• Government databases

    From Dumas Walker@VERT/CAPCITY2 to ARELOR on Sun Nov 28 10:01:00 2021
    * Somebody has to create a mechanism for tracking the population, such as a database. Personal information sells at about 14 bucks in the black market, so
    this means you need to create a repository worth a lot of money and give the keys to somebody.

    In the United States, there are several examples (although some may not be
    well known) of state, federal, and trusted-third-party vendor networks
    being hacked and PII being leaked to the black market. A lot of people
    have had their IDs stolen as a result of these hacks and don't know it.

    Whenever the government (especially federal) starts putting together a new database, it is a big target.


    * SLMR 2.1a * DALETECH - for all your home security needs!

    ---
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Andrea@VERT/MNOCULUS to Dumas Walker on Mon Nov 29 20:25:11 2021
    * Somebody has to create a mechanism for tracking the population, such as a database. Personal information sells at about 14 bucks in the black market, so
    this means you need to create a repository worth a lot of money and give the keys to somebody.

    In the United States, there are several examples (although some may not be well known) of state, federal, and trusted-third-party vendor networks
    being hacked and PII being leaked to the black market. A lot of people
    have had their IDs stolen as a result of these hacks and don't know it.

    Whenever the government (especially federal) starts putting together a new database, it is a big target.


    I remember a friend discovering a flaw in one of the portals used to book hospital visits in Italy by Regione Lombardia; basically you would enter your "SSN" (codice fiscale) and it would land you on an authentication page, however just having the SSN (really easy to do: https://en.wikipedia.org/wiki/Italian_fiscal_code#Fiscal_code_generation) would provide all kinds of sensitive personal data from street address to telephone number and so on. All you had to do was look at the requests and you had a fantastic JSON with all the data possible. Bad design.

    ---
    ■ Synchronet ■ bbs.monocul.us > Come visit us!
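The defect Andrea describes is a missing authorization check: the portal shows a login page, but the endpoint that returns the record never verifies who is asking, so knowing (or deriving) someone's fiscal code is enough. The following is an added example, not code from the thread or from any real portal. It models the lookup as plain Python functions with constructed patient records, fiscal codes and session ids, and puts the vulnerable handler beside a hardened one that binds the released data to the authenticated session and logs refused requests for detection.

```python
"""
Added example (not from the thread): the access-control defect described in the
post, modelled as two request handlers without a web framework so it runs offline.
All records, fiscal codes and session ids below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records keyed by codice fiscale (the Italian fiscal code).
# The codes are shaped like real ones but are made up.
PATIENTS = {
    "RSSMRA80A01H501U": {"name": "Mario Rossi", "address": "Via Roma 1, Milano",
                         "phone": "+39 02 0000000"},
    "BNCLRA85M41F205Z": {"name": "Laura Bianchi", "address": "Corso Italia 9, Milano",
                         "phone": "+39 02 1111111"},
}

# Constructed sessions: session id -> fiscal code whose owner proved their identity.
SESSIONS = {"sess-mario": "RSSMRA80A01H501U"}

# Refused lookups are recorded here; in a real deployment this feeds the SIEM.
AUDIT_LOG: list[str] = []


@dataclass
class Request:
    fiscal_code: str            # the identifier typed into the portal
    session_id: Optional[str] = None  # cookie value, absent when not logged in


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def lookup_vulnerable(req: Request) -> Response:
    """The pattern from the post: the user is sent to a login page, but the
    lookup endpoint itself never checks who is asking, so anyone who can
    produce a valid fiscal code receives the full record as JSON."""
    record = PATIENTS.get(req.fiscal_code)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


def lookup_hardened(req: Request) -> Response:
    """Fix: the record is released only to an authenticated session, and only
    for the fiscal code that session is bound to (object-level authorization).
    The fiscal code is treated as an identifier, never as a credential, because
    it can be derived from name, birth date and birthplace."""
    subject = SESSIONS.get(req.session_id) if req.session_id else None
    if subject is None:
        # No valid session: say nothing about whether the code exists.
        AUDIT_LOG.append(f"DENY unauthenticated lookup fiscal_code={req.fiscal_code}")
        return Response(401, {"error": "authentication required"})
    if subject != req.fiscal_code:
        # Logged-in user asking for someone else's record. Repeated hits here
        # from one session are the detection signal for enumeration.
        AUDIT_LOG.append(f"DENY session_subject={subject} requested={req.fiscal_code}")
        return Response(403, {"error": "forbidden"})
    record = PATIENTS.get(req.fiscal_code)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


def denied_count() -> int:
    """Number of refused lookups recorded so far (what a detection rule would count)."""
    return sum(1 for line in AUDIT_LOG if line.startswith("DENY"))


if __name__ == "__main__":
    anon = Request("BNCLRA85M41F205Z")
    print("vulnerable, no session:", lookup_vulnerable(anon))
    print("hardened,   no session:", lookup_hardened(anon))
    print("hardened, other's code:", lookup_hardened(Request("BNCLRA85M41F205Z", "sess-mario")))
    print("hardened,     own code:", lookup_hardened(Request("RSSMRA80A01H501U", "sess-mario")))
    print("denied lookups logged:", denied_count())
```

The vulnerable handler returns Laura's address and phone number to a request with no session at all, which is exactly the "fantastic JSON" in the post. The hardened handler answers 401 to the same request and 403 when Mario's session asks for Laura's code, and both refusals are written to the audit log so that a burst of them from one source stands out.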
  • From Dumas Walker@VERT/CAPCITY2 to ANDREA on Mon Nov 29 17:00:00 2021
    In the United States, there are several examples (although some may not be well known) of state, federal, and trusted-third-party vendor networks being hacked and PII being leaked to the black market. A lot of people have had their IDs stolen as a result of these hacks and don't know it.

    I remember a friend discovering a flaw in one of the portals used to book hospital visits in Italy by Regione Lombardia; basically you would enter your "SSN" (codice fiscale) and it would land you on an authentication page, however
    just having the SSN (really easy to do: https://en.wikipedia.org/wiki/Italian_fiscal_code#Fiscal_code_generation) would
    provide all kinds of sensitive personal data from street address to telephone number and so on. All you had to do was look at the requests and you had a fantastic JSON with all the data possible. Bad design.

    A few years back, sometime between 2012 and 2016, the US had a web site
    where you could go in and fill out forms for student loans (or some other government-backed loan program). Once you got on, they made it easy for
    you to pull your transcript of your past IRS tax filings, which were
    necessary to apply for the loans.

    Needless to say, the way it would get you to that point was not much more secure than what you are describing. So, fraudsters could pull your past
    IRS tax filings, too, which have all sorts of info about you. They used
    these mainly to file fake tax returns requesting large refunds (but realistic, based on your past filings).

    Taxpayers were not aware that their IDs had been compromised until they
    went to file their electronic return the next year and their filing was rejected because the fraudster had already filed a return using their ID.


    * SLMR 2.1a * Tell me, is something eluding you, Sunshine?

    ---
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Andrea@VERT/MNOCULUS to Dumas Walker on Tue Nov 30 20:16:48 2021
    Re: Re: Government databases
    By: Dumas Walker to ANDREA on Mon Nov 29 2021 05:00 pm

    Stuff like this gives me goosebumps. I don't know if governments have a special bucket of trash sysops, devs and security experts for hire when they have to develop something for the public that needs to be secure. It's like magic; some courthouses here still have old public FTP servers with documents thrown around (some even recent) containing sensitive stuff like transcripts of private conversations and so on. Sad stuff.

    ---
    ■ Synchronet ■ bbs.monocul.us > Come visit us!
  • From Dumas Walker@VERT/CAPCITY2 to ANDREA on Tue Nov 30 16:33:00 2021
    Stuff like this gives me goosebumps. I don't know if governments have a special
    bucket of trash sysops, devs and security experts for hire when they have to develop
    something for the public that needs to be secure. It's like magic; some courthouses
    here still have old public FTP servers with documents thrown around (some even
    recent) containing sensitive stuff like transcripts of private conversations
    and so on. Sad stuff.

    Governments often have to bid out their work, and the winning bidder is
    often (although not always) the cheapest one. If they award something to a bidder that is not the cheapest, the cheapest (who isn't supposed to know
    they are but, from past experience, will know they are) will often protest, which winds up costing the government money.

    So, they wind up getting what they pay for sometimes... light security on public facing servers.


    * SLMR 2.1a * Make BC Great Again! Trump for Premier!!!!

    ---
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP