Sources say workers involved are being disciplined

With the myriad high-profile hacks and attacks on government and corporate computer systems around the world, it's easy to believe that the U.S. federal government and its many arms would do all they can to keep its networks secure. However, that is not always the case.

Reuters reports that workers at the U.S. Securities and Exchange Commission failed to encrypt some of their computers that contained highly sensitive information from stock exchanges. The failure to encrypt the information left data vulnerable to cyber attacks, according to people familiar with the situation.

The computers left unencrypted reportedly belonged to a small number of employees in an office within the SEC Trading and Markets Division. That particular division is tasked with ensuring that various stock exchanges follow guidelines to protect the markets from potential cyber threats and system problems.
 
That makes it incredibly ironic that the employees tasked with ensuring systems are protected from cyber threats would leave their own computers unprotected.

Some of the staffers are known to have taken the unprotected computers to a Black Hat convention where computer hackers gather. There is no clear indication of why the staffers would have taken unencrypted and unprotected computers into the hackers' den.


The SEC insists that no data was breached from the insecure computer systems. However, the SEC was forced to spend around $200,000 to hire a third-party firm to conduct a thorough analysis to come to that conclusion.

Source: Reuters



Comments

Really??
By dgingerich on 11/9/2012 10:34:17 AM , Rating: 2
quote:
With the myriad high-profile hacks and attacks on government and corporate computer systems around the world, it's easy to believe that the U.S. federal government and its many arms would do all they can to keep its networks secure.


Would you really expect this of government workers? I certainly don't. Some, maybe, but most are too lazy to do any extra work like that.




RE: Really??
By gamerk2 on 11/9/2012 11:07:36 AM , Rating: 2
To be fair, server/pc encryption is handled by the IT department. And if there is no requirement from the US government for mandatory encryption, it won't be done.

Point being, it's on Congress to pass a bill making encryption mandatory for hard drives for all government functions.


RE: Really??
By dgingerich on 11/9/2012 1:31:31 PM , Rating: 2
Do you honestly think Congress is going to go through the extra effort to make government agencies do extra stuff? They want the government jobs to be nice and cushy, so they can get people to stay in them for life, never having to do any real work. Congress can't even be bothered to make cyber fraud or cyber extortion (like fake anti-virus programs) a real crime.


RE: Really??
By drycrust3 on 11/9/2012 1:55:24 PM , Rating: 1
I agree. At the very least it should have been the local IT department's rule (although it should really have been a directive from the head person at the SEC) that all the computers in their care have encrypted HDD prior to use, which again points at the IT department for not having such a rule. I'm sure they wouldn't forget to load their favourite antivirus software, so how come they thought it was ok to not have an encrypted HDD? The only logical answer is because they have lots of HDD that aren't encrypted, which is stupid because PCs are often sold when they are deemed "out of date", and people have often resurrected data from "erased" HDDs in the past. If every computer did have an encrypted HDD, and one "escaped the net" and was sold without having the HDD securely erased ... Do I have to ask? Do they have a policy regarding this?
As an aside, I do wonder what indications the new computers would have given if they did or didn't have encrypted drives to their new owners. When I bought this computer it booted up to Windows 7 in just seconds (I removed it and loaded a Linux distribution), so how is a new owner supposed to know the HDD wasn't encrypted?
Is it possible for the LAN to be set up so that there is an immediate indication given that a computer doesn't have an encrypted HDD, e.g. no one can login on it?
I think these employees are just being made scapegoats for the failure of a whole department of "yes men".


RE: Really??
By knutjb on 11/11/2012 12:13:54 PM , Rating: 2
quote:
To be fair, server/pc encryption is handled by the IT department.
Um, no. It is the responsibility of those who possess sensitive materials to ensure they are properly secured, not the IT department. If the IT department failed to protect said computers it is still the responsibility of the end users. That is how it is in law.

Do we really need more laws? If you don't punish those who fail to do their jobs correctly any new law won't work either. That office should be fired at minimum and prosecuted for their violations. What would the SEC do to a company that did what they just did, fine them and possibly send it to the Department of Justice?


RE: Really??
By drycrust3 on 11/11/2012 2:24:18 PM , Rating: 2
quote:
It is the responsibility of those who possess sensitive materials to ensure they are properly secured, not the IT department. If the IT department failed to protect said computers it is still the responsibility of the end users. That is how it is in law.

