191 million US voter records disclosed

Started by icecream-guy, December 29, 2015, 07:57:24 AM


icecream-guy

:professorcat:

My Moral Fibers have been cut.

deanwebb

191 million... that's another way of saying ALL THE VOTERS in the USA. All of them.

Of course, they didn't need security for the information because it had never been a problem before... also, they didn't know of any long-term exploitation of their breaches. They didn't know about the breaches, either. So it wasn't a problem.

Corporations have to realize that not getting comprehensive security in place is like allowing a guy with tuberculosis and bird flu to sit in a small, closed room with them and then proceed to cough and sneeze without sneezing... and then saying that, since you can't see the little nasties in the spew from the sick person, they're not a problem.

0. Get a bulk traffic router to filter raw Internet traffic.
1. Get a firewall.
2. Get an IPS.
3. Now that your perimeter is hardened, get a firewall and IPS for the datacenter.
4. Get some netflow monitoring in place.
5. Harden your DNS.
6. Implement a NAC solution.
7. Put in an intellectual property protection system.
8. Implement- hey! Where ya going? Don't walk off!

OK, so security is neither cheap nor easy if it is good. Fast is out of the picture, which is likely why so many companies just give up and expect to lose a certain amount of money each year to the security hemorrhage. Problem is, that first big loss may lead to the firm closing its doors permanently, often within a week or even days of a theft or destruction of information.

This is yet another thing that keeps small and midsize firms from succeeding.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

NetworkGroover

Yeah seriously who cares?  It's all about the electoral college anyway....
Engineer by day, DJ by night, family first always

deanwebb

Quote from: AspiringNetworker on December 29, 2015, 10:38:59 AM
Yeah seriously who cares?  It's all about the electoral college anyway....
In this case, marketers and fundraisers. If you know that a guy is going to vote for one party, rain or shine, you have information that, coupled with his Google history, can allow you to deliver advertising to him for products that tend to be popular among party diehards. Likewise, if one is noncommittal about politics, other products pertain to his interests.

As for fundraisers, they're obvious. Political fundraising is a massive industry, and the guys that know where the money is can charge big fees to direct a party's phone banks in those directions.

icecream-guy

My CERT people say the site is no longer online.

Otanx

The reason nobody cares is 1 - Besides IT and Cyber professionals nobody can keep up with the number of breaches. Even as a cyber professional myself I tend to glaze over breaches that don't pertain specifically to my customers. I just assume all of my information is out there, and that it is just luck every day that I don't have my identity stolen. 2 - This information was public for most people anyway. I checked, and I can register on the state website, and then send an email, and get access to all the voter registration information for my state. There isn't even a fee charged that I can see. If I know your name, and last four of your SSN I can request your specific record without even registering.

What it comes down to for most people is that unless it directly impacts them they don't care anymore. Too many times have these massive breaches been reported, and the average Joe didn't get his identity stolen so now he tunes it out. He knows the bank will send him a new card. He does not feel the need to do anything. As for the professionals that leave these systems out there I think a lot of it comes down to the old saying good fast cheap. Pick two. Companies see IT as a cost center, and so they want cheap. They also don't want to wait for the IT guy so fast is their second selection. This leads to under-trained staff trying to finish a project quickly. Even the ones who know better are going to forget stuff when they are in a rush.

-Otanx