  In all honesty, better them than a group that would sell the data to ID thieves.   I've been through full blown ID theft and it suuuuuucks.  They even got a reissued copy of my drivers license.

/My company is large and they are tightening security to levels people have never seen there before.  Good.
 
Ivo Shandor [TotalFark] [OhFark]
52 minutes ago

Fireproof: lolmao500: That's some shiatty security.

Last time I had a job at a high security place, my login/password was deactivated like an hour after I quit.

I worked at a medium-sized TV station and my logins and email were automatically deleted at midnight the night after I quit.

That said, they didn't take my building entry keycards, and they had more than one incident of unwanted in-person guests during my time there.

/Lucky for them I destroyed them on my own.


My corporate accounts were deactivated while I was on the phone with the guy telling me I was gone (from home, during COVID). I was still able to access my files on the laptop for a couple of days until it automatically wiped itself back to factory defaults. I mailed my ID badge and the key card for the parking garage back to them. They let me keep the laptop.
 
dustman81
52 minutes ago

Benevolent Misanthrope: lolmao500: That's some shiatty security.

Last time I had a job at a high security place, my login/password was deactivated like an hour after I quit.

Even in the libraries I've run, passwords are deactivated literally the moment they leave.  Once I have keys and cards, I call IT and it's done.  That just seems basic to me.


It should be part of any organization's off-boarding procedure. Even if they don't return the physical item, at least shut off the access.

Keys ✅
Corporate credit card ✅
ID cards ✅
Laptop ✅
Phone ✅
Network credentials ✅
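
As an added illustration (not from anyone in this thread), a Python check of the kind dustman81's checklist and the headline describe: reconcile an HR departures feed against the account directory and the VPN authentication log, flagging accounts still enabled after the departure date, successful VPN logins after that date, and enabled accounts whose VPN access is single-factor. The user names, log format and field names are constructed for the example.

```python
from datetime import date, datetime

# Constructed sample data (not from the thread). In practice the departures
# feed comes from HR and the account export from the IdP or VPN appliance.
DEPARTURES = {"jdoe": date(2021, 1, 15), "asmith": date(2021, 3, 1)}
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "vpn_mfa": False},    # left, still enabled, no MFA
    {"user": "asmith", "enabled": False, "vpn_mfa": True},  # left, properly disabled
    {"user": "bchen", "enabled": True, "vpn_mfa": False},   # current staff, no MFA
]
# Constructed VPN auth log lines in a hypothetical key=value syslog format.
VPN_LOG = """\
2021-04-29T08:12:03Z vpn01 auth user=jdoe result=success src=203.0.113.7
2021-04-29T08:13:44Z vpn01 auth user=bchen result=success src=198.51.100.9
2021-04-29T09:02:10Z vpn01 auth user=asmith result=failure src=203.0.113.7
"""


def parse_vpn_line(line):
    """Split one log line into a dict: timestamp plus the key=value fields."""
    ts, _host, _kind, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def offboarding_findings(departures, accounts, vpn_log):
    """Return (finding_type, user, detail) tuples for off-boarding gaps."""
    findings = []
    by_user = {a["user"]: a for a in accounts}
    # 1. Departed users whose directory account was never disabled.
    for user, left_on in departures.items():
        acct = by_user.get(user)
        if acct and acct["enabled"]:
            findings.append(("STALE_ACCOUNT", user, f"still enabled, left {left_on}"))
    # 2. Successful VPN logins dated after the user's departure.
    for line in vpn_log.splitlines():
        ev = parse_vpn_line(line)
        left_on = departures.get(ev["user"])
        if ev["result"] == "success" and left_on and ev["ts"].date() > left_on:
            findings.append(("POST_TERMINATION_LOGIN", ev["user"],
                             f"{ev['ts'].isoformat()} from {ev['src']}"))
    # 3. Any enabled account that can reach the VPN with a password alone.
    for a in accounts:
        if a["enabled"] and not a["vpn_mfa"]:
            findings.append(("VPN_WITHOUT_MFA", a["user"], "single-factor VPN access"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in offboarding_findings(DEPARTURES, ACCOUNTS, VPN_LOG):
        print(f"{kind:24} {user:8} {detail}")
```

On the constructed data this reports jdoe three times (stale account, a login after departure, and no MFA) and bchen once for single-factor VPN access; the same three checks run unchanged over a real export and log, which is the point of making the reconciliation a scheduled job rather than a one-off.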
 
ImOscar [TotalFark]
52 minutes ago
[Fark user image]

[YouTube video: The Password - The Office US (8GxqvnQyaxs)]
 
Ivo Shandor [TotalFark] [OhFark]
51 minutes ago

JustMatt: Ivo Shandor: [Fark user image image 425x237]

[Fark user image image 370x267]


What what?
 
akya [TotalFark] [OhFark]
51 minutes ago

lolmao500: That's some shiatty security.

Last time I had a job at a high security place, my login/password was deactivated like an hour after I quit.


My last job didn't even wait that long.  I went out for my lunch break on my last day, came back and I couldn't unlock my computer.

/Their loss, still got paid for the whole day.
//Had, what turned out to be, a much better job lined up.
 
ryebread [TotalFark] [OhFark]
50 minutes ago

Ivo Shandor: ryebread: Willful negligence like this should carry a corporate death penalty, especially for companies operating critical infrastructure. Seize their assets.

The hack was against their billing system. The infrastructure was delivering the gas just fine, but they couldn't charge customers for it. So of course it had to be shut down.


There are a few details missing from the story about just how close they got to the OT network. I have a hunch the only thing that kept things on the corporate network was self-restraint on the part of the attackers.

I imagine finding a jump box into the OT network wouldn't be a big challenge once you were in, and you'd probably scoop up credentials for it along the way.
 
Carter Pewterschmidt [TotalFark]
50 minutes ago
I once worked for a huge company, one I guarantee every one of you has heard of, in a medium-sized branch with a bunch of departments. The department I started in had a PC in an open area that everyone used to access the system, from managers to warehouse workers to people passing through. The password was a user name and a very simple password. I asked who the user was and was told "Oh he used to work in this department but now he works in another department." But his login still worked and was used every day by dozens of people. I think it was posted on the notice board.
Then a year later he retired.
His login still worked.
It took another whole year for his login to stop working.
 
GodComplex
49 minutes ago

casual disregard: Why....why do we even do cybersecurity training. It's rather clear the folks with the keys ain't learning the lesson.


Because someone at the top said that security was important but they didn't want recurring costs.

It's my firm understanding of organizational structure that if something seems stupid and pointless, it's because someone made an impossible request. And rather than get fired for daring to question said stupidity, their subordinates tried to accommodate the impossible request as best they could.
 
Smelly Pirate Hooker
49 minutes ago
How very unsurprising.
 
Stibium
46 minutes ago

NotThatGuyAgain: Including me, due to applying for a clearance for some work project that never happened. They don't even know what data they got, they may well have scans of my ogddam fingerprints.


As someone who was a federal employee at the time, they definitely have our fingerprints.
 
MythDragon
46 minutes ago

Ivo Shandor: [Fark user image image 425x237]


[YouTube video: Archer - Mole Hunt - Hacking scene (UduILWi2p6s)]
 
Stibium
45 minutes ago

Stibium: NotThatGuyAgain: Including me, due to applying for a clearance for some work project that never happened. They don't even know what data they got, they may well have scans of my ogddam fingerprints.

As someone who was a federal employee at the time, they definitely have our fingerprints.


And Social Security number...
 
