Showing posts with label Cyber Security. Show all posts

Monday, October 27, 2025

Oopsies: House Democrats Fail Badly At Information Security

Democrats often put getting Trump ahead of all else, including competence at rather basic things.

Things like information security, with the identities of people with Top Secret clearances working for Democrats left open to the web for exposure and manipulation.

Wired: Hundreds of People With ‘Top Secret’ Clearance Exposed by House Democrats’ Website 

THE SENSITIVE PERSONAL details of more than 450 people holding “top secret” US government security clearances were left exposed online, new research seen by WIRED shows. The people’s details were included in a database of more than 7,000 individuals who have applied for jobs over the last two years with Democrats in the United States House of Representatives.

What could possibly go wrong? 

Democrats and websites really don't go well together.  Obamacare's failed roll-out; FAFSA's failed roll-out; and now their own job recruitment site. 

What does Borepatch often say?  "Security wasn't an afterthought; it wasn't thought of at all."

Wednesday, April 16, 2025

Scammers Take Their Toll

Gotten texts saying you owe a toll?  It's almost 100% going to be a scam. I've gotten quite a few such texts, allegedly from states that I have never even driven through.  Yes, not only is the cake a lie, but the text is a scam.

Especially so if they claim you owe for a toll in Michigan.

That's because Michigan doesn't have any toll roads.  As in none, zero, nada.

The Detroit News: Scammers run toll scheme with imposter government website, MDOT says

Government agencies are not going to send you a text saying you owe a toll.   

Nor do governments want payments in gift cards, crypto, or wire transfers.

Your best course of action is to not click on any links in the text, and immediately delete the message and mark it as junk when you do so.

Update:  Talk about timing! A few hours after I posted this I got the following text:

Yes, it is very, very fake.

Tuesday, November 09, 2021

Chase Theft Update

Chase just made a "temporary credit deposit" to my accounts restoring the money that was stolen.  Temporary, as they're still investigating and reserve the right to pull it all back out pending their determination and decision on the matter, which is not happy-making and leading to more grey hairs.

Police are also investigating, and I made the appropriate report to the Bar Association re the matter.

New checks for the new account numbers should be arriving today.

Currently watching all accounts like a hawk on a more than daily basis.

I have created a savings account to sequester some operating account funds and Chase allows up to six transfers from savings back to Operating without a charge, so it will take some care and planning.  I've been assured there cannot be an ACH pull from the savings account but, well, it's Chase, so I may get a different answer from another rep.  

Unfortunately, I can't do that to the IOLTA account as there is no such thing as an IOLTA savings account, nor does Chase offer the ability to block ACH withdrawals from an IOLTA account: they have the technical ability to do so but will not offer that service to this account. This is unfortunate as I'd prefer to safeguard my clients' money even more strictly than my own. I relayed that to the Bar and the Bar Rep is going to be contacting Chase to ask why IOLTA accounts don't get that kind of protection, as apparently the number one method of theft from IOLTA accounts is now via ACH. On top of that, the number one serious attorney violation with IOLTA accounts is now some attorneys with gambling problems using ACH at casinos to drain IOLTA accounts to feed their habit - that should not be allowed to happen.

So, after over 20 hours of calls, meetings, completing and submitting forms and doing more forms, and emails with Chase, the Police, the Bar, etc., it seems to be stabilizing.

Assuming Chase doesn't make a sudden reversal and yank the funds and induce a heart attack, I should be good to go from here on out.  Also I'm checking into other banks/credit unions to see if they are rated for IOLTA accounts and can offer higher security and less visibility compared to Chase.

Most importantly, I'd like to extend my gratitude to those of my friends/readers who on reading of the attack immediately contacted me to offer loans to tide us over while this was being sorted out. 

I didn't need them as our personal funds in a different institution were still intact, and we had reserve emergency funds so I could skip a paycheck, and still cover what was coming out while getting this fixed.   But, you folks - and you know who you are - immediately jumped in to offer help, and I'm extremely grateful to you for doing so. Thank you.

