Does Roger Contract His Services?

Joined: January 5th, 2016, 1:53 pm

December 28th, 2017, 5:51 pm #1

My wife's the lead programmer / developer / analyst / jack-of-all-trades for a state-level enterprise system, and she could use the help of someone who thinks breaking the DMV is easier than resetting hardware codes...

Just wondering.

Jason

Joined: September 11th, 2014, 4:45 pm

December 28th, 2017, 8:09 pm #2


Joined: January 24th, 2017, 1:35 am

December 29th, 2017, 7:12 am #3

My wife's the lead programmer / developer / analyst / jack-of-all-trades for a state-level enterprise system, and she could use the help of someone who thinks breaking the DMV is easier than resetting hardware codes...

Just wondering.

Jason
Well, in theory at least, it only takes one weak password to gain access to a system. Bonus points if they use factory default on their firewall so you can add yourself as a superuser. And of course, there's many known leaks in most of the commonly used networking setups, so if you know what they use, you have a good set of first options. Big thing is making sure you've got good enough counter-hacking to keep them from tracing back to you. And no, satellite bounces don't work, the government tracks those.

I've never done security analysis on any DMV, so I'm not really prepared to make any sort of definitive statements on the topic of how likely it would be to try and hack them, but while I doubt it would be as easy as an SQL injection, it also probably isn't as hard as some make it out to be. It's a large government body, after all. SOMEONE's bound to have used a weak password, no matter what conditions you hem them in with. Hell, hemming them in with conditions in many ways just makes it easier, because now you have a set of conditions you can plug into your password guesser. Use a botnet to bypass three strikes rule so you can hit it from all over with different attempts. Really, unless they use a two-stage authentication system with a physical requirement, there's bound to be a way in somewhere.

Of course, most likely, there's a buffer of inbound requests that has to be manually cleared so you don't get jokers registering obscenities, and the security on that buffer has got to be far less secure than what is around the VIN database. Wiping the buffer ought to remove the code you don't want released, and whoever else's submissions that were sent since the last time someone cleared out the queue. But hey, government inefficiency and bureaucratic 'file and forget' make absolutely ironclad excuses for that. Which is as easy as getting any ol' user's account up and running and manually rejecting anything in said queue at the time. Including yours. Or just selectively remove yours. Either way.

Yanno, speaking theoretically and hypothetically of course.

Of course, Roger has access to resources most people don't have, so he'd probably have a significantly easier time of it. After all, worst case scenario, he could wormhole the input.

Joined: September 16th, 2016, 6:41 pm

December 29th, 2017, 2:47 pm #4

... and had to pay $37,000 (nine Bitcoins) to get over 70 terabytes of information unlocked. In Alabama, the Probate Offices handle vehicle tags and registrations, wills, as well as business and marriage licenses.
Of course, no one could explain how the hackers were able to get into the system to encrypt the files, but it seems somebody had a very weak password that allowed fairly easy access. The Probate Office is working with the FBI trying to figure out how and who is responsible but since they paid the ransom it's very unlikely they'll ever find the responsible party. Other state and local offices were attacked, but Montgomery was the only system hacked. Makes one wonder if the IT department is worth the money they're being paid.


Joined: August 14th, 2017, 10:03 pm

December 29th, 2017, 3:18 pm #5

Thou shalt make backups (and your backup system shall be remote to the main system being backed up, not part of it!)

Joined: September 12th, 2014, 3:32 am

December 29th, 2017, 3:21 pm #6

... and had to pay $37,000 (nine Bitcoins) to get over 70 terabytes of information unlocked. In Alabama, the Probate Offices handle vehicle tags and registrations, wills, as well as business and marriage licenses.
Of course, no one could explain how the hackers were able to get into the system to encrypt the files, but it seems somebody had a very weak password that allowed fairly easy access. The Probate Office is working with the FBI trying to figure out how and who is responsible but since they paid the ransom it's very unlikely they'll ever find the responsible party. Other state and local offices were attacked, but Montgomery was the only system hacked. Makes one wonder if the IT department is worth the money they're being paid.
It depends a great deal on how the ransomware got in (malicious email attachments are a primary vector; we've fended off a fair number of those at RedactedCo), how well the systems are maintained, and how competent the department is on handling those types of events.

Joined: July 10th, 2015, 8:58 pm

December 29th, 2017, 3:59 pm #7

Thou shalt make backups (and your backup system shall be remote to the main system being backed up, not part of it!)
Back up that backup elsewhere and have an off-line backup somewhere too. Or at least the latter.

Joined: September 29th, 2016, 1:55 am

December 29th, 2017, 5:57 pm #8

Thou shalt make backups (and your backup system shall be remote to the main system being backed up, not part of it!)
Can I get an AYY-Y-YYY-MEN, brothers and sisters?

Joined: January 5th, 2016, 1:53 pm

December 29th, 2017, 6:06 pm #9

My wife's the lead programmer / developer / analyst / jack-of-all-trades for a state-level enterprise system, and she could use the help of someone who thinks breaking the DMV is easier than resetting hardware codes...

Just wondering.

Jason
Would Roger know Java and SQL?

Joined: September 11th, 2014, 5:58 pm

December 29th, 2017, 7:42 pm #10

Can I get an AYY-Y-YYY-MEN, brothers and sisters?
When it comes to a backup, is that in the name of the son, father, grandfather... etc.?