Ok, so you're the new boy in the office, you've just got the job fighting a thousand other people for the job, you've had to meet a hundred people whose names you can't remember, you've been given a desk right where everyone can hear every phone conversation with your mother, your manager has given you an assignment that he wants you to complete today and you've no idea what he's talking about, and then some clown turns up with a computer and says it's yours and here is your login and password. Now, tell me, are you going to say "Thanks ... which of these ports on the desk is the one I plug the Ethernet cable into?" or "Does it have an encrypted Hard Disk Drive"?
Or right out of the blue, just before you're due to go to a meeting that has taken 6 months to organise with some dude from a company that persistently isn't following the rules, some clown turns up and gives you "here is your new computer, we've set it all up for you" and demands "I need to take your old computer back with me ... right now". So you're going to ask "Can't you come back tomorrow morning?" or "Does it have an encrypted HDD?"
Or you turn on your computer every morning, the same as always, and for 30 seconds there are lots of meaningless DOS messages, and you're going to notice the one that says "This computer has an encrypted HDD"? isn't there?
You are right in the sense that it is everyone's responsibility to protect data, but that includes the top people in the SEC. As I said, these employees are being used as scapegoats for failings that go to the very top of the SEC. If they had done their job right those laptop computers would have been confiscated and replaced for not having encrypted HDDs.
I still think the SEC has lots of computers and servers that don't have encrypted HDDs, and no one has said I'm wrong.


RE: Really??
By AntiM on 11/9/2012 11:22:40 AM , Rating: 2
Doesn't surprise me.

SEC Porn Problem: Officials Surfing Sites During Financial Crisis, Report Finds

http://abcnews.go.com/GMA/sec-pornography-employee...

One senior attorney at SEC headquarters in Washington spent up to eight hours a day accessing Internet porn, according to the report, which has yet to be released. When he filled all the space on his government computer with pornographic images, he downloaded more to CDs and DVDs that accumulated in boxes in his offices.


RE: Really??
By deathwombat on 11/9/2012 12:44:42 PM , Rating: 2
quote:
Some, maybe, but most are too lazy to do any extra work like that.


It shouldn't be extra work, it should be mandatory! You're right that it's unreasonable to expect (public or private sector) employees to do work that they're not required to do. Securing systems should be a requirement.


RE: Really??
By MadMan007 on 11/9/2012 7:45:33 PM , Rating: 2
I bet you don't even know a single government worker. Easier just to paint them all with your prepackaged biases, right?


RE: Really??
By tjcinnamon on 11/10/2012 12:55:44 PM , Rating: 2
quote:
Would you really expect this of government workers? I certainly don't. Some, maybe, but most are too lazy to do any extra work like that.


Could we get a source on this "laziness" you speak of (other than Fox News)? Or are you just so blindly anti-government and public service worker that you've made a blind sweeping derogatory comment?

<sarcasm> I'm sure in the private sector everyone are these studly workhorses. </sarcasm>

The truth is in any large company there's going to be morons and there's going to be amazing workers. NEVER will there be all of one or the other.


RE: Really??
By Ringold on 11/10/2012 2:35:10 PM , Rating: 2
Ever been to a post office? Maybe a DMV? Clerk of courts office?

And, anyway, can't remember the journal, but there's published studies showing government workers, no matter how one controls for outside variables, are less productive. There's no institutional pressure to perform. Even liberal economists would, begrudgingly, agree because, again, there is no institutional pressure for them to. It's not their money, their job security depends only vaguely on performance, and if budgets get busted, usually more magically appears.


RE: Really??
By thirdshop on 11/12/2012 8:46:28 AM , Rating: 2
It's pretty convenient that you forget who published these "studies". So what you're saying is facts don't matter, just trust me because I have "studies" backing me up. Is it any wonder R&R lost when they too used the same type of "studies" you are basing your comments upon?

Let me turn this around, ever been to a bank? Maybe your telephone company? Your internet/cable provider?

Anyway can't remember the journal, but there's published studies showing how monopolistic companies, no matter who controls the outside variables are less productive. There's no institutional pressure to perform. Even conservative economists would, begrudgingly, agree because, again, there is no institutional pressure for them to.

I used the same sources you did.


Copyright 2014 DailyTech LLC.