Wednesday, November 03, 2021

That's One Heckuva Security Hole In The Banking System


According to at least one person at Chase security, the ACH pulls were not a result of a breach in my online banking. Now since I'm still not getting a straight answer as to what exactly happened, I'm taking this with a big grain of salt.

Instead, apparently all it takes to pull money from your account via an ACH or online bill pay pull is someone knowing your routing and account numbers and perhaps the name on the account.

This seems rather nuts that someone can drain your account with just that information and without any authorization from the account itself. As you might imagine, I had no idea this was even possible.

Even better, I try to arrange for an ACH block on withdrawals from the IOLTA account to ensure such a thing never happens again. After all, funds never should leave an IOLTA by ACH - it's either payment for services and thus moved to the operating account once earned, or returned to the client via a check when the representation is over so every cent in that account can be tracked.

Chase has an ACH withdrawal blocking ability, but, well, apparently the IOLTA account isn't one of the preferred types of accounts eligible for such an ACH blocking service. No kidding. One would think a trust account holding other people's money would be given the highest level of security. Not so much. I think finding and then switching to a bank that offers such a service - as a default no less- would be the prudent way to go.

So in short, your bank accounts are just one check away from some ne'er-do-well (that's putting it politely) taking one of your checks and using the routing and account info on it to illegally pull money from your accounts without your permission.

That seems like one hellacious security hole big enough to drive a wheelbarrow of money through. Oh wait, yes it is indeed one hellacious security hole big enough to drive a wheelbarrow of money through. Dammit.

As Borepatch often says: "Security isn't an afterthought; it isn't thought of at all."

Friday, October 29, 2021

How Very Not Good

Apparently, every happy event must be matched with a not-so-happy event.

Well, my business accounts at Chase got hacked at around 5:30 last night and they had a lot of money taken out via ACH and no one at Chase is telling me how it happened. Good thing I happened to check the account as I was finishing work at 6 and saw it - aside from the heart attack from seeing it that is.

Apparently it was not a password breach as my password and even the username for the business had been changed before this occurred, shared with no one, regular weekly anti-virus and malware scans are done on my computer, I don't go to strange sites on this computer, and they're not saying there were any suspicious sign-ons at all, so it's likely they got in some other way - but Chase is not saying.

The scumbags somehow managed to do online transfers to take money out of my account and send it to Discover and to Voyager (apparently some kind of crypto-currency thing) incredibly quickly and without so much as a by your leave.

Chase security last night was decidedly unhelpful. It appears their call center is off-shore, and they were a bit hard to understand and at times it seemed they didn't understand much either. You would think the security division would be a bit more competent. Over three hours on the phone and I ended up feeling worse rather than better and now believe the bank's security for its customers from such acts is somewhere from inadequate to non-existent.

The person on the phone stated that if someone has the routing number and account number they can wire money out of the account no problem. Since that information is on every check that's rather worrisome and there better be better safeguards. The criminal made two minor deposits of a few cents each and then immediately pulled out a lot of money from the account in two big pulls, which is rather bad as that's got me in a bad spot.

The person on the phone then stated it was ok and she would do the dispute claims contesting it for me but I should go into a branch to change the account numbers when they open this morning.

Welp, wouldn't you know the person on the phone did not actually do a dispute claim for the monies that were taken out. Oh, no - she did it only for the two tiny deposits put into the account! Both I and the Branch Manager looked at each other in disbelief when we found that out.

So I'm rather hosed as it will be at least 15 days to process the claim and return the money at the earliest. My account numbers, and username and password, have all been changed so I have no checks to pay the bills that are coming up and need to order new ones, and it's a rather problematic mess having to change all sorts of things including everything that is linked to those accounts.

Friday, May 31, 2019

Not From The Onion: Hillary Clinton To Keynote Cyber Defense Summit

No, this is not a joke. It's apparently 100% tone-deafly, headshakingly, very, very real.

