Senators Press AT&T, Snowflake For Answers on Wide-ranging Data Breach (therecord.media)

A bipartisan pair of U.S. senators pressed the leaders of AT&T and data storage company Snowflake on Tuesday for more information about the scope of a recent breach that allowed cybercriminals to steal records on "nearly all" of the phone giant's customers. From a report: "There is no reason to believe that AT&T's sensitive data will not also be auctioned and fall into the hands of criminals and foreign intelligence agencies," Sens. Richard Blumenthal (D-CT) and Josh Hawley (R-MO), the leaders of the Judiciary Committee's privacy subpanel, wrote Tuesday in a letter to AT&T Chief Executive Officer John Stankey.

The duo also sent a missive to Snowflake CEO Sridhar Ramaswamy that said the theft of AT&T subscriber information "appears to be connected with an ongoing series of breaches" of the company's clients, including Ticketmaster, Advance Auto Parts, and Santander Bank. "Disturbingly, the Ticketmaster and AT&T breaches appears [sic] to have been easily preventable," they wrote to Ramaswamy.
Blumenthal and Hawley have asked the corporate leaders to answer a series of questions about the lapses by July 29.
  • by UnknownSoldier ( 67820 ) on Wednesday July 17, 2024 @10:16AM (#64632421)

    In the motorcycle community there is a common saying of wisdom for why we wear protective gear:

    It is not a matter of IF you will go down but WHEN.

    Every day it seems like there is a report of yet-another-company getting hacked. Maybe this saying should get adopted by tech companies?

    It is not a matter of if you will get hacked but when. Encrypt then.

    • by ole_timer ( 4293573 ) on Wednesday July 17, 2024 @10:28AM (#64632445)
      ...there's only two types of organizations - those that know they've been breached and those that don't...
      • One of my CEOs wanted to know what I was doing to keep various hostile governments out of our systems.

        I explained to him they operate on an entirely different level and companies that spend more on security every month than our small company's net worth get hacked by various governments all the time. We keep our head low, don't make any political noise about foreign governments, continue doing our best with what we got to keep our data safe and sleep well at night with the assumption that they don't care.

    • In the motorcycle community there is a common saying of wisdom for why we wear protective gear:

      It is not a matter of IF you will go down but WHEN.

      Every day it seems like there is a report of yet-another-company getting hacked. Maybe this saying should get adopted by tech companies?

      It is not a matter of if you will get hacked but when. Encrypt then.

      If motorcycle tech required you to buy a new helmet, boots, and leathers every week to sustain your safety and security, you’d probably find your analogy quite dead.

      • by Anonymous Coward

        /asshole

    • It's a tough choice between protecting customers versus profit. Ok, maybe it isn't a tough choice after all...

  • by Anonymous Coward

    Donning my tinfoil hat, I remember a lecture by a CISSP about cloud providers. He said that in theory, a cloud provider can be hacked, blame it on a "bucket marked as public", maybe even edit a client config to make that so, and no matter how egregious the breach or how insecure the cloud provider is, the blame can be shifted to the client. The client has no proof that it was not set as default, and there always can be an audit log thrown in with some random employee's name. If a company controls the hor

  • by ctilsie242 ( 4841247 ) on Wednesday July 17, 2024 @11:01AM (#64632529)

    Maybe this is a good push to focus on tokenization and minimization. For example, a database on one hand just needs the serial numbers of flights. Instead of storing all that data, just have accessible the flight ID, and the rest of the info stashed somewhere different, similar to how transactions are handled where tokenized transactions have fewer PCI-DSS regs than ones with credit card numbers.

    A lot of things can be minimized by using SLCs. For example, a boarding pass can have times it's valid, then signed by an SLC for that day. With this type of system and a solid PKI, the boarding pass readers wouldn't even need Internet access to validate that someone's boarding pass is correct. Or, say a prepaid SIM card is good until a certain period of time, have it certified with an SLC, and when it is prepaid again, another cert with a later expiration date is tagged onto it. That way, anything checking the SIM knows it is valid without having to have access to a database.

    In general, anything requesting access to something for the customer, could pretty much (with exceptions, of course) be replaced by a PKI and SLCs.

    • by XXongo ( 3986865 )
      Let me remind you of type 1 and type 2 errors.

      Sure, you can put expiration time periods onto various electronic tokens, but you're going to find out that sometimes these screw up and you'll have people show up for a flight with a boarding pass that should have been valid but somehow isn't.

      What, you think that won't happen? It will happen all the time.
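To make the two comments above concrete, here is an added example (not code from either commenter, from AT&T, or from Snowflake) of the short-lived signed credential ctilsie242 describes, with the expiry edge case XXongo raises handled explicitly. The issuer signs a subject plus a validity window with Ed25519; a reader with only the public key verifies it offline, and a small clock-skew tolerance keeps a reader whose clock drifts a few minutes from rejecting a pass that is still good. The subject strings, reference time, TTL and skew are constructed values, and the whole token format is an assumption for illustration, not any real boarding-pass or SIM scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Token is a minimal short-lived credential (the "SLC" of the comment above):
// a subject identifier, a validity window, and an Ed25519 signature over all three.
type Token struct {
	Subject   string // e.g. a boarding-pass or SIM identifier (constructed values below)
	NotBefore int64  // Unix seconds
	NotAfter  int64  // Unix seconds
	Sig       []byte
}

var (
	ErrBadSignature = errors.New("token: signature does not verify")
	ErrNotYetValid  = errors.New("token: not yet valid")
	ErrExpired      = errors.New("token: expired")
)

// signedBytes fixes the exact byte layout that is signed: fixed-width fields
// first, then the subject, so no two (subject, window) pairs share an encoding.
func signedBytes(subject string, notBefore, notAfter int64) []byte {
	buf := make([]byte, 16, 16+len(subject))
	binary.BigEndian.PutUint64(buf[0:8], uint64(notBefore))
	binary.BigEndian.PutUint64(buf[8:16], uint64(notAfter))
	return append(buf, subject...)
}

// Issue is what the online issuer does: sign the subject plus a short window.
// Only the issuer holds priv; readers get the public key out of band.
// Keep ttl short: an offline reader has no revocation list, so a stolen
// token stays usable until NotAfter.
func Issue(priv ed25519.PrivateKey, subject string, from time.Time, ttl time.Duration) Token {
	nb, na := from.Unix(), from.Add(ttl).Unix()
	return Token{Subject: subject, NotBefore: nb, NotAfter: na,
		Sig: ed25519.Sign(priv, signedBytes(subject, nb, na))}
}

// Verify is what an offline reader does: check the signature with the public key,
// then the window. skew is the tolerance for reader clocks that drift, which is
// the false-rejection case the reply about type 1 and type 2 errors warns about.
func Verify(pub ed25519.PublicKey, tok Token, now time.Time, skew time.Duration) error {
	if !ed25519.Verify(pub, signedBytes(tok.Subject, tok.NotBefore, tok.NotAfter), tok.Sig) {
		return ErrBadSignature // signature first, so a forged window gets no say
	}
	t, s := now.Unix(), int64(skew.Seconds())
	if t < tok.NotBefore-s {
		return ErrNotYetValid
	}
	if t > tok.NotAfter+s {
		return ErrExpired
	}
	return nil
}

// Scenarios exercises the issuer/reader pair against a fixed, constructed clock
// and returns the verification result for each case by name.
func Scenarios() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	issuedAt := time.Date(2024, 7, 17, 10, 0, 0, 0, time.UTC) // constructed reference time
	pass := Issue(priv, "flight:XY123:seat:14C", issuedAt, 24*time.Hour)
	skew := 5 * time.Minute

	forged := pass
	forged.Subject = "flight:XY123:seat:1A" // seat rewritten; signature no longer matches

	return map[string]error{
		"valid":       Verify(pub, pass, issuedAt.Add(6*time.Hour), skew),
		"tampered":    Verify(pub, forged, issuedAt.Add(6*time.Hour), skew),
		"early":       Verify(pub, pass, issuedAt.Add(-1*time.Hour), skew),
		"expired":     Verify(pub, pass, issuedAt.Add(25*time.Hour), skew),
		"within_skew": Verify(pub, pass, issuedAt.Add(24*time.Hour+2*time.Minute), skew),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-12s -> %v\n", name, err)
	}
}
```

The reader never contacts a database, which is the minimization win; the price is that revocation before NotAfter is impossible, so the window has to be short and the issuer's key has to be protected, and the skew tolerance is a deliberate trade of a little acceptance window for fewer stranded passengers.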

      • Ultimately, good security is expensive and inconvenient. Whereas leaders of companies are always trying to find ways to cut costs and increase the margins, and the business thinking today is all short term and not long term. Thus security gets short shrift. Often the inexpensive alternative is to offer customers one free credit check if (not when) they get hacked.

  • Perhaps if we took the time to use it (including the many years to backport security to all our existing digital infrastructure), we wouldn't have this problem?

    Start with chat. Even when Slack proffered secure end-to-end cryptography, only the security-minded (myself included) cared. I couldn't get any of my social circle to use it.

    Then there's email. Everyone has gotten used to sending postcards, zip/password protecting anything they managed to not want on the front page of the Times. E2E encryption

    • Even when Slack proffered secure end-to-end cryptography, only the security-minded (myself included) cared. I couldn't get any of my social circle to use it.

      Slack does not offer and never has offered E2E. They only have in-flight and at-rest encryption. They also have a platform which is complete trash. It doesn't work worth one tenth of one crap, so no wonder nobody wanted to use it.

      Security was never engineered into the internet - even when it went from v4 to v6 (a prime opportunity to introduce some security, IMHO).

      Security being engineered into IPv6 is why nobody wants to implement it.

      • If loss of customer data to outside attack was a crime (pointing at company C-suites) then very little data-theft would occur. Why are such laws not already in effect?
        • If loss of customer data to outside attack was a crime (pointing at company C-suites) then very little data-theft would occur. Why are such laws not already in effect?

          Because if this were the case, then nobody in their right mind would willingly become a C-level executive. Without these people there wouldn't be a functioning company, so there would be fewer companies doing fewer useful things. Progress, heck even maintenance of what society has already figured out, would skid to a near-stop. This isn't the way.

          A far better way forward is harsh financial penalties against companies for using less than industry best practices. Those penalties can come from either the c

    • I think early on it was inconvenient to pre-share info (public keys, certs, etc). But we've got infrastructure now that can make this nearly invisible - let the ISP authenticate the email address and name, the ISPs can generate the cert, regenerate it periodically. Or don't trust the ISP, then go with a major trusted authority (Verisign-like, if only you could get them to do this for free).

      If you don't encrypt then you still have authentication, which clamps down on lots of spam and scams, and those not bo

    • Why does the original FTP protocol even exist anymore?

      Because you can't make a secure FTP without the FTP. Just like you can't make secure HTTP without the HTTP. All encryption does is obfuscate. You still need to agree on what the rules of verbiage are to carry on a meaningful conversation.

      Further, not everything needs encryption. A Linux distribution ISO is public knowledge. Encrypting it in transit from one point to another doesn't enhance its security the same way that encrypting a bank transaction will. Yes, the download will indicate that the download

  • Is that dude related to Vivek Ramaboobapadamalaswamy?

  • The term "hacked" (Score:5, Interesting)

    by BringsApples ( 3418089 ) on Wednesday July 17, 2024 @11:21AM (#64632605)

    ...is basically played out at this point. We have to admit that there have been so many data breaches that everyone's private information, all of it, has been exposed already. We're just waiting for another 20 years for the new batch of babies to grow up to have enough data worth stealing. And with the way society is going, the whole concept of "privacy" is disappearing totally.

    At some point, we're going to do away with this whole concept of things belonging to people, and instead we're all going to be told that everything belongs to a dictator. Yep, an entire planet of South Korea|China|Russia mentality. Prove me wrong.

  • We have no choice but to provide the highest value for the stockholders - the next quarter. Anything longer than that is nice, but not necessary, the stockholders can put their money elsewhere where more value provided makes more money for them.

    So in that world, it makes perfect sense to not have any more security than needed to ensure that the next quarter's profit is pleasing to the stakeholders.

    As soon as the IT departments were turned into cost centers, and accelerating cloud usage became the ord
