yeah, well
Feb. 7th, 2014 01:27 am
Target data breach put down to access details stolen from contractor
lazy, incompetent network administration
a few days ago, the folks who run the big store chains whined that hackers have the upper hand, but the reality is more prosaic: they're lazy and inept (both articles lack specifics, but i'm too tired to dig the details out of the testimony).
WASHINGTON, Feb. 6 (UPI) -- Failure to properly segregate systems handling payment card data in its network led to the massive data breach at Target last month, a U.S. researcher says.
Hackers who broke into the retailer's network did so by using login credentials stolen from [Fazio Mechanical Services,] a heating, ventilation and air conditioning company that does work for Target at a number of locations, security blogger Brian Krebs reported Wednesday.
...
Target had apparently granted Fazio access rights to its network so it could remotely monitor energy consumption and temperatures at various stores.
...
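The segmentation failure the UPI piece describes can be checked mechanically: model the allowed zone-to-zone flows and ask whether a vendor's remote-access zone can transitively reach the payment card zone. This is an added example, not code from the post or from Target; the zone names and both rule sets are constructed for illustration.

```python
# Added example (not from the original post): a minimal zone-reachability audit
# for the kind of vendor-access segmentation failure discussed above.
# Zone names and rules are constructed; "payment" stands in for the
# cardholder data environment.
from collections import deque

CDE = "payment"  # assumed name of the cardholder data environment zone

def reachable_zones(rules, start):
    """Transitive closure of allowed (src, dst) zone flows starting at `start`."""
    allowed = {}
    for src, dst in rules:
        allowed.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in allowed.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def vendor_reaches_cde(rules, vendor_zone):
    """True if the vendor's entry zone can reach the payment zone via any path."""
    return CDE in reachable_zones(rules, vendor_zone)

# Constructed "flat" rule set: vendor remote access lands on the corporate LAN,
# which can reach store networks and, through them, the payment zone.
FLAT_RULES = [
    ("vendor_vpn", "corp_lan"),
    ("corp_lan", "store_lan"),
    ("store_lan", "payment"),
    ("corp_lan", "hvac_monitoring"),
]

# Constructed segmented rule set: vendor access may only reach the HVAC
# monitoring zone; the payment zone is reachable only from a dedicated
# management zone that the vendor never touches.
SEGMENTED_RULES = [
    ("vendor_vpn", "hvac_monitoring"),
    ("corp_lan", "store_lan"),
    ("pos_mgmt", "payment"),
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, "- vendor can reach payment zone:",
              vendor_reaches_cde(rules, "vendor_vpn"))
```

The same audit can be run against rules exported from a real firewall or VPN policy, which is where the "energy monitoring access reaches the POS network" path shows up before an attacker finds it.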
i've used secure networks before, so it can be done. one was isolated from the rest of the world by an air gap (didn't connect to the net); hack that, dude. the other had elaborate defense in depth from layers of clever routers, firewalls, DMZs, and so on from the usual well-known arsenal; it was theoretically vulnerable, but given the number of mk. 1 eyeballs that watched its log digests all the time, practical attacks would be challenging. (SOP for that one was fail safe, too; i'd heard that people had pulled the plug even on vague suspicions.)
so, target and the rest could manage if they care. it just takes work.
but OTOH, i don't think we need new federal law though. i think existing liability law would work just fine, with one clarification: let those who hold confidential information bear all the losses if they lose it. i know there are instances in liability law like that for bailments; that's why car repair shops (et al) take precautions with other people's stuff.
if one guesses that the average value of the information the hackers made off with from the target job was ~$100/person, target would be looking at a ~$7 billion liability. their insurers wouldn't put up with their cluelessness. the owners of the elaborately-defended network had certain legal obligations that "whoopsie!" didn't get them out of; they didn't build those defenses because their geeks thought it would be cool. i suspect retailers would feel the same way in the same situation.