Well, she can, I suppose, relate a cautionary tale of how not to run an insecure email server and then how to run Bleachbit on the same server when you're caught to try and cover your tracks.

Friday, August 24, 2018

The Latest Hack Attempt Of The Democrats Was By . . . . The Democrats Themselves

The latest hack attempt of the Democrat National Committee data was this week. It led to an outburst of claims of Russian collusion, etc, but now turns out not to have been by the Russians at all, nor of any outside party for that matter.

Instead, it was the work of the Democrats themselves.

The attempt was actually penetration testing by the Michigan Democratic Party to test security of the DNC's files. Apparently they forgot to tell the DNC they were doing it, which led to a wee bit of embarrassment as the DNC quickly cried "Russkie Wolf!".

The Detroit Free Press: Democratic data hack: Here's who was apparently behind it

Michigan Democratic Party Chairman Brandon Dillon acknowledged in a statement that the state organization's efforts to improve cybersecurity led to mistakes though he didn't elaborate.

. . .

CNN first reported the attempted hack on Tuesday after the DNC told the FBI someone was trying to hack its voter database two years after successful Russian efforts to infiltrate its computer systems and release thousands of emails online, embarrassing the party during the 2016 presidential campaign.

Wednesday, November 22, 2017

An Uber Uber Fail

Uber, beloved transportation alternative, has seriously pooched a security breach - in October 2016, but you haven't heard about it until now.

After having the data of 57 Million customers and drivers stolen, Uber kept the news of the data breach quiet for over a year and failed to disclose the breach until this week.

They also paid the hackers $100,000 to delete the info (any guesses as to how effective that was?) and to keep the breach quiet, and quiet it was kept, until now.

Cyberbreaches are bad enough. The failure to disclose is the kicker on this one that elevates the level of fail to an Uber level indeed.

Bloomberg: Uber Paid Hackers to Delete Stolen Data on 57 Million People

Monday, November 13, 2017

One Would Think That Would Be Important To Know . . .

The Wall Street Journal: Equifax CEO to Congress: Not Sure We Are Encrypting Data

"Not sure" is possibly dissimulation for "No, we're not encrypting data", or "Don't tell the boss we're not encrypting data".

After one of the largest and most publicized data breaches in history, for Equifax not to be 100% positive that all pertinent consumer data in their possession is encrypted as an additional line of defense should be considered nothing short of a criminal failure.

Wednesday, April 12, 2017

A Good Check To Run On Your Home Router

Wordfence offers a free scan utility for you to check if your home router has a vulnerable port open that could expose your network and allow the router to be hacked and used for attacks on other sites.

It's worth running the scan to be on the safe side, and it's rather nice of Wordfence to provide it for free and get some awareness of the issue out there.

Tuesday, June 30, 2015

Heckuva Job There, Archuleta!

As blogged on Instapundit by Ed Driscoll, the head of the Office of Personnel Management, the location of the greatest data breach to occur against the US Government so far, is an Obama appointee. It turns out she was appointed for political reasons rather than competence as she had no background in the realm of stuff that OPM does but was rather qualified for being a stalwart Democrat community organizer.

It's a pity she didn't organize some Information Security at OPM.

Her reaction to an earlier breach by the Chinese in July 2014 was that there was nothing to fix, this while the OPM Inspector General was pointing out serious security deficiencies as far back as 2007.

In other words, a breach of this nature was not an out-of-the-blue attack but was instead predictable to occur based on past performance (or lack thereof). With her expressed "Remain calm, all is well" kind of attitude, it's no wonder that cyber-security there was weak and that this breach has the incredible scope and implications that we're learning that it has.

As Borepatch blogged many a time regarding cyber-security: It wasn't an afterthought, it wasn't a thought at all.

Sunday, June 01, 2014

So Make An Unauthorized Database Of Americans' Personally Identifiable Information. What's The Worst That Could Happen?

Borepatch notes that even Law Enforcement Surveillance software is vulnerable to being compromised.

But worry not, the Feds, namely the Federal Housing Finance Agency (FHFA) and Consumer Financial Protection Bureau (CFPB), are rolling out what is quite arguably, at least by Republicans as the Democrats don't seem to care, an unauthorized expansion of their authority to create a mortgage database that will potentially contain all borrowers' personal identifying information including social security numbers, race, address, mortgage payment history, all credit lines including student loans and credit cards, employment status, education and religion.

It would cover these details on every home purchased with a mortgage since 1998. It may have full data and personal identifying information to match against other datasets or just samples with the personal info removed for further data analysis.

Categories of individuals covered by the system are blithely described in the regulation notice as "Individuals who have records in one or more credit bureaus or consumer reporting agencies."

In the modern USA, that's just about everybody.

A one-stop identity theft database, where you can bet security may get as much as an afterthought or not even a thought at all.

It is not quite fully explained as to why the FHFA and CFPB want this expansion and what they will do with it, and the effect on consumer privacy that it will have on Americans for these government agencies to have this data at their fingertips is not discussed. On top of that, the potential for far too much havoc if the database is compromised certainly makes it worth worrying about, and for this expansion to be stopped until both its unintended and intended consequences are fully understood.

The Hill: Federal mortgage database draws privacy concerns from GOP

Sunday, July 29, 2012

DRM Frustration and Fail

DRM being Digital Rights Management. The various methods for content providers pissing their end-users off to all heck and gone.

So my local library, in addition to books, DVDs, CD, MP3 on CD and such is also offering e-books and e-audio books.

Makes sense right? Good for the library as no worries about shelf space, damaged discs or vandalized books. In the case of audio CDs, considering as how they get scratched as fast as being looked at, it makes sense to keep it electronic.

In addition, this kind of content is cheap as hell for a content provider - no repeat production, printing or stamping costs as each item is a digital file and if it gets corrupt you can upload another one. Nice, convenient and accessible with no worries about someone else checking it out - what's not to like?

Should be easy right, for them maybe, for a user not so much.

To listen to an audio book, as I planned to do on my iPhone and plug it into my car and listen to it to and from work would have been great.

Not so fast.

First I had to download Overdrive Media Console, which then wanted Windows Media player to be upgraded with some sort of DRM update.

The problem being, it would not update.

After multiple tries with the online help, it wouldn't work. After 2 hours of messing around with it, I finally figured out that it will not update if you try it through Firefox - you must do it through Internet Explorer - note that the help files do not mention this in any way, shape or form.

So I finally get the fisking thing downloaded and it issues the audio book files in protected WMA format - I try to load it up in iTunes to transfer to the iPhone and nope, it doesn't work with an error message that it's protected. Of course.

Nor can I get the Overdrive to transfer it to the iPhone as per the Overdrive site: "OverDrive Download Station is not able to transfer to iPhones." Wonderful. So it looks like I've got the capability of sitting in front of my computer and listening to an eAudioBook - wow, that's really handy and useful.

However all is not lost: The program allows you to burn them to a CD and transfer the files in CD Audio format.

Good grief.

After all the fisking time wasted to comply with their stupid DRM model, the end result is a file that has no DRM protection whatsoever and once on the CD could be transferred, ripped back into mp3 and loaded on an iPhone, or given away to the entire universe I suppose.

You are supposed to destroy your CDs when the loan period is up. How many people do that, I have no idea.

I'm personally toying with the idea of mailing them, postage collect, to the publisher with a cover letter detailing how messed up their whole DRM concept is.

Epic Failure from a security standpoint and from a usability standpoint.

All that nonsense to protect content that ends up unprotected once you waste hours making the software behave and then about a half hour burning a few discs.

