this post was submitted on 11 Apr 2024
104 points (100.0% liked)

Cybersecurity

5745 readers
377 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 1 year ago
MODERATORS
top 11 comments
sorted by: hot top controversial new old
[–] [email protected] 35 points 7 months ago (2 children)

Researchers: Hey you're breached

ATT: MMMM I don't think so. Pretty sure other people got breached and it looks like our data.

Researchers: Pretty sure it was you. Here's pretty compelling evidence.

ATT: No actually. I'm pretty sure we would know if we were breached.

...

...

... ATT: We were breached

[–] [email protected] 12 points 7 months ago

If they denied and they didn't know how 51 million records were taken, that's even scarier.

[–] [email protected] 10 points 7 months ago

Gotta stall 'til the shares sell

[–] [email protected] 30 points 7 months ago

I think we need to do two things:

The US government needs to take a more active role in coordinating hardening of infrastructure, including the networks of private companies. This is analogous to the safety regulations the USG puts on car and airplane manufacturers, chemical plants, etc. This is a case of technology outrunning regulation, plus a dash of Alan Greenspan’s “flaw in my model” thinking that the market will optimize around security.

Second, companies need to be held legally and financially responsible for the data breaches that occur. This would open up an insurance market, which would be motivated to audit the companies accurately in order to set rates.

Honestly, I think we’d be better served by having a department of cybersecurity than a Space Force, since right now there’s only spotty coverage divided among the various intelligence agencies.

[–] [email protected] 22 points 7 months ago (1 children)

The US desperately needs to rework its citizen ID system. I'm tired of having to spend hours freezing and unfreezing multiple credit accounts after so many of these breaches. It's not too hard to have a secure system since companies don't care to protect confidential information.

Also, it was disclosed to AT&T in 2021 and they're just now admitting to it? Then only offering 1 year of identity theft protection?? If a SSN breach occurs, they should be made to pay for lifetime identity theft protection. Then if they don't want to pay that, they can use the good ol' lobbying system to advocate for a more secure citizen ID.

[–] [email protected] 9 points 7 months ago

lifetime identity theft protection

Eh, I honestly don't see much value in that "protection," it's a cop-out for companies to get away with really bad behavior with a slap on the wrist. I don't think it actually protects anyone in any meaningful sense.

Instead, we should be fining companies heavily for improper security practices. If they would've avoided it if they practiced industry-standard security, big fine. If they had a reasonable amount of time to deploy a patch but didn't, big fine. If they don't respond quickly to a breach with industry-standard procedures (forcing users to change passwords, key rotation, etc), big fine. And the fine should get bigger very fast the longer they take to address it.

And yeah, we should absolutely have a more secure system. It's ridiculous that big tech companies are moving toward passkeys when the federal government literally relies one one 9-digit number that's static for life for pretty much everything. So if there's one breach that includes your SSN, you're screwed. These problems aren't hard to solve, the tech around passkeys has been around for decades. There's no reason we can't have a system like that where companies only get the data they need, such as:

  • employer - work authorization and criminal record - they shouldn't even need your full legal name, date of birth, etc
  • police officer - driver's license status, criminal record, city of residence, age range (minor, 18-21, 21+, senior citizen)
  • cell service - I'm honestly not sure what they really need, maybe just a token in case you want to transfer to another carrier?

The only group that really needs your SSN is the Social Security Administration, and they could just keep that internal and do authentication w/ a passkey or similar. The #1 rule of security is to only have the access you need, whereas companies just grab everything "just in case." Even lawsuits could be filed without actually knowing your personal details, as long as they have a token that uniquely refers to you, they could initiate legal proceedings to the court.

[–] [email protected] 21 points 7 months ago

While the leak contained information for more than 70 million people, AT&T is now saying that it impacted a total of 51,226,382 customers.

So 51 million customers, and 19 million FORMER customers.

[–] [email protected] 5 points 7 months ago (2 children)

Hey Americans, why does a telcom need your SSN?

[–] [email protected] 4 points 7 months ago (1 children)
[–] [email protected] 2 points 7 months ago
[–] [email protected] 0 points 7 months ago* (last edited 7 months ago)