[HN Gopher] Every Louisiana driver's license holder exposed in c...
___________________________________________________________________
Every Louisiana driver's license holder exposed in cyberattack
Author : anigbrowl
Score : 83 points
Date : 2023-06-16 20:09 UTC (2 hours ago)
(HTM) web link (www.theguardian.com)
| DemiGuru wrote:
| I strongly recommend that you freeze your credit. It's not the
| end-all be-all, but it's a good way to keep entities from applying
| for loans, credit cards or opening accounts in your name. I don't
| know what is the equivalent measure one can take outside of the
| US.
| briffle wrote:
| Oregon too:
|
| https://www.oregonlive.com/commuting/2023/06/massive-hack-of...
| costco wrote:
| Don't states already sell this info to private investigators? I
| guess this breach would include social security numbers, but half
| the country has already had theirs leaked anyway.
|
| https://www.vice.com/en/article/43kxzq/dmvs-selling-data-pri...
| no_wizard wrote:
| What should someone do? I can't imagine for many people this
| isn't the first, and certainly won't be the last time this
| happens.
|
| Should we just default freeze our credit? Is it time to finally
| get some ID monitoring service w/ insurance?
| ceejayoz wrote:
| Give up. Assume your driver's license and SSN are compromised.
| Everyone's either is already or will be soon.
| EvanAnderson wrote:
| I can give up. Since so many third-parties continue to act as
| if these are "secret" (relying on them for "authentication")
| giving up does me no good.
|
| I guess I can try to avoid doing business with companies who
| insist on using these "secrets". Sometimes I don't have a
| choice, though.
|
| It would be wonderful to have ubiquitous PKI for every
| citizen in the United States. I don't trust private companies
| to do it. A large segment of the electorate would never trust
| the government to do it. (I like the idea of the USPS
| leveraging their tremendous physical presence and delivery
| infrastructure to do it, personally, but I think that would
| meet about the same level of opposition as the government
| doing it.)
|
| I guess we'll just continue with this ridiculous charade of
| "secret" numbers, the silly idea of "identity theft", and
| most of the consequences applying to the individual.
| jen20 wrote:
| "Giving up" is not really an option until it is illegal with
| substantial penalties to use these trivially discoverable
| reference numbers for anything.
| jrm4 wrote:
| Exactly. In other words, is there anything you can do right
| now as an individual to protect yourself? Nope, not really.
|
| You'll have to get involved in policy, period.
| midasuni wrote:
| My UK equivalent (NI number), and the usual things like DoB,
| address etc., leaked a couple of weeks ago thanks to my company
| outsourcing to layers of companies who seem to have
| transferred PI by sending it to pastebin or something. (Same
| MOVEit thing.)
|
| My company just cries "it's not our fault" when it clearly
| is. The larger problem here is that this bit of unchangeable
| data can be used not just to open lines of credit but to do
| things like take out student loans.
|
| Those loans are then automatically deducted from your salary,
| and they won't stop doing that even after you flag it. A
| private company can steal money from you after they cock up.
| sys_64738 wrote:
| Aren't National Insurance numbers purely for state pension
| contributions? I don't think it's like what the USA SSN has
| been butchered as. When I was at college in the USA the SSN
| was used as your student ID and the prof printed them on
| attendance sheets each lecture and passed it around the
| room.
| davchana wrote:
| And then many of my employers use or used it as the employee
| number (or last 4), and likewise passed around an attendance
| sheet with my full name and last 4 of my social.
| no_wizard wrote:
| I do assume this, but I'm checking with the wider community
| here: how do you insulate yourself from the negative effects?
|
| Monitoring + insurance? We did the freeze, but is that
| sufficient enough?
|
| Seems like I'm gonna have to get some kind of insurance +
| monitoring in case something goes really south, no?
| 2023throwawayy wrote:
| You should have frozen your credit after the breaches of the
| credit agencies in years past.
| bombcar wrote:
| The law needs to be changed so that loans can be unpaid with no
| penalties if there is no signed and notarized proof it was you.
|
| That'll fix it real fast.
| phpisthebest wrote:
| 100%...
|
| The entire premise of "identity theft" is backwards. No one
| stole my identity; no, they committed fraud against the bank.
|
| In any other context fraud costs are borne by the victim of
| the fraud, i.e. it should be the bank. Only in "identity
| theft" do we allow a third party to the fraud to be liable for
| the damages.
|
| I am not sure how that even happened
| StrangeATractor wrote:
| This is ridiculous and really only happens because the cost of
| securing your customer (or citizen) data is higher than the cost
| of losing control of it. If the cost of losing data to hacks was,
| say three times higher than the cost estimated to secure it, the
| problem would become much less common very quickly.