Monday, November 23, 2009

SANS to Lawyers: Watch your data

As if the legal profession doesn't have enough on its plate, lawyers need to be on the lookout for hackers: SANS NewsBites Vol. 11 Num. 91: Hackers now targeting law firms to get secret corporate negotiating information

Interesting story in the Washington Post this morning by Lolita Baldor of the Associated Press on an FBI announcement that attackers are now targeting law firms with the same advanced techniques they are using against government and defense contractors.
http://www.washingtonpost.com/wp-dyn/content/article/2009/11/17/AR2009111701074.html
An almost identical announcement was made in a private letter to the heads of the 300 largest companies in the United Kingdom, from the head of MI5. The UK announcement was made two years ago.
The SANS Institute is a great cyber security resource and Lawyers need to keep their IT people on their toes and their servers secure to protect their clients' data.

Thanks to Scott of Providentia for the tip.

Wednesday, July 08, 2009

Yet again what happens on Facebook doesn't stay on Facebook

Facebook, other data help researcher crack Social Security codes
Washington -- For all the concern about identity theft, researchers say there's a surprisingly easy way for the technology-savvy to figure out the precious nine digits of Americans' Social Security numbers.

"It's good that we found it before the bad guys," said Alessandro Acquisti of Carnegie-Mellon University in Pittsburgh.

Acquisti and Ralph Gross report in today's edition of Proceedings of the National Academy of Sciences that they were able to make the predictions using data available in public records as well as information such as birthdates cheerfully provided on social networks such as Facebook.

For people born after 1988 -- when the government began issuing numbers at birth -- the researchers were able to identify, in a single attempt, the first five Social Security digits for 44 percent of individuals. And they got all nine digits for 8.5 percent of those people in fewer than 1,000 attempts.
Oops. The article notes that the use of real names and their providing the town they were born in along with their date of birth made it possible to find their Social Security Number by a statistical formula.

This points out two distinct issues:
1. Don't leave so much of your personal data out where anyone can find it on sites such as Facebook.

2. The Social Security Agency needs to badly revamp how it issues Social Security numbers and stop using the current geographic and sequential system by which it is currently doling out the numbers.

Monday, July 06, 2009

From the Department of Security Leaks

From Jolly Olde England, where we thought they knew better:

Wife exposes chief spy's personal life on Facebook
It is always a case of some considerable concern when a lady reveals too much on Facebook. The site has standards, after all.

The lady in question this time is Lady Shelley Sawers, the wife of Sir John Sawers, the new head of British spy agency MI6.

According to reports in the Mail and numerous other media outlets, the fair lady may not have been quite aware that Facebook can be seen by a rather large number of people if you don't specify that you want to keep your information vaguely private.

Lady Sawers saw fit to wander onto the site and reveal where their London apartment is located and where their children are. This might not appear to be the wisest course of social action if your children happen to be the offspring of the head of an international spying network.

One would think that MI-6 would have given the wife of the head of MI-6 a little information security briefing or something.

Then again, this is the agency that had a Soviet agent running their anti-Soviet Intelligence section.

Yet another reminder that what goes on Facebook doesn't stay on Facebook.

Friday, May 29, 2009

Obama's Cyber-Czar to push for Key-Escrow?

The HITECH Act, passed as part of the stimulus bill, demands that medical computers are both made to be secure and be able to interchange information.

Now with his plan to name a Cyber-Czar, will Obama go back to the defeated Clinton proposal of key escrow for encryption?

Key escrow, basically having the government have the "keys" to crack encryption, would almost be required should the twin demands of the HITECH Act, security and interchangeability, be enforced. Otherwise how are systems going to be able to securely transmit data and share it amongst different medical practice groups? The other issue, that of audits of the encrypted information, as well as disposition of medical records from doctors that leave practice, will also demand the passwords and keys to those records can be retrieved.

My prediction is this new Cyber-Czar, Cyber-Czarina or Cyber-Czardine will propose a uniform encryption scheme along with key escrow, at first in computers covered under HITECH Act and later to push to include far more.

I think this calls for a traditional Jewish blessing for the Cyber-Czar:


"May God bless and keep the Cyber-Czar -- far away from us!"