Monthly Archives: October 2012

South Carolina loses socials and credit cards, Governor still naive

The mainstream news (NYTimes, Forbes) has covered the recent data breach at South Carolina's Department of Revenue without really placing the blame on anyone responsible for this mess. It's so bad, let's not even call it a mess. Let's instead call it what it is: a catastrophe for the personal data of South Carolina residents.

Current state population: 4.6 million. Exposed records: 3.6 million.

The scale of the data breach is unbelievable. Governor Nikki Haley stated that they were attacked by an "international hacker", based on an IP address in the log files. She, along with various law enforcement officials, went on to stress bringing this person to justice, and they collectively sat on this information for roughly two weeks while the investigation reached certain benchmarks. This press conference could easily be a scene from any hacker movie of the last couple of decades, with officials bumbling along and making statements that they don't understand.

Some items that caught my ear and I can’t accept:

  1. Governor Haley stated that all of the holes have been plugged. Given that you didn't know anyone in any IT department below the CTO level only a couple of weeks ago, how can you make that claim? Better yet, how can you store 3.6 million social security numbers in a database without encrypting them? How can 16,000 credit card numbers sit there unencrypted? That breaks a basic PCI DSS requirement: stored card numbers (PANs) must be rendered unreadable. PCI DSS says nothing about social security numbers, but an SSN is far harder to replace than a card, so the same protection is the obvious minimum.
  2. Governor Haley said that she wanted the hacker "slammed against the wall". I'm guessing that she's not aware that this will be a bored 15-year-old kid in Russia. Good luck with that. The real people who should be slammed against the wall are those who signed off on leaving the data unencrypted. Take everyone who's ever touched that data architecture and fire them immediately. These people are your past, present, and future security holes.
  3. The Governor seemed satisfied that the state is offering identity monitoring. Sorry, the cat's out of the bag. You can't get the social security or credit card numbers back. Monitoring only flags misuse after it happens; it does not prevent it. Cards can be reissued, but 3.6 million social security numbers do not change, and residents will have related problems for years to come.
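
What "encrypt it in the database" looks like in practice, as an added example that is not code from the original post or from the Department of Revenue: a taxpayer row is stored with the SSN and card number as AES-GCM ciphertext, keyed by a data-encryption key that lives with the application (or a KMS/HSM), never in the database itself. Anyone who copies the table gets ciphertext and the card's last four digits, nothing more. The record layout, column names, key and sample values are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// demoKey is a constructed 256-bit data-encryption key. In production it
// comes from a KMS/HSM or a secrets store, never from the database.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// PlainRecord: the "before" row. Every sensitive field is readable, so a
// copied table IS the data, which is what the breach above amounted to.
type PlainRecord struct {
	Name string
	SSN  string
	PAN  string // full card number
}

// ProtectedRecord: the "after" row. SSN and PAN are stored as hex(nonce||ciphertext||tag);
// only the card's last four digits stay readable, for customer-service lookups.
type ProtectedRecord struct {
	Name     string
	SSNEnc   string
	PANEnc   string
	PANLast4 string
}

// fieldCipher wraps an AES-GCM AEAD built from the data-encryption key.
type fieldCipher struct{ aead cipher.AEAD }

func newFieldCipher(key []byte) (*fieldCipher, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &fieldCipher{aead: aead}, nil
}

// seal encrypts one field with a fresh random nonce. The column name is bound as
// associated data, so a ciphertext copied from the SSN column into the PAN column
// fails authentication instead of silently decrypting.
func (f *fieldCipher) seal(column, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nil, nonce, []byte(plaintext), []byte(column))
	return hex.EncodeToString(append(nonce, ct...)), nil
}

// open reverses seal; it fails on a wrong key, wrong column or tampered bytes.
func (f *fieldCipher) open(column, encoded string) (string, error) {
	raw, err := hex.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := f.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := f.aead.Open(nil, raw[:n], raw[n:], []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// protect converts a plaintext row into the form that is safe to write to the table.
func protect(f *fieldCipher, r PlainRecord) (ProtectedRecord, error) {
	ssn, err := f.seal("ssn", r.SSN)
	if err != nil {
		return ProtectedRecord{}, err
	}
	pan, err := f.seal("pan", r.PAN)
	if err != nil {
		return ProtectedRecord{}, err
	}
	last4 := r.PAN
	if len(last4) > 4 {
		last4 = last4[len(last4)-4:]
	}
	return ProtectedRecord{Name: r.Name, SSNEnc: ssn, PANEnc: pan, PANLast4: last4}, nil
}

// leaksPlaintext models an attacker holding a dump of the stored row: is the raw
// identifier recoverable from it by simply reading?
func leaksPlaintext(storedRow, secret string) bool {
	return strings.Contains(storedRow, secret)
}

func main() {
	fc, err := newFieldCipher(demoKey)
	if err != nil {
		panic(err)
	}
	rec := PlainRecord{Name: "Jane Doe", SSN: "123-45-6789", PAN: "4111111111111111"} // constructed sample
	p, err := protect(fc, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("before: %+v\n", rec)
	fmt.Printf("after:  %+v\n", p)
	fmt.Println("SSN readable from stored row:", leaksPlaintext(fmt.Sprintf("%+v", p), rec.SSN))
}
```

The point of the column binding and the separate key is that a database dump alone, which is what an attacker walks away with, is worthless without also compromising the application or key store; that is the layer South Carolina did not have.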

If we as a people continue to let those with blatant disregard for security and standards escape without penalty, then breaches like this will never slow down. I don't care if it's the programmer, database admin, project manager, or the CTO: hold those involved responsible. We all have a duty to stand up for protecting the data of our users.

NASA makes me feel like a kid again

My mind stopped me for a moment this morning and I thought, "How cool is this? I'm watching live video from space." This morning was the scheduled departure of the Dragon capsule (developed by SpaceX) from the International Space Station. In roughly the last month we've seen the first delivery of supplies to the ISS by a private company, a man jumping from the edge of space, and now the return of the Dragon capsule.

Sure, growing up as a kid in the 80's, we thought about all the cool technology that would exist in the far-off future of 2012. As we've all grown older, it's easy to forget how fast things change. We have the technology not only to make these events successful, but also the infrastructure to follow along live, worldwide. Kudos to NASA, SpaceX, Red Bull, and everyone else who has given us moments this month to put things into perspective.

Microsoft drops the ball on security again – Windows 8 passwords in plain text

In what would be an unbelievable event for other tech heavyweights, Microsoft has had a second serious security policy blunder discovered in recent weeks. This time the focus is on Windows 8 and passwords being stored in plain text.

The hole involves user accounts that switch to an alternate sign-in method, a picture password or a PIN. When one of these is selected, the original account password remains stored as plain-text data, so the alternate method adds nothing if that stored copy can be read.

For the full story, continue to Softpedia.