
LexisNexis and Other Major Data Brokers Hacked By ID Theft Service

Unknown Lamer posted about a year ago | from the someone-forgot-to-install-rkhunter dept.

Security

gewalker writes "Have we reached the point where it is time to admit that the ID thieves are winning and will continue to win as long as their incentives are sufficient to make it lucrative for them? According to Krebs On Security, an analysis of a database pilfered from commercial identity thieves identified breaches in 25 data brokers including the heavyweights Dun and Bradstreet and LexisNexis." And they had access for months to most of them. From the article: "The botnet's online dashboard for the LexisNexis systems shows that a tiny unauthorized program called nbc.exe was placed on the servers as far back as April 10, 2013, suggesting the intruders have had access to the company's internal networks for at least the past five months. The program was designed to open an encrypted channel of communications from within LexisNexis's internal systems to the botnet controller on the public Internet." The companies compromised aggregated data for things like "credit decisions, business-to-business marketing and supply chain management. ... employment background, drug and health screening."


This is what IDS/IPS appliances are for... (5, Insightful)

mlts (1038732) | about a year ago | (#44948323)

No real excuse for this. This is exactly what network IDS/IPS programs/appliances are for.

Any data center dealing with sensitive information should have an IDS/IPS installation which should have shut down nbc.exe's access out to the Internet, or at least raised a red flag in Splunk or whatever logging console application in use. Most data centers have a list of authorized IPs that internal sites communicate out to, and if some machine communicates to an IP repeatedly on a sensitive network, it would be investigated, or at the minimum, looked at. Multiple machines communicating encrypted data to site out on the Internet is something that IDS applications are designed to detect, and IPS offerings designed to cork until someone takes a look at it.

Security isn't rocket science. It is using basic concepts to compartmentalize information and applications to check for known/unknown attacks, and buying/using the tools needed.

Re:This is what IDS/IPS appliances are for... (-1, Troll)

NoImNotNineVolt (832851) | about a year ago | (#44948349)

Not sure what IDS is supposed to be, but how is a nice LCD monitor supposed to be a security tool?

Re:This is what IDS/IPS appliances are for... (0, Informative)

Anonymous Coward | about a year ago | (#44948415)

Re:This is what IDS/IPS appliances are for... (3, Informative)

Anonymous Coward | about a year ago | (#44948645)

http://en.wikipedia.org/wiki/Intrusion_detection_system
http://en.wikipedia.org/wiki/Intrusion_prevention_system

Re:This is what IDS/IPS appliances are for... (2)

sjames (1099) | about a year ago | (#44950803)

IDS is a tool primarily used for extracting large amounts of money from the customer in return for no guarantees of any kind. This is mostly because they would have to not only be AI to be fully effective, but would have to 'think' many times faster than a human just to keep up.

That's not to say they're useless, but they are far from a silver bullet and there's an awful lot of over-promising and under-delivering in that space.

Re:This is what IDS/IPS appliances are for... (1)

Austrian Anarchy (3010653) | about a year ago | (#44948451)

No excuse is right. In what other industry would the entire contents of a warehouse of other people's property walk right out the door, with the customers accepting the excuse "we didn't see them add an extra door?"* At least something is being said about it here. *Besides banking.

Re:This is what IDS/IPS appliances are for... (5, Interesting)

Anonymous Coward | about a year ago | (#44948479)

This company and every one like it shouldn't even exist.

They collect all this data about us without our permission. They offer me no service.

Just remember kiddies, things were quite fine without these services. But with the demise of local business, consolidation into massive organizations spread all over the World, these businesses were created for their use, convenience and to lower their costs. It gives them the edge on knowledge about us and how to market shit to us - and it's all shit - especially in financial services.

I had a credit bureau problem. THEIR information was wrong and as a result, I failed the authentication. They gave me an 800 number to call and I got this woman with a heavy accent (Indian?) who asked me a bunch of personal questions.

When I asked her what country she was in, she responded that she couldn't answer because of "Security reasons."

So, MY security means nothing to TransUnion but where their off shored call center is does.

Corporations are the only ones who have a right to privacy and security.

Re:This is what IDS/IPS appliances are for... (2)

Austrian Anarchy (3010653) | about a year ago | (#44948557)

If they were subject to the level of liability that they *should* be subject to, they would have been gone long ago and replaced by those who know what they are doing.

Re:This is what IDS/IPS appliances are for... (0)

Anonymous Coward | about a year ago | (#44948693)

If you were calling a credit reporting agency, they most likely are only staffed overseas. There was a recent 60 Minutes story about this.

Re:This is what IDS/IPS appliances are for... (5, Insightful)

DarkOx (621550) | about a year ago | (#44949391)

Right! This is the big problem. We need to be able to look at the laws that are allowing these guys to escape liability both on the accuracy side and the privacy side.

Slapping "information may not be 100% accurate" in light type face on the bottom of a credit report should not protect them from being held responsible for libel. When they leak your PI and you have to change account numbers, etc, they should be held responsible for interference with your other contracts.

If the courts really worked we could bankrupt them in a week; which is what they deserve.

Re:This is what IDS/IPS appliances are for... (1)

Jane Q. Public (1010737) | about a year ago | (#44950279)

Mod this one up.

Remember that they were also found to be artificially inflating the ratings of mortgage derivatives, leading to the "crash" of 2008.

I say just get rid of 'em. They work for the international bankers, not us.

Re:This is what IDS/IPS appliances are for... (0)

Anonymous Coward | about a year ago | (#44949667)

When I asked her what country she was in, she responded that she couldn't answer because of "Security reasons."

So, MY security means nothing to TransUnion but where their off shored call center is does.

Corporations are the only ones who have a right to privacy and security.

Given the rest of your comment, I am surprised you didn't realize that the security they wish to protect is their security from you.

Re:This is what IDS/IPS appliances are for... (2)

moteyalpha (1228680) | about a year ago | (#44950601)

You are absolutely right. On top of this, in order to access a game, use a convenience, buy a rug, check their email, answer their phone, people always agree to a contract (TOS) they never read which allows them the right to do this. It is a process like spam, xss, hacking, cracking, and many other things that come with a complex anonymous communication network between people that includes sociopaths. People who live in glass fiber shouldn't throw stone packets.

It seems from a technical standpoint there is no real solution to this problem without abandoning the entire structure. It is a runaway technological process and like any chain reaction, it grows exponentially. Whoever knows whether a bot is really controlled by a human anymore; I can see that it is possible to fabricate an evolving system and if it had no centralized requirement, it could become more powerful than any company or nation. It is life imitating art and I know it is a common joke, but saying you welcome your new bot net overlord will not stop the Terminator from infiltrating the SCADA and ordering copies of itself using your credit card.

skimming is good (0)

Anonymous Coward | about a year ago | (#44957527)

The profits get smaller per unit but bigger through the aggregation. The process started after the first farmer noticed that he could skim cream off of milk and still have milk, but also have butter. The process gets complex and sophisticated - we now have skimmers being corporations controlled by skimmers, i.e. CEOs that skim corporations and shareholders alike. It is not all that bad though - I now have pr0n served from the cloud for free that I would have had to spend thousands on if I wanted to purchase the DVDs. I see progress there. I just have to resist requests by hot women from the intrantes - come to think of it, had Turing had a chance to look at the xxx and dating pages he would probably have invented a bit more difficult tests for bots....

Re:This is what IDS/IPS appliances are for... (3, Informative)

cyberpocalypse (2845685) | about a year ago | (#44948595)

Any IDS/IPS is only as good as its signatures. The problem with these devices is that attackers can use a flurry of heuristic tactics to completely bypass these systems as well as DLP. There is a difference had you mentioned SIEM, which *may* have worked if there were vigilant analysts looking at logs repeatedly. In order to understand why IDS/IPSs fail, you need to understand attacks. At any point in time, when I perform pentests, I ALWAYS start off sending a barrage of data to generate junk. This is done for a few reasons: 1) it tests responses from DFIR teams and 2) allows me to get in under the radar. Now when you state: "machines communicating encrypted data to site out on the Internet is something that IDS applications are designed to detect" you're 10000000% wrong. Any IPS/IDS admin doing this is giving themselves a headache. Do you have any idea how many false positives it would generate from employees going to log into, say, Gmail, their banks, or anything else using SSL?

Re:This is what IDS/IPS appliances are for... (1)

Anonymous Coward | about a year ago | (#44948675)

You let employees check gmail from production database hosts? If my IDS showed this, there likely would be one less person on the IT team.

Re:This is what IDS/IPS appliances are for... (4, Informative)

cyberpocalypse (2845685) | about a year ago | (#44948793)

You're missing the gist of it here. The reality on production servers is, most are locked down from egress attacks. This does not stop, minimize, and/or deter an attacker from hitting you up with a client-side attack on a non-production machine, passing a hash, then to and from trusted sources until it gets out:

Attacker --> client side --> workstation
workstation --> attack --> production server
production server --> workstation
workstation --> via SSL --> attacker

This would fill a wiki page so I will stop there. There was a point to be made without me having to spell things out.

Re:This is what IDS/IPS appliances are for... (1)

moteyalpha (1228680) | about a year ago | (#44951085)

You had me at --> client side.

Re:This is what IDS/IPS appliances are for... (0)

Anonymous Coward | about a year ago | (#44950941)

Any IDS/IPS is only as good as its signatures

No, that's bullshit. Any IDS/IPS should, at the very least, operate on a whitelist of external addresses which are allowed. Any attempts to open up a connection to unauthorized IP space should be blocked, logged, and flagged for review. This is security 101 stuff, nothing advanced at all.

Do you have any idea how many false positives it would generate from employees going to log into say Gmail, their banks, or anything else using SSL.

None at all, unless you allow employees to log into your SERVERS in order to check their gmail account. Which would be an incredibly stupid thing to do.

No, IDS/IPS are not perfect systems. But in most cases, the fundamental issue is not a failure of the security mechanisms, but poor policies and practices which render those systems next to useless.
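The egress allow-list check argued for in the two posts above (a fixed list of permitted external destinations for the sensitive segment, with anything else blocked, logged and flagged, and repeat or multi-host talkers escalated) as an added Python example; this is not code from the thread or from any IDS product, and the subnets, destinations and flow records are constructed for illustration.

```python
"""Egress allow-list check over constructed connection records (added example)."""
import ipaddress
from collections import defaultdict

# Constructed flow records: "<timestamp> <src_ip> <dst_ip> <dst_port>".
# 10.20.5.0/24 stands in for the sensitive server segment; 203.0.113.45 is a
# constructed unauthorised destination that two servers repeatedly reach on 443.
SAMPLE_FLOWS = """\
2013-04-10T03:00:05Z 10.20.5.11 192.0.2.20 443
2013-04-10T03:00:09Z 10.20.5.11 203.0.113.45 443
2013-04-10T03:05:09Z 10.20.5.11 203.0.113.45 443
2013-04-10T03:10:10Z 10.20.5.11 203.0.113.45 443
2013-04-10T03:10:44Z 10.20.5.12 192.0.2.20 443
2013-04-10T03:11:02Z 10.20.5.12 203.0.113.45 443
2013-04-10T03:12:00Z 10.20.5.12 198.51.100.10 53
2013-04-10T03:13:00Z 10.30.1.7 203.0.113.9 80
2013-04-10T03:14:00Z 10.20.5.13 198.51.100.77 443
"""

SENSITIVE_NETS = [ipaddress.ip_network("10.20.5.0/24")]
# Destinations the sensitive segment is permitted to reach (constructed list).
EGRESS_ALLOWLIST = [
    ipaddress.ip_network("192.0.2.0/24"),      # e.g. a partner API range
    ipaddress.ip_network("198.51.100.10/32"),  # e.g. the approved resolver/proxy
]
REPEAT_THRESHOLD = 3  # same src->dst:port this many times looks like beaconing


def in_any(addr, nets):
    """True if addr falls inside any network in nets (mixed IP versions just miss)."""
    return any(addr in n for n in nets)


def parse_flow(line):
    """Parse one record into (ts, src, dst, port); None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (parts[0], ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]))
    except ValueError:
        return None


def analyze_egress(log_text, threshold=REPEAT_THRESHOLD):
    """Report flows from sensitive hosts to destinations outside the allow-list.

    Returns a list of findings {"src", "dst", "port", "count", "reasons"};
    reasons is a sorted subset of {"not_allowlisted", "repeated", "multi_host"}.
    """
    counts = defaultdict(int)         # (src, dst, port) -> number of flows seen
    hosts_per_dst = defaultdict(set)  # dst -> sensitive sources that reached it
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        _ts, src, dst, port = rec
        if not in_any(src, SENSITIVE_NETS):
            continue  # only police the sensitive segment
        if in_any(dst, EGRESS_ALLOWLIST):
            continue  # authorised destination, nothing to flag
        counts[(src, dst, port)] += 1
        hosts_per_dst[dst].add(src)

    findings = []
    ordered = sorted(counts.items(),
                     key=lambda kv: (str(kv[0][0]), str(kv[0][1]), kv[0][2]))
    for (src, dst, port), n in ordered:
        reasons = ["not_allowlisted"]
        if n >= threshold:
            reasons.append("repeated")       # one host, many flows: beacon-like
        if len(hosts_per_dst[dst]) > 1:
            reasons.append("multi_host")     # several servers, same unknown peer
        findings.append({"src": str(src), "dst": str(dst), "port": port,
                         "count": n, "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    for f in analyze_egress(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['port']} x{f['count']} "
              f"[{', '.join(f['reasons'])}]")
```

The check deliberately ignores whether the traffic is encrypted: the signal is the destination not being on the list, not the payload.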

Re:This is what IDS/IPS appliances are for... (0)

Anonymous Coward | about a year ago | (#44948659)

This program was crafted to be sneaky, virustotal scanned it and NOBODY detected it. TFA says they encrypt I/O.

It's quite possible the nbc.exe obfuscates network calls using whitelisted windows components like svchost.exe or other time-tested tricks.

The "excuse" should be more along the lines of failure to audit these systems regularly among SEVERAL data brokers. It's the lazy attitudes towards security given the content, as demonstrated by large players in the info-warehousing industry, that's the issue, not any single misconfiguration or security oversight as an IT issue. It's widespread.

Re:This is what IDS/IPS appliances are for... (2)

PlusFiveTroll (754249) | about a year ago | (#44949069)

Anti-virus is a failure. I can whip up a trojan in pretty short order that will not be (and may possibly never be) detected by A/V. First order of failure is allowing unsigned executables to run. Second order of failure is allowing new executables on the system and nobody hears anything about it. An offline-style tripwire-type scan should be run once a week or so on the systems to detect changes in the filesystem. The final failure is unaudited egress traffic to any system. Who cares if the traffic is encrypted; "why is it occurring in the first place?" should be the question.
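The offline tripwire-style rescan the post above calls for, as an added Python example (not code from the thread or from Tripwire itself): a baseline of content hashes plus size and mode for every regular file under a root, and a comparison that reports what a later scan finds added, removed or modified. The directory tree, file names and contents are constructed for the demonstration.

```python
"""Tripwire-style offline file-integrity scan (added example, constructed data)."""
import hashlib
import os
import tempfile


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to (sha256, size, mode).

    This is the baseline. Keep it off the host or on read-only media so an
    intruder who owns the box cannot quietly rewrite it to match their changes.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (_sha256_file(full), st.st_size, st.st_mode & 0o777)
    return baseline


def diff_snapshots(old, new):
    """Compare two snapshots; returns sorted added / removed / modified path lists.

    A file counts as modified if its hash, size or permission bits changed, so
    a binary that merely became executable is reported too.
    """
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "modified": sorted(p for p in new if p in old and new[p] != old[p]),
    }


def _write(root, rel, data, mode=0o644):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    os.chmod(full, mode)


def demo():
    """Constructed scenario: baseline a small tree, then show what the weekly
    rescan sees after a new binary is dropped, a config is tampered with, a file
    is deleted, and a helper is made executable without its content changing."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/service.exe", b"legitimate service binary")
        _write(root, "bin/helper.exe", b"helper", 0o644)
        _write(root, "etc/app.conf", b"listen=127.0.0.1\n")
        _write(root, "etc/old.cfg", b"unused\n")
        baseline = snapshot(root)

        _write(root, "bin/nbc.exe", b"unexpected new binary")    # dropped
        _write(root, "etc/app.conf", b"listen=0.0.0.0\n")        # tampered
        os.remove(os.path.join(root, "etc", "old.cfg"))           # deleted
        os.chmod(os.path.join(root, "bin", "helper.exe"), 0o755)  # mode only
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```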

Re:This is what IDS/IPS appliances are for... (0)

Anonymous Coward | about a year ago | (#44949395)

"Who cares if the traffic is encrypted," When it's an obfuscated "trusted" host service being exploited it makes it that much more obfuscated.

"First order of failure is allowing unsigned executables from running" -yes, that's like saying "don't download virii from the net and run it" - of course.

Re:This is what IDS/IPS appliances are for... (1)

PlusFiveTroll (754249) | about a year ago | (#44956223)

>-yes, that's like saying "don't download virii from the net and run it" - of course.

No, it is nothing like that at all. It is saying "Are you on the guest list? No?, then you cannot run at all, and I am going to call security on you."

> When it's an obfuscated "trusted" host service being exploited it makes it that much more obfuscated.

What, are these Windows boxes directly connected to the internet without a firewall or IDS in between them? If my Windows Service Host is trying to contact port 443 at wherethefuckever.x389af389w8.ch that should set off an even bigger alarm bell than the damn web browser doing so.

Re:This is what IDS/IPS appliances are for... (4, Informative)

cyberpocalypse (2845685) | about a year ago | (#44948663)

I believe there is more going on to this than you would understand. For example, the Zeus/Qakbot strain always downloads a file. Most times it will be randomized. For argument's sake, let's say it was named nbc.exe. What Zeus/Qakbot did was communicate out via IE. Even though the nbc.exe was the application responsible for running the show, the communications portion was done via good ole GET and POST via HTTPS. At issue with detecting nbc.exe where Zeus/Qakbot was/is concerned, is the fact that the operators of the malware were/are changing the executable every N hours. So most AV systems wouldn't even detect it. So no... IPS/IDS here means nothing. Blacklisting *may* have worked to stop the communication, but even then a fast flux would have trumped that.

Re:This is what IDS/IPS appliances are for... (3, Insightful)

Archangel Michael (180766) | about a year ago | (#44948797)

A good IDS/IPS isn't signature based, it is activity based. It looks for, and flags, suspicious activity. A sudden increase in random hosts connecting to a server via outbound HTTP(S) traffic is suspicious. An HTTP server getting a ton of hits on non-standard (i.e. used) ports is suspicious.

In short, there is someone asleep at the wheel, and they need to step up and get trained on how to do their job right, or hire someone else. It isn't like any of this is new.

Re:This is what IDS/IPS appliances are for... (0)

Anonymous Coward | about a year ago | (#44950467)

Yeah, but I refused to even go through the interview process for LexisNexis because they demanded that I supply my SSN to the recruiter before they even offered to talk to me. I told that asshole to take a hike.

Re:This is what IDS/IPS appliances are for... (0)

Anonymous Coward | about a year ago | (#44951101)

Malware using iexplore.exe has been around for at least five years now. Same with malware that uploads data using bogus GET url statements. This is stuff that an IDS/IPS is meant to get (pun not intended), signature or no.

This isn't Stuxnet that had boots on the ground as a military operation. These are remote attacks which there are defenses for. Signatures are useful, but most IDS platforms are made to run on heuristics because if signatures were useful, the enterprise A/V system would have mopped up the mess already.

So (IMHO, of course), saying that an attack is something new shouldn't be an immediate way to get off the hook. New attacks surface hourly.

Re:This is what IDS/IPS appliances are for... (-1)

Anonymous Coward | about a year ago | (#44948817)

this is a fucking advert. Fuck you, Dice.

Re:This is what IDS/IPS appliances are for... (-1, Flamebait)

X.25 (255792) | about a year ago | (#44948921)

No real excuse for this. This is exactly what network IDS/IPS programs/appliances are for.

Any data center dealing with sensitive information should have an IDS/IPS installation which should have shut down nbc.exe's access out to the Internet, or at least raised a red flag in Splunk or whatever logging console application in use. Most data centers have a list of authorized IPs that internal sites communicate out to, and if some machine communicates to an IP repeatedly on a sensitive network, it would be investigated, or at the minimum, looked at. Multiple machines communicating encrypted data to site out on the Internet is something that IDS applications are designed to detect, and IPS offerings designed to cork until someone takes a look at it.

Security isn't rocket science. It is using basic concepts to compartmentalize information and applications to check for known/unknown attacks, and buying/using the tools needed.

I understand that you are all excited because you drew your first diagram or passed first exam of .

However, this is not how the real world works.

You are welcome.

Been getting Dun and Bradstreet spam for months (0)

Anonymous Coward | about a year ago | (#44948417)

Why do people trust these jokers again?

why should the NSA have all the fun? (1)

themushroom (197365) | about a year ago | (#44948443)

Why should the likes of Dun & Bradstreet or LexusNexus have any fun at all?

nbc.exe (5, Funny)

Anonymous Coward | about a year ago | (#44948489)

Dot exe. I think I see the problem.

Wish I had mod points. Windows makes a nice deskto (0)

raymorris (2726007) | about a year ago | (#44948747)

This is true. Windows makes a fine desktop. Microsoft's IDE is quite nice.
Windows is not a server operating system, and printing "server" on the box doesn't make it one.

Re:nbc.exe (0)

Anonymous Coward | about a year ago | (#44948957)

Dot exe. I think I see the problem.

Mod parent up.

Re:nbc.exe (2)

radarskiy (2874255) | about a year ago | (#44949701)

Why do you hate VMS?

Good? (5, Insightful)

AmiMoJo (196126) | about a year ago | (#44948507)

This might be a good thing. Once we have a major "privacy apocalypse" and millions of people get screwed over something might be done about it. Otherwise there will just be endless "minor" breeches where a few hundred thousand people get ripped off and no-one really cares.

Re:Good? (3, Insightful)

Austrian Anarchy (3010653) | about a year ago | (#44948649)

In a "privacy apocalypse" the "right people" will be bailed out with everybody else's wealth and the accompanying "nothing to see here, move along" warning.

Re:Good? (1)

erroneus (253617) | about a year ago | (#44948855)

The new word is "bailed in."

The whole thing where they started taking people's private assets to manage the financial crisis in Cyprus was just the test bed to see how well people would accept this. Since the whole story died down, they are now preparing to do that asset seizure in Canada and in several European countries as well. They would do it in the US too, but we have too many guns and the government doesn't yet have enough bullets.

Re:Good? (1)

Loughla (2531696) | about a year ago | (#44949059)

Define "they" please.

Re:Good? (1)

Austrian Anarchy (3010653) | about a year ago | (#44950369)

"They" started long before that Cyprus deal. FDIC and Transcontinental Railroad are but two US examples.

Re:Good? (0)

Anonymous Coward | about a year ago | (#44948699)

I have an IPS monitor, it is sweet.

Re:Good? (1)

SirGarlon (845873) | about a year ago | (#44948707)

If Snowden's revelations do not count as a privacy apocalypse, I don't know what does.

Re:Good? (0)

Anonymous Coward | about a year ago | (#44948807)

Not until a white woman steals Obama's identity and successfully convinces everyone that she is President Obama, and that that black dude is really a homeless woman.

Re:Good? (0)

Anonymous Coward | about a year ago | (#44948711)

Privacy Apocalypse won't do jack as long as it only affects the poor and middle class, you need it to screw over a whole bunch of the rich and politicians before you will see any kind of movement. Trust me 10 million of us normal people getting our IDs hacked would do little, but if they screwed over even just 40% of the Congress, action would be so swift we the people wouldn't believe it actually happened.

Re:Good? (0)

Anonymous Coward | about a year ago | (#44948731)

Once we have a major "privacy apocalypse" and millions of people get screwed over something might be done about it.

So the big furore over the NSA, GCHQ et al collecting mass data on everyone possible and skirting the law with a combination of "they're not (insert country here) citizens, so they have no protection under our law" and 'intelligence sharing agreements' didn't count, then?

Re:Good? (0)

Anonymous Coward | about a year ago | (#44948733)

Minor beeches - are the pants (trousers) for children?

Re:Good? (0)

Anonymous Coward | about a year ago | (#44948915)

No, minor beeches are just short females that complain too much.
See also, naggers.

Re:Good? (1)

houghi (78078) | about a year ago | (#44948803)

and millions of people get screwed over something might be done about it

Oh, you mean like how the banks are now regulated and nothing like what happened before can happen again?

Re:Good? (1)

Anonymous Coward | about a year ago | (#44948895)

Something won't get done about it until a bunch of "The 1%" log in one day and find all their accounts drained to the point where they're now in "The 99%".

"Egads, Buffy! We're impoverished!"
"Broke? Screw that. I'm outta here Warren."

Re:Good? (1)

MickyTheIdiot (1032226) | about a year ago | (#44949083)

They'll immediately ask for welfare. We keep treating them as a society as principled people, but they are anything but.

Re:Good? (1)

MickyTheIdiot (1032226) | about a year ago | (#44949095)

Most people care more about Honey Boo Boo right now. A privacy apocalypse will happen without their notice.

Re:Good? -- NSA (0)

Anonymous Coward | about a year ago | (#44950187)

The NSA has left a serious hole called Microcode in all our CPUs. The NSA has demanded and caused to be built deterministic methods of cracking our encryptions such as PGP and Elliptic Curve. The worm isn't the criminals who steal from us. They are merely using the holes that the US Government under the NSA demanded be built into our security frameworks. When will they be tried for being accomplices to the crimes!?

Re:Good? (0)

Anonymous Coward | about a year ago | (#44951419)

I wouldn't say it would be a good thing. I am willing to bet an "Andy Warhol" attack would be responded to by lawmaking. However, will it be privacy and data retention laws? Doubt it. I'd probably say the laws would be items like mandatory DRM stacks, must have LEO taps and key escrow (think Clipper), increased surveillance responsibilities on ISPs and even tier 1 providers, mandatory watermarking of media, etc. If we did get a law, it would be like ACTA, CETA, or SOPA.

IMHO, the only body in the world that can actually put a stop to the privacy issues would be the EU. Nobody else has the power, nor the inclination to do so.

It's worse than that... (5, Informative)

Anonymous Coward | about a year ago | (#44948551)

Lexis Nexis has a database of all United States citizens complete with full address history, SSN, DOB, associations such as relatives and neighbors, and you can cross reference and search the different relationships. They purchase the info from the government and then banks use them to verify information on credit applications by paying for the service and simply accessing a web interface via SSL over the public internet. I know this because I used to work for a large bank doing just that.

Re:It's worse than that... (1)

Austrian Anarchy (3010653) | about a year ago | (#44948597)

Good heads up! I guess I am an old fart thinking L/N was just a legal and news archive. Did not know they had crossed over, apparently quite some time ago.

Re:It's worse than that... (0)

Anonymous Coward | about a year ago | (#44948901)

It's also used as a tool for collection efforts by banks. If you move, change phone numbers, etc, all they have to do is check Lexis Nexis and your new info will be there. Unless you live entirely off the grid, it truly is a central database of all American citizens over the age of 18.

Re:It's worse than that... (1)

Anonymous Coward | about a year ago | (#44949447)

OP here... forgot to mention it also lists info related to the address such as whether the resident is a probable renter or owner, how much the property is worth, how much neighboring property is worth, death certificate information if the person is deceased, and so on...literally everything there is to know about a person's life "on the grid." Everything is shown on a single screen and the info can be brought up by search of address, phone number, SSN, or broader google-like searches such as names, zip code, etc. There are entry level employees (think $9/hr) in large numbers at banks working with this info, all over the world.

Re:It's worse than that... (0)

Anonymous Coward | about a year ago | (#44950085)

Sure, but do they know the name of my first pet?

Re:It's worse than that... (1)

I'm New Around Here (1154723) | about a year ago | (#44951785)

Spot.

But everyone knows that.

Motive opportunity means (0)

Anonymous Coward | about a year ago | (#44948619)

Face it, NSA has zero day exploits from the vendors, has a $10 billion budget for hacking and both them and GCHQ using their tools have form on hacking. (See Belgacom and the Belgium foreign minister, oh and Brazil and every network on planet earth....)

If it was April, it was probably NSA.

Remember Stuxnet? The wakeup call from Russian hackers.... except it turned out to be NSA and Israel?

Re:Motive opportunity means (1)

PlusFiveTroll (754249) | about a year ago | (#44949093)

It's far more likely that they would spread wide open goatse.cx style for the NSA without having to be hacked for a stipend. Probably some other gov'ts trojan.

Re:Motive opportunity means (0)

Anonymous Coward | about a year ago | (#44951089)

Remember Stuxnet? The wakeup call from Russian hackers.... except it turned out to be NSA and Israel?

I've seen absolutely nothing at all which makes me think that the Russians could not have been involved. Sure, the NSA and Israel got fingered, but I still fully believe there were more State actors involved than anyone revealed. The GCHQ was almost certainly aware, if not actively involved, and I would not put it past the Russians to have been involved as well. They've long been masters at "playing both ends against the middle" and have a lot of good reasons to see the nuke program fucked around with.

It was probably the NSA (0)

Anonymous Coward | about a year ago | (#44948703)

You know I'm right!

Opt-out? (3, Interesting)

jerpyro (926071) | about a year ago | (#44948787)

So how do I opt-out? Where do I get away from companies releasing my information to third parties that track my identity or other things to allow other corporations to peruse at their leisure? Not only do you not get to tell companies where they can and can't store your personal information, you also can't dispute that information when someone uses it for the wrong reasons or enters things that you're not allowed to know about.

For example, let's say LexisNexis had an entry that said I caused a major auto accident involving 15 cars, because an insurance clerk pressed the wrong button that said I was at fault rather than being involved in the accident? How do I correct that data? How do I dispute that entry? How do I even find out about that information?

And how do I get them to delete my personal data rather than allowing their poor network security policies to expose my life to risk? Answer: I can't. I have no agreement with them to host my personal data. I'm not just upset about the breach, I'm upset about the lack of ownership and consequence of such regarding my own life.

Re:Opt-out? (0)

Anonymous Coward | about a year ago | (#44948849)

Welcome to America, where corporate profits are more important than your rights.

Fix that and you stand a chance. Otherwise you get exactly what the Republicans and Tea Party want -- a nation run by companies.

Honest question. (0)

Anonymous Coward | about a year ago | (#44950983)

If you were making a hiring decision or evaluating a stranger for some other sort of relationship that might make you financially, legally or physically vulnerable to their misbehavior, would you pass up credit reports and other background checks, flawed as they are?

ID theft mitigation (2)

sl4shd0rk (755837) | about a year ago | (#44948809)

Seems like the only way to combat identity theft now is just "lose" your credit card every few months and get a new number. I don't see any other way to mitigate identity theft as long as places like Heartland Payment Systems and LexisNexis are going to just give away the keys to the kingdom through gross negligence, apathy or ignorance.

Re:ID theft mitigation (1)

davidannis (939047) | about a year ago | (#44948945)

Losing your credit card and getting a new number won't solve the problem because the ID thieves can just open an account or take out a loan in your name since they have your name, social security number, date of birth and all the other information a bank uses to confirm that the person opening the account is you.

Re:ID theft mitigation (0)

Anonymous Coward | about a year ago | (#44952007)

social security number

It's sad that the primary key of a retirement database is the secret key to our identities.

Re:ID theft mitigation (0)

Anonymous Coward | about a year ago | (#44957543)

Could this be that identity theft is not such a big issue in continental Europe? If so what would be the reason?

Re:ID theft mitigation (3, Informative)

Jason Levine (196982) | about a year ago | (#44949549)

Freeze your credit.

I was the victim of identity theft. Someone got access to my name, address, SSN, and DOB and used it to open up a credit card account in my name. (Thank you, Capital One, for not caring that the mother's maiden name was wrong! And for stonewalling both me and the police every step of the way in the name of YOUR liability.)

The credit agencies will recommend fraud alerts but these have two major flaws: 1) They are optional. Credit Card Company A *should* check for a fraud alert before issuing a credit card in your name, but doesn't *have* to. (You can bet that the ID thieves know which companies check and which don't.) 2) They expire after 90 days. Your information isn't going to magically disappear from the ID thieves after three months. It's out there for good now. So why should the check against ID theft expire?

If you freeze your credit then nobody (you or anyone else) can open a new line of credit on the account. If you actually do want to open a new line of credit (or get a loan or have a background check performed), you thaw your credit report for a set period of time. The downsides are that you have to pay for each thaw and you can't sign up for credit on the spot. (We actually consider the latter to be a perk. "Would you like to save 10% by getting our store card?" "No thanks. Credit frozen thanks to ID theft.")

Of course, the credit agencies HATE credit freezes because they make money by offering your credit file to anyone and everyone to send you offers for credit cards and the like. A frozen credit card file takes away that income opportunity.

Come to think of it, that's another bonus to freezing your credit file.

This site has some good information on Credit Freezes including links/phone numbers to freeze your credit file: http://www.clarkhoward.com/news/clark-howard/personal-finance-credit/credit-freeze-and-thaw-guide/nFbL/ [clarkhoward.com]

Should have been easy to catch this (2)

onyxruby (118189) | about a year ago | (#44948815)

This should have been easy to catch with their IPS. Why is there an encrypted data stream going from a server to a server outside the organization? Even without using an SSL decryption device to look at the contents of the stream, the mere fact that an encrypted stream of data was going to an unauthorized destination should have set off alarm bells in its own right.

I've seen any number of environments that simply blocked encrypted data sessions until they had been white-listed. It's something that ought to be in your change management system along with all of your other firewall rules. The fact that a major credit agency got owned by this tells me that they probably outsourced their security to India along with the rest of their staff.

Easy?!?!?! (0)

Anonymous Coward | about a year ago | (#44949017)

How would it be easy to identify a single SSL stream coming from a server with hundreds/thousands/millions of other SSL streams flowing in and out?

Just because you operate in a walled garden with 10 users doesn't mean the rest of us do. The few external servers presently active on my screen are showing 3,124 active SSL connections. How easily could you tell me which one is bad? Those external servers in turn connect to myriad internal systems. Being careful and thorough in your security is not easy! It's especially difficult for national or multinational companies with tens of thousands of employees and remote workers, servers, workstations, hundreds/thousands of partners, millions of customers, hundreds of points of presence...

Easy? My ass!

Re:Easy?!?!?! (1)

onyxruby (118189) | about a year ago | (#44949231)

My experience is pretty much entirely large enterprise, which means working in environments such as you describe. As you said, you have 3,124 active SSL connections. Start by filtering out which ones are going to sites you know are legitimate. That should filter a fair amount right there, then you start filtering out those connections that are external.

Once you have filtered out the destination ranges for the known good sessions you have a far smaller set of SSL connections to investigate. Look at the source and destination IP addresses of those that remain and start finding out who they belong to and start building a white list.

There may be a very legitimate reason to have an SSL session set up with Estonia (I've seen some great programmers work from there) or not. The point is that you treat SSL connections just like you would firewall ports. What's your destination, source and what are you using it for? The entire idea is to look for SSL connections from servers that you don't already know about. You don't want to investigate all of them, just the new ones that pop up that aren't on the change management white-list.

I don't mean to make this sound trivial, it's not, but the process itself is fairly easy. You're working for a large enterprise by the sounds of it, chances are you're on a team with a number of security people available and enterprise class resources. It's really just a matter of doing the legwork to run things down. Now if you don't have any kind of change management in place and have to chase down all 3,124 connections to find out who's doing what, it's no longer easy, but that is an entirely different story.

Re:Easy?!?!?! (0)

Anonymous Coward | about a year ago | (#44952051)

That is why you have backend analytic tools (pick one. I don't want to be accused of shilling, so naming one is beside the point). A log parsing utility can find your one oddball needle in the haystack of streams, or at least get you a fistful of straw that contains the needle that you can run subsearches on.

This way, I can start by factoring out the usual sites people go to, then factor out legit users on their workstations. Drilling down eventually ends me up with a data set of oddball connections (say a bunch of production machines that have no users logged on connecting to one IP in Elbonia at all hours of the day.)
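The triage that onyxruby lays out above (filter known-good destinations, drop internal traffic, then chase only the server-originated sessions that are not on the change-management white-list) and the drill-down the previous comment describes (production machines with no users logged on, talking to one outside IP at all hours) are the same procedure. The following is an added example, not code from the article or from any of the commenters, of that procedure run over a constructed log. The log format, the field names (src, dst, dport, role, users), the allowlist networks and the minimum-hours threshold are all assumptions made for the example; a real deployment would feed it proxy or NetFlow records and a change-managed allowlist.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the article): one record per outbound
# TLS session, roughly as a proxy or flow collector might emit it.
# Field names are assumptions for this example.
SAMPLE_LOG = """\
2013-09-19T01:12:03Z src=10.20.5.17 dst=203.0.113.9 dport=443 role=server users=0
2013-09-19T01:13:44Z src=10.20.5.17 dst=192.0.2.77 dport=443 role=server users=0
2013-09-19T03:02:10Z src=10.20.5.17 dst=192.0.2.77 dport=443 role=server users=0
2013-09-19T09:41:59Z src=10.20.8.3 dst=198.51.100.20 dport=443 role=server users=0
2013-09-19T10:05:21Z src=10.30.1.44 dst=192.0.2.77 dport=443 role=workstation users=1
2013-09-19T11:00:00Z src=10.20.8.3 dst=192.0.2.200 dport=443 role=server users=0
2013-09-19T14:27:08Z src=10.20.5.17 dst=192.0.2.77 dport=443 role=server users=0
2013-09-19T22:55:37Z src=10.20.5.17 dst=192.0.2.77 dport=443 role=server users=0
2013-09-19T23:10:02Z src=10.20.9.9 dst=10.20.9.10 dport=443 role=server users=0
"""

# Destinations already approved through change management (assumed values).
KNOWN_GOOD = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
# RFC 1918 space: internal-to-internal TLS is a different review queue.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TLS_PORTS = {443, 8443}


def parse_line(line):
    """Turn one 'ts key=value ...' record into a dict with typed fields."""
    ts, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    rec["users"] = int(rec["users"])
    return rec


def in_any(ip, nets):
    return any(ip in n for n in nets)


def unlisted_server_sessions(log_text):
    """Steps 1 and 2 of the thread's procedure: keep only TLS sessions that
    a server (not a workstation) opened to an external destination that is
    not on the allowlist. Everything else is already explained."""
    kept = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["dport"] not in TLS_PORTS or r["role"] != "server":
            continue
        if in_any(r["dst"], INTERNAL) or in_any(r["dst"], KNOWN_GOOD):
            continue
        kept.append(r)
    return kept


def beacon_candidates(sessions, min_hours=3):
    """Step 3: group the leftovers by (src, dst). A host with no users logged
    on that talks to one unlisted address across several distinct hours of
    the day is the 'Elbonia at all hours' pattern from the thread.
    Returns sorted (src, dst, distinct_hours) tuples."""
    hours = defaultdict(set)
    headless = defaultdict(lambda: True)
    for r in sessions:
        key = (str(r["src"]), str(r["dst"]))
        hours[key].add(r["ts"].hour)
        headless[key] = headless[key] and r["users"] == 0
    return sorted(
        (src, dst, len(h))
        for (src, dst), h in hours.items()
        if headless[(src, dst)] and len(h) >= min_hours
    )


if __name__ == "__main__":
    pending = unlisted_server_sessions(SAMPLE_LOG)
    print(f"{len(pending)} unlisted server TLS sessions left to run down")
    for src, dst, n in beacon_candidates(pending):
        print(f"candidate beacon: {src} -> {dst} seen in {n} distinct hours")
```

On the sample, the allowlist and the internal filter remove four of nine records and the workstation filter removes one more, leaving five server sessions to two unlisted addresses; only the server that keeps returning to the same outside IP across four different hours is promoted to a beacon candidate. The one-off session to 192.0.2.200 stays in the review queue but is not escalated, which is the point of the threshold: the allowlist shrinks the haystack and the hour-spread picks the needle out of what is left.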

Identity cannot be stolen (4, Insightful)

erroneus (253617) | about a year ago | (#44948821)

Let's stop calling it that. These numbers we call our identity are not our identity. The whole notion of doing things like this was an invention of mega-business interests who wanted to expand their business range without having to employ a whole bunch of people. You see, long ago, people were given credit by a process which involved references... actual people who could vouch for your reputation. But this is too much of a hassle and involves the use of people and people, of course, are very expensive. So much better to track a whole bunch of people with a computer system where they are tagged with a unique number -- say a social security number which we were promised would never ever ever be used for anything but social security account tracking. Several legal filings surrounded the controversy long ago but the serfs of the USA lost out and here we are.

Stop feeding the machine. Stop being in debt. Stop relying on credit and build a savings instead. It's harder to get started if you're already accustomed to the debt financing game, but it's the difference between LIFO and FIFO where your money is concerned. Stop spending money you don't have. Of course, this message goes out to people who aren't reading this... everyone here has "good reasons" for using credit instead of cash.

Re:Identity cannot be stolen (3, Insightful)

sl4shd0rk (755837) | about a year ago | (#44949007)

Stop feeding the machine. Stop being in debt. Stop relying on credit and build a savings instead.

That's a great way to keep from getting digitally bum rolled, but society will never go back to 1970 now that so much business is done over the internet.

Many people pay off their CC debt every month and the ones who have a problem are the same people who cannot balance a checkbook or go an entire payday without blowing the whole thing on frivolous purchases. Self control and good money management skills do not come easy for everyone and the problem with credit for those people is simply an extension of an existing dysfunction.

Re:Identity cannot be stolen (1)

DarkOx (621550) | about a year ago | (#44949113)

I don't know if you are being sarcastic or not but there are good reasons to use credit instead of cash even for the typical individual not running a business.

The first big one is you can dispute charges. Pay someone with a CC to do a job and they don't do it or don't do it in the fashion you'd agreed to have it done, you can reverse the charges. You pay them in cash and they don't want to make good on it, you are looking at either taking the loss or a potentially lengthy court process.

The next one is often those rewards programs are a pretty good deal if you use them smart, which folks reading "here" have the computer skills to do. Lots of them have a "free" introductory period and then shift to an annual fee if you don't cancel; they know most people will forget and they can probably get the fee from them at least once. Some scheduled reminders on your computer can "fix" that easily. The rest come from swipe fees, which we know really come from higher prices, effectively transferring the margin from the cash customers to the credit customers. Either way you are paying, so you might as well put yourself on the collecting side of it if you can. Sure there is the privacy issue and sometimes I do use cash for that reason, but by and large I run everything across whatever card I have that is giving me the best rewards at the time; EVERYTHING, even if it's a $2 cup of coffee. Obviously you have to have a credit limit high enough to support doing most of your purchases that way every month.

Lastly, track the purchases, hold on the receipts at least until you punch'em into your fiance package. If you know what is really outstanding (not what's posted) at all times, it's trivial to know what you're in for at the end of the month and not get surprised. If you make sure to never carry a balance, CCs are a good deal for most consumers.

Re:Identity cannot be stolen (3)

cellocgw (617879) | about a year ago | (#44949563)

hold on the receipts at least until you punch'em into your fiance package

that's gotta be one of the better unintentional misspellings I've seen in a while.

Re:Identity cannot be stolen (1)

Urza9814 (883915) | about a year ago | (#44952847)

These are benefits of using a plastic card, not benefits of using credit. I get all of these with my debit card too, and I've never had a dime of debt, not even for a week.

Re:Identity cannot be stolen (2)

slashmydots (2189826) | about a year ago | (#44949115)

Yeeeeah, we're not all as rich as you. I got a very crappy paying part time head IT manager job (wooo $19.5K/yr USD with no benefits) 2 years ago because it was the only job I could get during the crap economy. My last car I got 5 or so years ago I paid $7300 cash for. Now that it's undriveable just yesterday I bought an 07 Vibe from a family member's dealership for a huuuuge discount but I still have to finance $5,000 out of the $8000 cost because I simply don't have the money. I've got no family, no girlfriend, no expensive hobbies, and a tiny apartment and my other part time job, owner of a computer repair shop, isn't paying much because it's fairly new and my prices are ultra-competitive. Still, no spare money. I can, however, afford the $111/mo loan and I do in fact need a car to drive.

I'm currently looking for a better job, most of which pay triple, and I crush the rest of the US on standardized skills testing in IT and have 2 degrees but HR departments are filled with non-tech people who don't understand that so I'm getting nowhere. So unless you were going to buy me a car, I used my flawless credit score to get a car loan. Deal with it.

Re:Identity cannot be stolen (0)

Anonymous Coward | about a year ago | (#44949131)

Semantics is bullshit when it comes to something like this. Yes, they're just numbers, and yes your actual, living identity is more than numbers, but your credit and your SS# are your fucking identity in 2013.

How do you propose a lower-middle class person purchase a home, car, or college without a loan? Not everyone comes from sunshine fucking daisy land. Life is hard, and sometimes debt is necessary to make it less hard.

Some people go overboard - what with credit cards and what-not, sure. But for many, many people, debt is required to get established at first.

Fuck yourself and your upper-middle class white-bread overly-entitled attitude.

Re:Identity cannot be stolen (0)

Anonymous Coward | about a year ago | (#44954001)

Let's be real. If you can't afford it, why are you buying it? All that happens is that the loans get defaulted on and end up an additional taxpayer burden when someone can't afford the new BMW they bought to show off, but are still living in the 'hood.

If you can't afford a McMansion or the latest Lexus, why should a bank pick the tab up when you feel like not paying anymore? This is why banks have stopped lending in the US, just because they have better places to spend money on indigents with no work ethic and a large sense of entitlement.

This sense of entitlement coupled with a president that plays to the people addicted to the dole is why the US's economy is in the shitter and has been for so many years.

The Ship Has Sailed (0)

Anonymous Coward | about a year ago | (#44949339)

Identity can be stolen and you can be seriously and negatively impacted by that theft, even if you have no debt and no need for credit.

When some fuck steals your identity and racks up huge debt in your name, the creditors come for you! You must then defend against the creditors and it is not an easy fight at all. In many cases you cannot win, despite having done nothing wrong!

You're right that it is a contrivance of the large corporations, but the individual cannot simply choose to not participate. If an individual is impersonated, it can have severe repercussions through absolutely no fault of their own.

Re:Identity cannot be stolen (3, Insightful)

onyxruby (118189) | about a year ago | (#44949453)

This is a horrible idea, let's start with how credit worked in the old days. You got a house loan or car loan by paying 1/3 the cost up front. You also paid off your credit on terms that were much shorter than today's terms. I don't know about you, but outside the rich or someone that has been saving for many years that is simply no longer feasible in today's society. Simply put, only the rich could afford to get credit if we adopted the old standards.

You're also forgetting other reasons that people went to numbers such as racism, religious based discrimination and so on. When you had everything done by having someone approve the loan by who they knew, the result was that people that were in better favor with the banker were more likely to be approved. In many towns if you were a protestant or a catholic you simply couldn't get credit in that town, or you had to go to your bank. If you weren't a member of either church in good standing then you certainly weren't getting a loan.

Problems with this kind of behavior became so bad that it became known as redlining. Bankers would literally draw a line around certain neighborhoods on a map with a red line. If you lived in that neighborhood you either couldn't get credit or had to pay a lot more for it.

Many lawsuits were filed and banks lost badly in days gone by over these practices and the modern credit system was in large part derived as a result of them. Nowadays the person approving your loan is someone you don't know, probably doesn't live in the same state as you and who tries to look at you abstractly - as a number - for the express purpose of ensuring that discrimination doesn't occur.

All that being said, the idea that people should rely less on debt is one I agree with, but you have obviously never worked in credit.

Re:Identity cannot be stolen (1)

0123456 (636235) | about a year ago | (#44949697)

This is a horrible idea, let's start with how credit worked in the old days. You got a house loan or car loan by paying 1/3 the cost up front. You also paid off your credit on terms that were much shorter than today's terms. I don't know about you, but outside the rich or someone that has been saving for many years that is simply no longer feasible in today's society. Simply put, only the rich could afford to get credit if we adopted the old standards.

And how is that bad?

Just imagine how cheap houses would be if banks weren't giving million-dollar mortgages to anything with a pulse.

Credit does not make you rich. It just allows people with less forethought to outbid you in restricted markets so you can no longer afford to buy the things you could otherwise have bought.

Re:Identity cannot be stolen (1)

ADRA (37398) | about a year ago | (#44949873)

"Just imagine how cheap houses would be if banks weren't giving million-dollar mortgages to anything with a pulse."

That's pretty much Canada at the moment.. and we now have a debt service ratio that is higher than the US had during its crash... *holding breath* But at least housing costs are at a record high! No correlation or anything...

Re:Identity cannot be stolen (0)

Anonymous Coward | about a year ago | (#44949875)

Imagine how much smaller power bills would be if people bought reasonably sized houses?

Re:Identity cannot be stolen (0)

Anonymous Coward | about a year ago | (#44951749)

They still redline. Of course they would never tell you that, but every credit application asks for your residence. You had better believe that the quality of credit in the area you live is a factor in your final credit score.

Re:Identity cannot be stolen (0)

Anonymous Coward | about a year ago | (#44957449)

Simply put, only the rich could afford to get credit if we adopted the old standards.

Before the widespread introduction of the credit card, unsecured credit in not-trivial amounts was largely limited to the rich. If the everyman wanted a loan on short notice he generally had to get it from a pawnbroker by pledging collateral and paying a relatively high rate of interest. Credit cards still have high interest, but they don't require a vehicle title just to get a few thousand dollars of credit.

Re:Identity cannot be stolen (1)

WhatHump (951645) | about a year ago | (#44949571)

I don't have debt (other than a very small mortgage). I always pay off my credit card bill every month and in 30 years have never paid a penny in interest. I have lots of savings - short term, long term and pension. I use credit cards for the convenience of not having to carry large amounts of cash (safer too). However, I also have a social insurance number (Canadian equivalent of SSN), a driver's license number, bank account numbers, health card numbers, insurance policy numbers, employee number, etc. If you want to live in modern society you will generate lots of numbers and electronic records, that are a proxy for your identity. The alternative is to cash in all your assets, head for the woods and live off the land. Not practical for most of us.

Re:Identity cannot be stolen (1)

erroneus (253617) | about a year ago | (#44952875)

My complaint, just to be clear, is how, against protest and wisdom, society was quite literally handed over to bankers as indentured servants. Every time you hear deficit and all that. It's money "borrowed from the Fed" with taxpayer money as the collateral. And when people say "our grandchildren are in debt" they are exactly correct and deadly serious. It means in our lifetimes, we cannot be the collective collateral for the borrowing of the government. Our children cannot be the collective collateral. It will take our grandchildren to pay this off and the way things are going (because they aren't stopping) it'll be worse than that. When the democrats had a budget surplus, that was a great achievement, but it was virtually meaningless in that they temporarily halted the growing principal, but they can't quite touch the interest for quite a while.

Society has been hijacked... all of it. Sold to bankers. This is not wild-eyed conspiracy theory. This is something anyone can look into and verify. There are distinctive "before" and "after" and I liken it all to electronic appliances in the home. With every new gadget, things somehow "got easier" and yet everything still seems to take the same amount of work and time.... well, with the exception of microwave popcorn. People think they have everything better and easier but I think differently. Having some perspective on the matter, I would say slightly worse. And by worse, I mean the consumerist society we live in is just bad. Not to make a morality argument here, but it is quite literally WRONG to measure a person by what he owns. But it's what we do. And we even give a person more respect based on it... where they live, what car they drive and all that. The 80s and the ridiculous gold jewelry? Do you think it was because we just loved shiny stuff? It was "respect." (And Mr. T seemed to need a LOT of it didn't he?)

Re:Identity cannot be stolen (0)

Anonymous Coward | about a year ago | (#44955397)

People are greedy and jealous, news at 11.

If you go into debt to get things you don't really need (by your own words, things didn't get any easier when you bought them) just because other people have them and you're competing because you're jealous of them, don't blame it on the banks that gave them cheap loans.
Any blame should be reserved for the govt that bailed those stupid banks out; all those banks would be gone and all the deadbeats who shouldn't be able to borrow money wouldn't be able to any more, problem solved.

Re:Identity cannot be stolen (1)

erroneus (253617) | about a year ago | (#44963911)

You cannot and should not blame people for being stupid. The dumbing down of the people has been intentional in all of this. It has been done under the color of many, many things and among them have been racial equality. It's ridiculous. (And seriously, I am not saying some races are smarter or dumber than others. There are frikken geniuses in all races, so shut up already!) Also, you can't blame the masses for being the masses. You can blame the few for taking unfair advantage of them. After all, we don't blame the masses for pick-pockets. We blame pick-pockets for their own actions.

Re:Identity cannot be stolen (0)

Anonymous Coward | about a year ago | (#44951321)

everyone here has "good reasons" for using credit instead of cash.

Like how saving money is useless unless you have a mechanism for making >3% interest per year, to protect you against inflation? A mechanism which, as far as I've found, is utterly unattainable by the majority of the population, without some kind of market investment requiring by law the very "identity" info you recommend against?

I agree with you, homes, I really do, and I've been debt-free for half a decade now, but it's no simple matter to cut the ties that bind; simply being in debt is not the half of it.

what it stands for (1)

cellocgw (617879) | about a year ago | (#44949373)

My guess: 'nbc' here is short for "NSA Botnet Communicator."

Then again, it might never have been found if they'd been smart enough to name it "svhcost.exe" [sic] or "winupdate475YWHV63275278592,bat"

Re:what it stands for (0)

Anonymous Coward | about a year ago | (#44950509)

Hmm, that comma would kill it though.

The bigger question (1)

NynexNinja (379583) | about a year ago | (#44951485)

Is why does LexisNexis, which has been around since at least the 1970s, trust Microsoft Windows for their server infrastructure. Sounds like they really dropped the ball here. Hopefully heads will roll on this one.