
Medicaid Hacked: Over 181,000 Records and 25,000 SSNs Stolen

timothy posted more than 2 years ago | from the those-damn-corporations dept.

Crime 181

An anonymous reader writes "The Utah Department of Health has been hacked. 181,604 Medicaid and CHIP recipients have had their personal information stolen. 25,096 had their Social Security numbers (SSNs) compromised. The agency is cooperating with law enforcement in a criminal investigation. The hackers, who are believed to be located in Eastern Europe, breached the server in question on March 30, 2012."

if you can't beat them (0)

Anonymous Coward | more than 2 years ago | (#39614999)

secure your servers.

Re:if you can't beat them (5, Interesting)

jellomizer (103300) | more than 2 years ago | (#39615523)

I wish the media would focus on how idiotic Health Insurance companies are, especially in their IT usage.
I work for a hospital and previously I worked for a start-up that did cutting edge medical technology. And let me tell you, the insurance companies' IT is just pure insane and stupid.

The government pushed a new electronic bill form called 5010, which is an upgrade of 4010. These bill forms are sent via EDI (kind of a star delimiter with a tilde line feed, a throwback to old punch card technology). The differences between 4010 and 5010 are for the most part minor, and these changes were due January 1st. We are now in April. Now most of the insurance companies are compliment but there are others who are not; their test environment and production are very different and the test will allow different rules than production. So when a hospital goes live after testing and getting clean tests, they get rejection after rejection because they are not sending the right rules to the insurance company.
Then they stick to the lie (the electronic format has the same data as the paper form). This is a lie, an absolute lie! You call them on the lie and they will flat out deny you. Until you send the data and they reject your claims because there is data that isn't on the paper form, and some fields that are on the paper form you cannot fill in the electronic. Their checking system is insane. If they don't need that field you better not send it or your claim will get rejected.

Now let's go over the transmission to the insurance companies...
Method one. The old BBS. Yes, that's right, the old dial-up BBS is still active. When writing scripts to automate connecting to the companies I see those old DOS-based BBSes of the olden days; most of them have upgraded to allow ZMODEM transfer. Now the more modern ones use Secure FTP. Secure FTP (not to be confused with sftp), as in your data channel is encrypted but not always your command channel. Or worse, there are these VPN groups that many insurance companies get on where, after you connect to the VPN, you then normally FTP to the site... (where a rogue billing company can monitor the ports and see what goes on, because they happen to be in the VPN network)

Everyone worries about HIPAA violations from the health care organization. For the most part, health care organizations now have far more modern and secure systems than the insurance companies do. And if there is going to be a hack it will be in the insurance companies.

Now you are going to say: this hack was with Medicaid, not a private insurance company. Well, Medicare and Medicaid are operated by each state, and a lot of states in essence sold them off to insurance companies to do all the work. Because of the big numbers these companies often do it at a discount. However, they will also cut corners to give more service to their higher paying premium customers. The reason why Medicaid and Medicare have the lowest percentage for administration costs is because they are operated so lightly and push the work to the health care organization to do all the administration. Then they will pass the costs to their customers. And it makes it that much more expensive because you have a bunch of smaller organizations doing advanced administration who cannot do it as optimally as a larger company who can scale the administration costs.

Re:if you can't beat them (5, Informative)

gstrickler (920733) | more than 2 years ago | (#39615701)

You say they are compliant. However, if they're rejecting claims because you're including information that they don't use, they're not compliant with the standard. From the X096/X097/X098 4010 837 transaction set implementation guides:

1.3 Business Use and Definition
...
Trading partners agreements are not allowed to set data specifications that conflict with the HIPAA implementations. Payers are required by law to have the capability to send/receive all HIPAA transactions. For example, a payer who does not pay claims with certain home health information must still be able to electronically accept on their front end an 837 with all the home health data. The payer cannot up-front reject such a claim. However, that does not mean that the payer is required to bring that data into their adjudication system. The payer, acting in accordance with policy and contractual agreements, can ignore data within the 837 data set. In light of this, it is permissible for trading partners to specify a subset of an implementation guide as data they are able to process or act upon most efficiently. A provider who sends the payer in the example above, home health data, has just wasted their resources and the resources of the payer. Thus, it behooves trading partners to be clear about the specific data within the 837 (i.e., a subset of the HIPAA implementation guide data) they require or would prefer to have in order to efficiently adjudicate a claim. The subset implementation guide must not contain any loops, segments, elements or codes that are not included in the HIPAA implementation guide. In addition, the order of data must not be changed. Trading partners cannot up-front, reject a claim based on the standard HIPAA transaction.

I don't have the 5010 guides, but I'm sure you'll find the same or similar language

Re:if you can't beat them (1)

gstrickler (920733) | more than 2 years ago | (#39615731)

Follow-up: On the other hand, if you're sending data that is defined as unused in the HIPAA (as opposed to the payer's) Implementation Guide, then they are correct in rejecting it as your transaction isn't compliant.
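The front-end rule described in the quoted guide text and the follow-up above, sketched as an added example (not code from any poster or from the implementation guides). It assumes the `*` element separator and `~` segment terminator mentioned earlier in the thread; the usage tables and sample transactions are constructed for illustration and do not reproduce the real 837 guides.

```python
# Constructed usage tables (assumption): element positions per segment.
# HIPAA_GUIDE = positions a hypothetical HIPAA guide defines as used.
# PAYER_SUBSET = positions this hypothetical payer actually adjudicates on.
HIPAA_GUIDE = {"NM1": {1, 2, 3}, "CLM": {1, 2, 5}, "REF": {1, 2}}
PAYER_SUBSET = {"NM1": {1, 2, 3}, "CLM": {1, 2}}

# Constructed sample transactions, not real claims.
COMPLIANT_SAMPLE = "NM1*85*2*EXAMPLE CLINIC~\nCLM*A100*150***11~\nREF*EA*R-1~\n"
NONCOMPLIANT_SAMPLE = "CLM*A101*75*X~"


def parse_segments(raw):
    """Split a delimited transaction into (segment_id, [elements]) tuples."""
    segments = []
    for chunk in raw.split("~"):
        chunk = chunk.strip()  # tolerate a line feed after each terminator
        if chunk:
            parts = chunk.split("*")
            segments.append((parts[0], parts[1:]))
    return segments


def front_end_check(raw):
    """Apply the acceptance rule from the quoted guide text.

    - Data the HIPAA guide defines but the payer does not use: accept and
      ignore (the payer may not reject up front).
    - Data the HIPAA guide itself defines as unused: the transaction is
      not compliant, so rejecting it is correct.
    """
    accepted, ignored, errors = {}, [], []
    for seg_id, elements in parse_segments(raw):
        if seg_id not in HIPAA_GUIDE:
            errors.append((seg_id, None))  # segment unknown to the guide
            continue
        payer_positions = PAYER_SUBSET.get(seg_id, set())
        for pos, value in enumerate(elements, start=1):
            if value == "":
                continue  # empty placeholder between separators
            if pos not in HIPAA_GUIDE[seg_id]:
                errors.append((seg_id, pos))
            elif pos in payer_positions:
                accepted[(seg_id, pos)] = value
            else:
                ignored.append((seg_id, pos))
    return {"reject": bool(errors), "accepted": accepted,
            "ignored": ignored, "errors": errors}


if __name__ == "__main__":
    for name, sample in (("compliant", COMPLIANT_SAMPLE),
                         ("non-compliant", NONCOMPLIANT_SAMPLE)):
        result = front_end_check(sample)
        print(name, "reject" if result["reject"] else "accept",
              "ignored:", result["ignored"], "errors:", result["errors"])
```
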

Re:if you can't beat them (4, Funny)

Dunbal (464142) | more than 2 years ago | (#39615781)

To be fair, he said they are compliment.

Re:if you can't beat them (1)

Anonymous Coward | more than 2 years ago | (#39616281)

Yep pretty much. We went from them requiring all sorts of random crap and numbers that they were not LEGALLY ALLOWED TO, to them getting pissed if you send extra data... Great and all but their testing has been terrible. I have had so many clients that the testing is either overly sensitive, or lets anything through. Not to mention the fact that I can send the same data to two carriers and get two different results, even two separate rejections. It's all in the name of deny, deny, deny. The longer they don't pay the more money they keep on interest. Or better yet, they just won't pay ever.

Re:if you can't beat them (4, Funny)

Anonymous Coward | more than 2 years ago | (#39615775)

"Well, Medicare and Medicaid are operated by each state, and a lot of states in essence sold them off to insurance companies to do all the work."

But private business always does things better than government agencies. The Republicans told me so!

Re:if you can't beat them (4, Interesting)

jamstar7 (694492) | more than 2 years ago | (#39615867)

Actually, insurance companies want the uploads to fail. If they don't fail, then they actually have to pay money on a claim. They'd rather not do that, it goes against the bottom line.

Why anybody would wanna steal Medicaid ids is beyond me. To qualify for Medicaid you have to be poor. No way you'll be able to identity theft up a Gold Card with that info. If they weren't so broke they couldn't pay attention, they couldn't get Medicaid.

Re:if you can't beat them (1)

MichaelSmith (789609) | more than 2 years ago | (#39615955)

Yeah, it's like when I worked for our road authority we had a B2B link to pass road service jobs to a contractor. To test the link we put test in every field and the contractor still dispatched the job and billed us. They want to get paid, duh.

Re:if you can't beat them (0)

Anonymous Coward | more than 2 years ago | (#39616267)

Yes. I work for a company that supports the software for small doctors offices. This change over has been a fuster cluck. The best part is that all the insurance companies require you to transmit via SFTP, but MEDICARE, still goes over good old phone lines. Nothing more secure than plain text over a phone line eh?

One more reason against Obama-care (-1, Flamebait)

c0lo (1497653) | more than 2 years ago | (#39615005)

... if the tea-bagers would ever need one more.

(ducks)

Re:One more reason against Obama-care (0)

Charliemopps (1157495) | more than 2 years ago | (#39615051)

I didn't even know they drank tea in Azerbaijan.

Re:One more reason against Obama-care (0)

Anonymous Coward | more than 2 years ago | (#39615099)

I didn't even know they drank tea in Azerbaijan.

I didn't even know Uzbekistan is in Europe :)

Re:One more reason against Obama-care (0)

Anonymous Coward | more than 2 years ago | (#39615369)

What part of America is Europe in?

Re:One more reason against Obama-care (1)

c0lo (1497653) | more than 2 years ago | (#39615587)

What part of America is Europe in?

Why, that's obvious! You know that Europeans speak French, don't you? Therefore it must be a parish somewhere in Louisiana. Failing that, it's sure in Canada.

Re:One more reason against Obama-care (0)

Sniper98G (1078397) | more than 2 years ago | (#39615125)

Because without "Obama-care" government agencies would not have your social security number?

Re:One more reason against Obama-care (0)

Anonymous Coward | more than 2 years ago | (#39615169)

No, it's because they want to bring us back to the time before computers.

Re:One more reason against Obama-care (1)

smitty_one_each (243267) | more than 2 years ago | (#39615597)

Isn't that the whole point of the noble savage [wikipedia.org] myth?

Re:One more reason against Obama-care (-1)

Anonymous Coward | more than 2 years ago | (#39615279)

"... if the tea-bagers would ever need one more.
(ducks)"

You don't need to duck, we have compassion for idiots like you here.

But you should consider refraining from commenting, because you
are a stupid shit.

Re:One more reason against Obama-care (-1)

Anonymous Coward | more than 2 years ago | (#39615331)

But you should consider refraining from commenting, because you are a stupid shit.

Com'on buddy, that's all yea've got? Pray do tell what comes after "or else".

Re:One more reason against Obama-care (0)

Anonymous Coward | more than 2 years ago | (#39615761)

How about both of you trying acting like adults?

Re:One more reason against Obama-care (0)

c0lo (1497653) | more than 2 years ago | (#39615837)

How about both of you trying acting like adults?

Ooooh muuum... but it is him that started first!

(ducks - mod me offtopic, but I couldn't resist)

It is kind of weird (0, Troll)

geoffrobinson (109879) | more than 2 years ago | (#39615439)

You have a ton of liberals claiming there is a right to privacy which guarantees a right to an abortion... but we have to have a single payer health insurer that knows practically everything about us.

Re:It is kind of weird (0)

Anonymous Coward | more than 2 years ago | (#39615553)

You have a ton of liberals claiming there is a right to privacy which guarantees a right to an abortion... but we have to have a single payer health insurer that knows practically everything about us.

Ehh... such a lukewarm attitude... that's not a clear direction a grass root movement can follow. Let me help:
This cannot continue... what we need is multiple health insurers knowing practically everything about us and corporations can help. Bring them on - but not before destroying the first one! (if possible, in a war... it is known to have solved slavery, the Nazis, communism and PMS)

Re:One more reason against Obama-care (1)

jellomizer (103300) | more than 2 years ago | (#39615529)

You could bring up many states farm out medicare and medicaid to private companies.

Re:One more reason against Obama-care (0)

Anonymous Coward | more than 2 years ago | (#39615737)

You could bring up many states farm out medicare and medicaid to private companies.

Yes! This should be a good reason to trash them both. Hang on... except:

1. profit is not a dirty word [slashdot.org] even when used in health care context...
2. ... coupled with your insightful and coolheaded analysis on minority and profitability... [slashdot.org]

... suggests you wouldn't see farming out medicare and medicaid as necessarily a bad thing, would you now? Or: is this a bad idea only because it is conducted by the states?

Re:One more reason against Obama-care (4, Insightful)

WaywardGeek (1480513) | more than 2 years ago | (#39615915)

What's the "Most religious state?" [thenewamerican.com] What's the most Republican state? [gallup.com] What state can't host the Olympics [wikipedia.org] without embarrassing the USA with their corruption? What state lost $2.5M [sltrib.com] to stupid Nigerian "You have been selected to win $100M dollars!" scams? What state bans effective sex-ed? [rawstory.com] Banning D&D in public schools... polygamy... and these people are too innocent to know that the religious right GOP crowd they want to join knows for sure that every Mormon will burn in Hell.

And after yet another epic f--kup, I have to listen to posts like this... on an article about how Utah can't keep track of their Medicare records, and this somehow is an opportunity to blame Obamacare? Give me a break.

Too bad for the crooks that the people are poor. (3, Interesting)

gmanterry (1141623) | more than 2 years ago | (#39615011)

Medicaid is for poor people. Stealing their identity won't gain them access to much money. However the SS numbers might be useful for illegal alien ID cards.

Re:Too bad for the crooks that the people are poor (-1, Flamebait)

Charliemopps (1157495) | more than 2 years ago | (#39615037)

You're a fucking retard. Steal $100 from 181000 people and how much did you just get?

Re:Too bad for the crooks that the people are poor (3, Funny)

GmExtremacy (2579091) | more than 2 years ago | (#39615063)

It's too hard. I give up! What's the answer?

Re:Too bad for the crooks that the people are poor (0)

Anonymous Coward | more than 2 years ago | (#39615295)

Oust! Go make a new account shill :-)

Re:Too bad for the crooks that the people are poor (0)

Anonymous Coward | more than 2 years ago | (#39615067)

You're a fucking retard. Steal $100 from 181000 people and how much did you just get?

You're sitting here calculating a 100% success rate for the criminals, and yet you've got the nerve to call someone else a fucking retard...

Re:Too bad for the crooks that the people are poor (0)

Anonymous Coward | more than 2 years ago | (#39615077)

How is this stealing from them?

It'll be misusing their identity but actual theft from them? No.

Re:Too bad for the crooks that the people are poor (2, Insightful)

c0lo (1497653) | more than 2 years ago | (#39615091)

Medicaid is for poor people.

TFA quotes:

25,096 appear had their Social Security numbers (SSNs) compromised

... many of them feel violated

“But we also hope they understand we are doing everything we can to protect them from further harm.”

Poor people... have their SSN compromised, feeling violated (bordering to "raped" in one meaning of the term) and asked for understanding with promises of "best effort" towards a better future.
However... are the East European hackers the primary cause of their situation?

Re:Too bad for the crooks that the people are poor (0)

Anonymous Coward | more than 2 years ago | (#39615651)

Medicaid is for poor people.

TFA quotes:

25,096 appear had their Social Security numbers (SSNs) compromised

... many of them feel violated

“But we also hope they understand we are doing everything we can to protect them from further harm.”

Poor people... have their SSN compromised, feeling violated (bordering to "raped" in one meaning of the term) and asked for understanding with promises of "best effort" towards a better future. However... are the East European hackers the primary cause of their situation?

That's a rhetorical question and you know it. It would be better for you to answer it yourself.

See it clearly and a certain virtuosity presents itself that you didn't know you had.

Re:Too bad for the crooks that the people are poor (1)

c0lo (1497653) | more than 2 years ago | (#39615795)

Medicaid is for poor people.

TFA quotes:

25,096 appear had their Social Security numbers (SSNs) compromised

... many of them feel violated

“But we also hope they understand we are doing everything we can to protect them from further harm.”

Poor people... have their SSN compromised, feeling violated (bordering to "raped" in one meaning of the term) and asked for understanding with promises of "best effort" towards a better future. However... are the East European hackers the primary cause of their situation?

That's a rhetorical question and you know it. It would be better for you to answer it yourself.

Somebody raised the question [slashdot.org] in a non-rhetorical manner. A suggestion of my position in this matter [slashdot.org]. If you'd like, let's close this thread and continue the discussion on the other one.

Re:Too bad for the crooks that the people are poor (1, Insightful)

SnarfQuest (469614) | more than 2 years ago | (#39616211)

... many of them feel violated

Welcome to the TSA plus Obamacare? Bringing the air traffic experience to medicine.

And who will be held responsible? (5, Insightful)

Eightbitgnosis (1571875) | more than 2 years ago | (#39615023)

Survey says..............

No one!

Re:And who will be held responsible? (5, Insightful)

Kawahee (901497) | more than 2 years ago | (#39615027)

The cynic in me says the hackers will be held responsible.

Re:And who will be held responsible? (0)

Anonymous Coward | more than 2 years ago | (#39615043)

The cynic in me says the hackers will be held responsible.

If your cynic has heard it once, it has heard it 1,000 times...

Good luck with that shit.

Re:And who will be held responsible? (3, Funny)

c0lo (1497653) | more than 2 years ago | (#39615465)

The cynic in me says the hackers will be held responsible.

Seconded.

FTFA adjusted with a link

Director Michael Hales said in a statement. “But we also hope they understand we are doing everything we can [despair.com] to protect them from further harm.”

As they should be (5, Interesting)

Sycraft-fu (314770) | more than 2 years ago | (#39615507)

You should not hack in to systems you don't have permission to access. It is illegal, for the same reason it is illegal to break in to a house you don't have permission to access. It doesn't matter if you are capable of doing it, you shouldn't do it. Thus if you do, expect to be held criminally accountable.

This idea of blame the victims don't blame the criminals that so many on Slashdot have is stupid. Fine, I'll be ok with that so long as you are ok with it applying to the real world. You are ok with me being legally allowed to break in to your house, so long as I am able.

Thing is, I'd be very able. Your physical security is shit, as is everyone's. Individuals never bother with good security. You'll have a regular lock that is vulnerable to bumping, ice picking, and so on. That aside a shotgun with door breaching rounds will take it off the hinges no problem since you have no reinforcement on them. Your walls are probably made of drywall, wood framing and stucco, so a Sawzall can easily take care of that.

You don't choose to spend the time money or effort to secure your house further... Nor should you have to. Yet you think that if people don't have perfect computer security, well someone should be allowed in.

Also this is funny because show me this perfect security. Kernel.org was hacked, gnu.org was hacked, GitHub was hacked, BIND was hacked, and so on. So it isn't like just being open source and all that makes you immune. It seems that security holes happen, and that is just life.

Re:As they should be (2)

Kawahee (901497) | more than 2 years ago | (#39615581)

I am not sure that it's illegal to "hack in to systems you don't have permission to access" in all parts of the world. For this reason, I think the onus falls to the implementer to make sure that any system they develop and make available on the public internet is secure.

Re:As they should be (5, Insightful)

Anonymous Coward | more than 2 years ago | (#39615623)

"Your physical security is shit, as is everyone's. "

No one is arguing that hackers who hack into a system and subsequently either damage the system or leak confidential information from the system out onto the rest of the Internet (or communicate that information to people other than employees of the company to report it to them to fix it) shouldn't be held accountable. They absolutely should.

But there is a huge difference between a residential house (my computer with my info on it) and a bank (a service provider). When I go to a bank, I don't see them leaving unguarded money out in the open for anyone to easily grab. No, they have safes, they have bullet proof glass, they have cameras, they have security guards, they have security switches to alert cops of a robber, they have all sorts of security. Even liquor stores are careful with money, having those huge armored vehicles transporting money from place to place. We expect and require them to take measures to ensure your money is safe.

A service provider is like a bank of information, they should also hold some responsibility and accountability if they store your personal information in such a way that it can easily get hacked into.

And corporations are part of the problem as well. Historically, white hat hackers used to report security vulnerabilities to corporations long before leaking them on the Internet. A while back I remember someone reported a 2wire vulnerability to 2Wire and they did absolutely nothing about it for six whole months before the person who discovered the vulnerability communicated it over the Internet and 2wire finally fixed it with a firmware upgrade (due to public pressure). Many times when people communicate vulnerabilities to corporations privately they simply ignore them. Or they sue. So now people no longer put up with that and they simply leak the information onto the Internet. Which, in some ways, is even better than allowing this information to be kept secret and discovered by black hat hackers who will buy and sell it in the black market and use it nefariously against unsuspecting victims. Because by the time a white hat hacker who doesn't profit as much from discovering the vulnerabilities discovers them, chances are black hat hackers who stand to profit (and are hence far more determined to discover these vulnerabilities) already have. Black hat hackers who know very well how to get away with what they do. So in some ways it's better that the vulnerabilities and potential victims be made aware of the vulnerabilities early so they can respond before something happens.

IIRC, Google will even pay a white hat hacker to privately report a vulnerability in its system so they can fix it. That's how security should work. We're not just criticizing that these corporations make mistakes and allow vulnerabilities to exist in their systems. We're also criticizing their response when a vulnerability is privately reported. That needs to change.

Re:As they should be (0)

Anonymous Coward | more than 2 years ago | (#39615873)

(and black hat hackers who are also likely considerably more experienced at finding these vulnerabilities than white hat hackers and so they are better at it).

Re:As they should be (2)

c0lo (1497653) | more than 2 years ago | (#39615997)

(and black hat hackers who are also likely considerably more experienced at finding these vulnerabilities than white hat hackers and so they are better at it).

Did they extend the black belt ranking to hats as well?

Yeah! And the same with banks! (1)

khasim (1285) | more than 2 years ago | (#39615647)

Banks don't need security once we get over this "blame the victim" mentality.

After all, I'm sure we all store thousands of social security numbers at home.

Re:As they should be (4, Informative)

arth1 (260657) | more than 2 years ago | (#39615847)

This idea of blame the victims don't blame the criminals that so many on Slashdot have is stupid.

I don't see this much. I see a lot of blaming the criminals and those who made it easy for the criminals.
That B is responsible too doesn't take any blame away from A. Just like if your handyman forgets to lock the door, it doesn't make the burglar any less responsible; it only adds blame to the handyman.

Remember, the victim here isn't the Utah Department of Health, it's the users of the services. The Utah Department of Health gets some blame too, not instead.
If any of the victims are to blame for anything, it's voting for a system that puts everything to the lowest bidder, making shit like this common occurrence and impossible to safeguard against.

Re:As they should be (1)

betterunixthanunix (980855) | more than 2 years ago | (#39615885)

This idea of blame the victims don't blame the criminals that so many on Slashdot have is stupid. Fine, I'll be ok with that so long as you are ok with it applying to the real world. You are ok with me being legally allowed to break in to your house, so long as I am able.

"Waahh waahhh I left my front door unlocked and someone stole my valuables!"

Thing is, I'd be very able. Your physical security is shit, as is everyone's

If I kept enough information to hijack hundreds of thousands of identities in my home, I would beef up my security.

Also this is funny because show me this perfect security

Who said anything about perfect security? The problem is that most attacks exploit the same security problems that have been exploited over and over and which people have been warned about over and over again. The fact that techniques for securing information exist and go unused is the problem here; there are criminals in the world, and law enforcement agencies cannot preempt those criminals.

Well said I must admit (adding fuel 2 a fire) (-1, Offtopic)

Anonymous Coward | more than 2 years ago | (#39615913)

"Also this is funny because show me this perfect security." - by Sycraft-fu (314770) on Sunday April 08, @09:29PM (#39615507)

"Kernel.org was hacked, gnu.org was hacked, GitHub was hacked, BIND was hacked, and so on. So it isn't like just being open source and all that makes you immune. It seems that security holes happen, and that is just life.." - by Sycraft-fu (314770) on Sunday April 08, @09:29PM (#39615507)

Let me add to your list, with details & verifying/backing reputable sources:

KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (very bad - do you trust it now?)

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

Linux.com pwned in fresh round of cyber break-ins: (lol)

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware [slashdot.org]

What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com [netcraft.com]

---

London Stock Exchange serving malware:

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware [slashdot.org]

(I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch [slashdot.org] , & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)

---

DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS: (very recent):

http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers [slashdot.org]

---

Linux Foundation, Linux.com Sites Down To Fix Security Breach: (lol)

http://linux.slashdot.org/story/11/09/11/1325212/linux-foundation-linuxcom-sites-down-to-fix-security-breach [slashdot.org]

---

Linux's showing in CA's breached recently too? Ok: (very, Very, VERY BAD for ecommerce, online shopping, banking, etc./et al)

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=www.gemnet.nl [netcraft.com]

The list of CA Servers BREACHED that RUN LINUX (StartCom, GlobalSign, DigiCert, Comodo, GemNet)... per these articles verifying that:

http://itproafrica.com/technology/security/cas-hacked/ [itproafrica.com]

&

http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811 [threatpost.com]

---

The Stratfor SECURITY hack: (can't blame it on poor setup, this IS a security firm that uses Linux)

http://yro.slashdot.org/story/11/12/28/1743201/data-exposed-in-stratfor-compromise-analyzed [slashdot.org]

What's that domain run? Yes kids - you guessed it: LINUX -> http://uptime.netcraft.com/up/graph?site=www.stratfor.com [netcraft.com]

---

Phishers/Spammers FAVOR attacking LAMP: (Linux, Apache, mySQL, PHP)

http://www.theregister.co.uk/2011/06/10/domains_lamped/ [theregister.co.uk]

PERTINENT QUOTE/EXCERPT:

"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey. Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers"

---

Toss ANDROID (yes, a Linux since it uses a Linux kernel) in also, since it's being "shredded" on the mobile phone security-front rampantly for years now?

* You get the picture...

APK

P.S.=> Linux Security Blunders DOMINATE in 2011, despite all /. "FUD" for years saying "Linux = SECURE" (what a crock of shit that's turning out to be, especially on ANDROID where it can't hide by "security-by-obscurity" anymore & is in the hands of non-tech users galore - & EXPLOITS ARE EXPLODING ON ANDROID, nearly daily)

... apk

I didn't mention this though in my last reply... (-1)

Anonymous Coward | more than 2 years ago | (#39616039)

"Also this is funny because show me this perfect security." - by Sycraft-fu (314770) on Sunday April 08, @09:29PM (#39615507)

For Windows 2000/XP/Server 2003/VISTA/7/Server 2008R2 setup as the default 'stand-alone' single system workstation connected to the internet?

Sure - Yes, I can by doing what's in any of these search results to-the-letter:

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&qs=ns&form=QBLH [bing.com]

After all, in principle via "layered security"/"defense-in-depth" practices for computing security in Windows is even made EASY!

(So, if you use Windows &/or Linux/Solaris (*NIX), get a copy of CIS Tool & see. It's actually almost fun, like a security benchmark test & it's massively multi-platform (a security testbenchmark, as opposed to say, ScienceMark 2.0 which is a geek CPU/Memory Performance-Oriented testing benchmark that's both 32/64-bit))

It, imo @ least, is more fun to use + run than anything anyone else puts out including MS Baseline Security Advisor which is a baseline only, keyword there.

CIS Tool gets way, Way, WAY into the nitty gritty stuff for Windows security @ the registry level & permissions levels + far more, & actually makes it fun to do. Time-consuming, but fun & you only have to do it, once.

It works on the technique of "you can't get ill from something you never were exposed to & damaged/attacked by" is why: Simplest principle there is really. "You can't get burned if you didn't go into the fire" in the first place.

There's more to it than that though, by far, as to other tools, tips/tricks/techniques that one already has with any BSD based IP stack & antivirus-antispyware tools + removal tools (std. stuff) & more, far more. If you do it yourself, I don't have to elucidate in detail, you KNOW where I am coming from.

Then, educating a user on how to make judicious decisions or exceptions for sites you need scripting on, what to download OR how to research if it's clean, & to make smart sensible surfing once learned, do the rest. Cutting off indiscriminate use of "javascript everywhere" does the rest (NoScript or Opera's options for it are examples).

* It really works, but 1/2 of it is telling people what makes them get malware infested in the 1st place so they realize what to keep away from too... "an ounce of prevention > a POUND of 'cure'".

APK

P.S.=> You asked, lol... & that was the part I omitted in my last reply to you (quoted it, but hit submit too fast) -> http://news.slashdot.org/comments.pl?sid=2773441&cid=39615913 [slashdot.org] & I like to offer complete information... apk

Re:And who will be held responsible? (1)

jamstar7 (694492) | more than 2 years ago | (#39615905)

Yes, the hackers will be held responsible. But will they be caught? Track record says 'no'. Unless they do something seriously stupid.

We must stop pretending SSNs are secret! (5, Insightful)

Anonymous Coward | more than 2 years ago | (#39615053)

We have to stop pretending that the SSN is something only the owner knows. It cannot be an identifier and a password at the same time. It's because of our retarded system that SSNs are such a juicy theft target. Other countries have similar personal identification numbers and no rampant "identity theft" problems like we have here in the US.

Simply put, someone should not be able to pretend they are you just by knowing your SSN and name and date of birth. All should be public info and not security questions. Someone can't go in and get a loan just because they found my name in the phone book, it should be the same with the SSN. Leave it be an identifier and only an identifier. The cat's out of the bag with the secret part.

Re:We must stop pretending SSNs are secret! (1)

erroneus (253617) | more than 2 years ago | (#39615151)

By owner, do you mean "government"? As the person identified by such a number, I am powerless to determine the use of that number and meanwhile, to live a "normal life" that doesn't involve putting everything I can carry into a shopping cart and sleeping on park benches, I have to surrender this "secret" to every business and government agency everywhere. And we were "told" the social security number was just for tracking your social security account. Instead it's also your Tax ID (yeah, I know you can request a Tax ID...) and is the number someone who is NOT government has decided will be used to track your credit-worthiness and has the protection of law saying that if I falsify my credit information that I have committed fraud.

Who is the "owner"?

Re:We must stop pretending SSNs are secret! (1)

Anonymous Coward | more than 2 years ago | (#39615221)

Of the card or of you?

Re:We must stop pretending SSNs are secret! (5, Insightful)

kqs (1038910) | more than 2 years ago | (#39615263)

I have no idea what you mean by "owner".

The government assigns them. Each number is supposed to uniquely identify a citizen and is used mostly for SS (and a few other governmental uses). So far so good; the government assigns them and (apparently) uses them appropriately as a unique ID number.

Now we have dozens of private businesses using them as a password. Fine, I guess it's a free country. But somehow, if someone finds out my number and uses it to open a loan in my name, *I'm* liable for the loan. It's my phone that rings with creditors and my credit score which is damaged. It seems to me that the problem is these corporations which use these numbers as passwords but disclaim liability for fraud. Make it clear that financial institutions have the liability for bad loans they originate, that bad credit reports MUST be cleared unless the financial institution can prove they are true, and that there are very strict penalties for companies which abuse these rules, and the "identity theft" problem will vanish very quickly.

Re:We must stop pretending SSNs are secret! (1)

c0lo (1497653) | more than 2 years ago | (#39615413)

I have no idea what you mean by "owner".

1. Whoever can sell or donate it.

2. Or, not exactly owning, but here's a quote from the "future history":

He who can destroy a thing, controls a thing

Following the first definition: whatever entity you used your SSN number with... (employers, tax office, your local pharmacy and possible big-pharma, the Utah Department of Health).
Following the second definition: hackers in East Europe, no-such-agency's data center in Utah, men-in-black, etc

Re:We must stop pretending SSNs are secret! roxy (1)

Anonymous Coward | more than 2 years ago | (#39615441)

I agree! If a bank or company gives someone a loan based on a name, birthday, and SSN, then it is the bank's fault. Because they did not take steps to properly verify who they gave money to, it is the bank's fault. I was not involved in any way. Any damage to my credit rating and the time I spent cleaning things up, the bank must reimburse me for.

I have been notified twice that my info was stolen from university servers, so they gave me one year free credit monitoring each time. The info is still valid after one year, dumbazzes. If someone gives out a loan based on my info, I will contact a lawyer and have them send a letter to that bank and demand that they cover all costs related to cleaning up after their error. No one should give out a loan without seeing the person face to face and take a photograph, and fingerprints when it exceeds $1000 or something. I am so sick of everyone being allowed to push it off to the innocent party.

Re:We must stop pretending SSNs are secret! (0)

Anonymous Coward | more than 2 years ago | (#39615481)

Just goes to show you that making promises to accommodate the superstitious and paranoid among us is more costly than dealing with them in an appropriate manner.

But seriously, you want impunity for falsification of a document?

This is why we would be better off with an effective Identity System and screwing the Revelation reading nincompoops.

Re:We must stop pretending SSNs are secret! (1)

swalve (1980968) | more than 2 years ago | (#39615517)

Just use a tax ID number for business purposes.

Re:We must stop pretending SSNs are secret! (0)

Anonymous Coward | more than 2 years ago | (#39615233)

You said Utah? Isn't that where the NSA has its data center? It's probably them on initial tests for information gathering. No worries. ;-)

Re:We must stop pretending SSNs are secret! (1)

Mongo T. Oaf (2600419) | more than 2 years ago | (#39615241)

You are correct. How far are they gonna get without a picture ID?

That's retarded businesses and government's fault. (0)

Anonymous Coward | more than 2 years ago | (#39615447)

If businesses weren't so stupid as to just require those things to identify someone, then it would be a problem - for individuals.

When someone's identity is stolen, the victim is the one who goes through hell for a very long time dealing with collectors, lawyers suing and in some cases actually being arrested by someone posing as them. The moronic bank, credit card company, or whoever just writes it off and passes the costs on to everyone else.

There ought to be a security certification (2)

Beeftopia (1846720) | more than 2 years ago | (#39615071)

There ought to be a security-related certification, along the lines of CMMI Level X, for websites that want to put sensitive information online. A group goes in and audits the network and the office, does penetration testing, and gives you a rating based on corporate practices, user knowledge and potential and actual weaknesses.

Before these sites feel like they can put up my social security number and health records behind passwords like admin/admin, or allow contractors to download entire social security databases and leave them on USB drives or laptops which can be/are stolen, they should first obtain some minimum level of security-related competence certification.

Re:There ought to be a security certification (1)

Anonymous Coward | more than 2 years ago | (#39615157)

There ought to be a security-related certification, along the lines of CMMI Level X, for websites that want to put sensitive information online. A group goes in and audits the network and the office, does penetration testing, and gives you a rating based on corporate practices, user knowledge and potential and actual weaknesses.

Before these sites feel like they can put up my social security number and health records behind passwords like admin/admin, or allow contractors to download entire social security databases and leave them on USB drives or laptops which can be/are stolen, they should first obtain some minimum level of security-related competence certification.

There is. FISMA.

Effective technology (2)

bdabautcb (1040566) | more than 2 years ago | (#39615085)

This brings up an interesting question as to whether the advantages of storing massive amounts of personal data on public facing servers (or any server at all, recent reports have me convinced that if anybody including governments, foreign hackers, or anyone else that wants the data bad enough will be able to find a way to get it) creates large enough benefits to balance the damages caused by breaches like this.

Headlines? (5, Insightful)

Shoten (260439) | more than 2 years ago | (#39615145)

Okay, Slashdot seems to be getting worse and worse about distorting things in the titles of the topics. "Medicaid Hacked" is NOT what happened here. Not even close. And when the first line of the topic's body is "The Utah Department of Health has been hacked," then you can't even excuse the poster as having been a little confused; it's flagrant tabloid-like sensationalism. Cut it out, already.

Re:Headlines? (2)

JSG (82708) | more than 2 years ago | (#39615183)

Note the name of the submitter of the article and then ignore in future. You'll find /. much more fun then.

Re:Headlines? (1)

the eric conspiracy (20178) | more than 2 years ago | (#39615203)

An anonymous reader?

Better yet note the name of the poster.

Re:Headlines? (1)

blackraven14250 (902843) | more than 2 years ago | (#39615505)

As Medicaid is a program wholly managed by the states, it's not unreasonable to say that Medicaid was hacked. It's a subset of the whole Medicaid program, sure, but it's also the largest meaningful subunit of Medicaid that can be hacked.

Where was the US Cyber Command? (0)

Anonymous Coward | more than 2 years ago | (#39615161)

I've seen the fancy commercials. From what I learned, they are supposed to be preventing this crap. Oh, you mean it doesn't really work that way?

Re:Where was the US Cyber Command? (0)

HBI (604924) | more than 2 years ago | (#39615305)

It's another government boondoggle. The government lacks a capability, remember? Sure, they spend a ton on salaries and office space, but in terms of actually accomplishing anything? Nothing.

Re:Where was the US Cyber Command? (1)

c0lo (1497653) | more than 2 years ago | (#39615429)

It's another government boondoggle [despair.com] .

FTFY by including the proper citation (and attribution).

Good job all! (0)

Anonymous Coward | more than 2 years ago | (#39615297)

Let's fuck the poor even more!

Hoorayyy!

another example of (-1)

Anonymous Coward | more than 2 years ago | (#39615341)

your tax dollars at work! keep smokin' that entitlement ganja!

SSN should not need be secret (2)

zr (19885) | more than 2 years ago | (#39615351)

Because de-facto it's not. So we shouldn't assume that it's secret and never use it as means of authentication. About as secret as your zip code.

In other words, if a bank gives out a loan based on SSN alone, let _them_ hold the bag on it.

How long do you think SSN theft will remain profitable after we do that?

Re:SSN should not need be secret (0)

Anonymous Coward | more than 2 years ago | (#39615495)

Amazingly, gas stations use your zip code as a second factor authentication.

Re:SSN should not need be secret (2)

swalve (1980968) | more than 2 years ago | (#39615545)

But multiple factors increase the entropy greatly. If someone guesses my number and burns a card with it, or steals my card, they have to know my zip code to be able to use it. If they got my wallet, it's probably easy. (Not in my case, as my CC stuff is billed to a different zip code, but I digress.) But it adds a level of complication to the transaction.

Utah IT pro (1)

eclectro (227083) | more than 2 years ago | (#39615357)

Password: Admin

Online records "hindenburg moment?" (4, Insightful)

GameboyRMH (1153867) | more than 2 years ago | (#39615363)

I wonder if at some point there will be a breach so bad that certain critical records will be moved to airgapped systems and never go back, just because of the horrible memory of that disaster.

Re:Online records "hindenburg moment?" (1)

Anonymous Coward | more than 2 years ago | (#39615921)

"Oh the humanity" -- what happened with the Hindenburg was /not/ that airships were fixed, but that they were abandoned.

Let's try for a different kind of moment, perhaps? Although I do like the poetry of an acrobat leaping from the inferno.

Re:Online records "hindenburg moment?" (0)

Anonymous Coward | more than 2 years ago | (#39616195)

In Utah local news stations reported shortly after the hack that the data was stolen from "development machines" that were not behind the same security firewalls as the production servers. Hmmm, seems like the developers downloaded live data, probably for testing, onto their work machines and just didn't bother with necessary security. I suspect there may be some changes made.

if only (0)

Anonymous Coward | more than 2 years ago | (#39615509)

they stored the data in that super secret nsa data center out there.

These hacks wouldn't matter... (5, Interesting)

justcauseisjustthat (1150803) | more than 2 years ago | (#39615555)

These hacks and all hacks that steal information but no money, etc. would be made pointless if the banking system and credit bureaus had better validation requirements!!! But instead they want to defraud their customers by selling credit and identity protection.

Air-Gapped secret computers mmkay? (0)

Anonymous Coward | more than 2 years ago | (#39615609)

Then the bad guys have to social engineer or use force to steal the secrets such computers contain.

CAPTCHA: blackout (lol! :D )

So? (2)

s0nicfreak (615390) | more than 2 years ago | (#39615667)

What exactly are they going to do with these? Identity theft? I'd be willing to bet that these people don't have good enough credit, assets, etc. to make it worthwhile.

Re:So? (1)

AHuxley (892839) | more than 2 years ago | (#39616029)

The digital world's version of subprime? You roll a lot of "new" data into a big file and sell it in bulk as a US identity pack.
It's then used, sorted, sold on by persons or groups interested in unique or statewide data.

noobs got pwned (1)

laserdog (2500192) | more than 2 years ago | (#39615705)

get better internet security measures or something if u can't stand the heat try to wear gloves and hope you don't get burned

Payback time already? (1)

yanyan (302849) | more than 2 years ago | (#39615739)

http://yro.slashdot.org/story/12/04/08/1850249/innocent-or-not-the-nsa-is-watching-you [slashdot.org]

Could be related, considering they're in the same state. Maybe the attackers wanted to hit home and hit hard.

Re:Payback time already? (1)

laserdog (2500192) | more than 2 years ago | (#39615887)

totally what i thought dog totally

Not About US Health Insurance (0)

Anonymous Coward | more than 2 years ago | (#39615801)

Utah is the home of the NSA's new "Data Center"; http://yro.slashdot.org/story/12/04/08/1850249/innocent-or-not-the-nsa-is-watching-you.

The US Medicaid server in Utah, like all US Medicaid servers utilizes firewall and encryption from the NSA.

Ah Ha! [Score: Insight Upgraded 200 pts]

The hack of the US Medicaid server could have been a proof-of-concept experiment to verify that NSA's encryption is broken.

Easy thing to spoof yourself to look like you are in Europe when in actuality you are 5 km from Fort Meade, Maryland, the home of the NSA.

LoL XD

#irc4.trolltalk.com (-1)

Anonymous Coward | more than 2 years ago | (#39615821)

be onf a wrong

In other news... (1)

maverick41 (574379) | more than 2 years ago | (#39615891)

...there has been a run on illicit payday loans! Investigators believe there may be a link to the Medicaid breach.

Big Deal (1)

Murdoch5 (1563847) | more than 2 years ago | (#39615949)

Why do I say Big Deal? Medical records aren't safe in any kind of form or capacity. I've had 5 different entire sets of medical results lost, misplaced and never found. I've had medical records lost in shipment from one doctor to another. So what's the big deal? The medical industry doesn't give a rat's ass about keeping your data safe, losing one medical result is bad enough, losing two is unacceptable and losing 5 is just beyond insane. If doctors, hospitals and front desk personnel really cared what happened to your medical documents they would guard them with their lives and they don't.

I would like to add that over the last 15 years NONE of the missing results have been found or even traces of the documents, London general even admitted they were sorry after the first time they lost the documents, they didn't give a shit after losing the second and Grand River Hospital in Kitchener Ontario has never once stood up and told me it's their fault for losing the other 3 documents. If you want a great insecure place to put documents and personal information then the medical association is the place for you!

More diversion? (0)

Anonymous Coward | more than 2 years ago | (#39615951)

The paranoia in me is wondering if the governments are staging these attacks so that the SOPA, ACTA, and various other copy cat bills can be pushed through the legislative process with little resistance on the grounds of treachery. Again, the paranoid person in me, but there have been an awful lot of attacks so close together in the last 6 months or so (especially with a focus on sensitive data being stolen), all during the heated SOPA debates and the pressure of the MPAA and the RIAA trying to push it through. It almost makes me wonder since they had such a hard time getting it through on the momentum of IP piracy, they may feel they have a better chance with personal data being compromised. We're seeing different versions of the same bill popping up rapidly as well, and flying under the radar for some part. Just a thought. Call me a conspiracy theorist. I don't care. Just sayin' is all.

So... (0)

Anonymous Coward | more than 2 years ago | (#39616073)

When will anonymous claim this as the next great blow against the %1?