|
| As it is, states and corporations externalize the costs of hacks
| to the victims of their incompetence. They have no reason to take
| opsec seriously because they aren't held liable in even the most
| egregious cases. Data should be a liability.
| wmf wrote:
| For government IT in particular, the cost of security is
| basically infinite because they aren't organizationally mature
| enough to do anything right. There's no way to make the cost of
| being hacked infinite; no court or legislature is going to
| order the DMV to be disbanded.
| jfengel wrote:
| The cost benefit calculation also includes the odds of being
| hacked. Enormous numbers of organizations are at risk but most
| survive by security by obscurity. Most are content to hope to
| remain obscure.
|
| Especially since the cost of actual security is very high. You
| have to build it into every aspect of the system. It makes
| development cost an order of magnitude more and constrains
| usability... and you'll still never really be certain
|
| When you take employees into account the cost becomes almost
| insurmountable. Keeping bank style security means tightly
| limiting access, making even simple operations more work.
|
| That's not an excuse. That's a warning. We are at grave risk,
| and we need to completely reconsider how almost every piece of
| software is written. Competence is hard and expensive.
| nyc_data_geek1 wrote:
| >> Data should be a liability.
|
| This is the crux of it, methinks. "Data is the new oil" has
| been a common refrain and as long as the externalities of poor
| security posture hygiene can be completely outsourced while
| these companies make mountains of cash by monetizing your every
| scrap of behavior, attention and information, this will only
| get worse as every entity seeks to hoard more information on
| you.
|
| Keeping more data than absolutely necessary for critical
| business operations should be an existential threat for any
| entity. Those businesses built on this data ought to take Fort
| Knox level pains to secure it. Anything short of that and we
| will continue to exist in a society of deteriorating trust and
| social contract.
| cco wrote:
| A framing I often use is, "Data is like holding uranium". It
| can be incredibly valuable, but also very dangerous. You
| should be very sure that the data you're holding is worth the
| cost of safely protecting it (a high cost), and if it is not,
| get rid of it.
|
| Stripe is a good mental model here: I don't want a person's
| credit card data, I want to charge them for my product. I
| love storing a Stripe customer ID; if a hacker were to grab
| that table, I wouldn't lose (a lot of) sleep, they couldn't
| do much with it. If that table held credit card data... I
| would.
|
| That farms out a lot of responsibility to Stripe, but for a
| side project, I don't have the time necessary to do as good
| of a job at it relative to Stripe.
| ronsor wrote:
| > "Data is the new oil"
|
| The common usage of this phrase isn't too inaccurate. Keep in
| mind what oil does to the environment, not just during spills
| but even in normal refining!
| seanw444 wrote:
| Thank goodness for the government requiring ID for everything.
| There wouldn't be anything with life-altering consequences to
| leak.
| jmclnx wrote:
| Let's hope these states, and others that may be keeping these
| MOVEit breaches hidden, issue new licenses for free.
|
| My state used to use your SSN as its license ID, but they
| moved away from that over 20 years ago. Glad they did. BTW, as
| noted, Oregon too; I am sure there are others.
|
| Glad we are all on Real ID, that sure helped out the Russians a
| lot. But Real ID did nothing useful for me.
|
| edit: spelling
| buildbot wrote:
| Something I have not seen mentioned much is that Qualys was
| affected by this hack, leaking vulnerability scans on over 19000
| companies.
|
| Edit - I was wrong and that happened in 2021 by the same group.
| mdaniel wrote:
| Well, even in your "mention" there is no mention of your
| sourcing for this claim. Because they published a write-up for
| the actual vuln, a simple web search does not cough up any such
| reports.
| buildbot wrote:
| I think I may be conflating an earlier hack of them, which is
| my bad: https://www.cybersecurity-insiders.com/major-cyber-
| attack-on...
|
| There was no date, and given it was the same group, I made a
| bad assumption.
| nyc_data_geek1 wrote:
| This appears to have originally been reported back in
| ~March 2021, FYI.
| flangola7 wrote:
| Will this make fake IDs more viable?
| midasuni wrote:
| My company used to use MOVEit but got rid of it in 2017 because
| of security concerns. Alas, our crappy outsourced HR company
| didn't.
|
| My understanding of this attack is that the company
|
| 1) didn't have IP access controls to limit which machines can
| talk to the MOVEit manager
|
| 2) didn't have SSL client certificates to prevent a machine from
| connecting without a valid certificate
|
| Now, a SQL injection really isn't good. It's not hard to protect
| against, both by sanitising inputs and by using prepared
| statements, but that's why we have defence in depth.
| selimthegrim wrote:
| Well that explains why my address was changed to an old out-of-
| state one at my credit agency and I had to change it back
___________________________________________________________________
(page generated 2023-06-16 23:00 UTC)