Who the hell are they hiring?
Who the hell are they, and all the others who have been hacked in the last few years, hiring to do their security work? I know A+ techs who could do a better job!
The US Postal Service has called in the FBI after hackers apparently grabbed names, addresses, social security numbers and other sensitive records from its staff database. It's feared miscreants got into USPS corporate servers, and swiped data that will be a lucrative haul for identity thieves and other fraudsters. USPS …
+1 on that. I can't see any good reason for the US Postal Service to attach its Human Resources database to the public Internet. I'm sure that some users would like to be able to log into it from home, or whatever, but their use case does not trump the necessary security. Hacking an air gap is quite hard.
I can't see any good reason for the US Postal Service to attach its Human Resources database to the public Internet.
Subsequent events suggest that their VPN was compromised, so it's a typical escalation: public Internet to VPN to sensitive resources. USPS is a very large organization that's forced by its mission to be geographically distributed, and is in an eternal budget crisis (thanks to Congress regularly stealing from it). They have no choice but to use a VPN and make a lot of their sensitive systems accessible over it.
And VPNs are vulnerable, if systems outside the corporate firewall are allowed to connect to them (as opposed to just using the VPN to route among corporate networks). Subvert a home user's PC, install a keylogger and remote-control software, grab creds, and now you're on the VPN too.
From there, yes, you should still need other exploits to get to sensitive systems - except for the ones your victim already has access to.
According to the news today, they've eliminated all home access to the VPN. That's a pretty serious response.
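The escalation described in the comments above (a compromised home PC, stolen credentials, then the VPN) shows up in VPN authentication logs as two patterns: successful logins from endpoints that are not in the managed-device inventory, and the same account succeeding from two different source addresses within a short window. The following is an added example, not code from the original thread or from USPS; the log format, the device inventory and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not real data). Assumed format:
# "<ISO timestamp> vpn-auth user=<name> src=<ip> device=<id> result=<ok|fail>"
SAMPLE_LOG = """\
2014-11-10T08:01:12 vpn-auth user=jdoe src=203.0.113.7 device=MGD-0042 result=ok
2014-11-10T08:03:40 vpn-auth user=asmith src=198.51.100.23 device=HOME-LAPTOP result=ok
2014-11-10T08:05:02 vpn-auth user=jdoe src=192.0.2.199 device=UNKNOWN-9 result=ok
2014-11-10T08:30:00 vpn-auth user=bwong src=203.0.113.9 device=MGD-0107 result=ok
2014-11-10T09:15:45 vpn-auth user=bwong src=203.0.113.9 device=MGD-0107 result=fail
"""

# Constructed inventory of corporate-managed endpoints allowed on the VPN.
MANAGED_DEVICES = {"MGD-0042", "MGD-0107"}

LINE_RE = re.compile(
    r"^(\S+) vpn-auth user=(\S+) src=(\S+) device=(\S+) result=(\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, device, result = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "src": src,
            "device": device,
            "result": result,
        })
    return events


def unmanaged_logins(events, managed=MANAGED_DEVICES):
    """Successful logins from devices outside the managed inventory.

    These are the home PCs the thread talks about: the VPN trusts the
    credentials, but nobody controls the patch level or malware state of
    the machine presenting them.
    """
    return [e for e in events if e["result"] == "ok" and e["device"] not in managed]


def concurrent_sources(events, window=timedelta(minutes=30)):
    """Same account succeeding from two different source IPs inside the window.

    A common indicator that credentials captured on one machine are being
    replayed from another. Returns (user, first_src, second_src) tuples.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "ok":
            by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # sorted by time, so later events are out of the window too
                if b["src"] != a["src"]:
                    findings.append((user, a["src"], b["src"]))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in unmanaged_logins(evs):
        print(f"unmanaged device on VPN: user={e['user']} device={e['device']} src={e['src']}")
    for user, a, b in concurrent_sources(evs):
        print(f"possible credential reuse: user={user} from {a} and {b}")
```

Both checks are cheap enough to run continuously against the VPN concentrator's logs. The first is the policy check that, per the later comment, USPS eventually enforced outright by removing home access; the second catches the case where a managed-looking login is really a stolen credential being used from somewhere else.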
Thing is, all anyone offers is free credit check for a year. Yeah, that's what your personal info is worth. "We fucked up, it's up to you to fix it if anyone steals your identity." And if they do steal your identity, how can you prove it was because of company X's incompetence? So Register, how about an article on this?
... after all, the Post Office is only complying with currently recommended standards. A number of, um, 'authorities' have recently proclaimed from the very roof-tops that implementing effective encryption and security just plays into the hands of 'terrists, pedalo-philes and the like (though I've never quite got how those liking a little jaunt in those little swans and boats are bringing about the End of the World).
Funny how prescient THAT was.
Was it? I must have missed all the hackers with their VR gear flying around virtual firewalls and avoiding the IDSes that can remotely electrocute them.
Gibson's stuff may be pleasant fantasy (personally, it leaves me cold), but accurate it is not. Nor was his vision of an eternal struggle over computer access particularly ahead of its time; Neuromancer was published in 1984, when "hacking" in the computer-security-breaching sense was already well-known. Hell, Wargames came out the year before.
Gotta say this too, the same government that runs this thing is the one that is more worried about snooping on its citizens. "Hey, don't worry about us, what are YOU doing there with your phone? A terrorist maybe?"
Lewis Black nailed it, we don't need original comedy, the government is providing plenty of jokes.
Comrade colonel, I can report the first battalion of the people's cyber warfare regiment have penetrated to the heart of the hated capitalist paper tiger of western imperialism.
Congratulations - the White House, the NSA, the milk marketing board?
No comrade colonel, we now have names and social security numbers of the feared postal employees!
You stupid boy Zhang...
It's tin foil hat time. The NYP (New York Post) ran an article on the incoming Senate Committee Chairman on Homeland Defense and Governmental Affairs, which puts him in charge of the committee in charge of the federal workforce. He's a radical tea party deficit hawk who wants to privatize the post office and force it into bankruptcy, like Detroit. Now mind you, until they forced the USPS to fund its retirement out to 75 years into the future, this was the only self-funding branch of the government that I'm aware of.
The very same day this gets published, we hear the news the computer system at the USPS was hacked and data on all 800K of its employees stolen. Not customers. Just the employees. But it has to be China! And Obama just so happens to be visiting there the same day! But oh, they've known about this for a while. It's just that stopping it too soon might have stopped the discovery process of just who it was behind the breach.