What we have here is a failure to authenticate

Friends are coming, friends are going
Ain’t got no password, just friend or foe
Maybe there is a fight
When nothing else to do
From Friday Evening by Unit Lost

So there I was, enjoying my summer vacation, blissfully ignoring Security for All blogging duties and generally just having a swell time doing pretty much nothing, when a government agency pulls an anti-infosec stunt so egregiously asinine that I was compelled, nay – forced – to emerge from my self-proclaimed sabbatical to blog about it. But I’m getting ahead of myself, here. This post from the DenverChannel.com describes the incident thusly.

Colorado has one of the easiest and quickest online business databases. Business owners can update their name and address on the Secretary of State’s website, but so can anyone else. Twenty five businesses in Colorado have had their company information changed through the Secretary of State’s website, leading to $750,000 in fraud in the last four months.

“Altering that information allowed the perpetrators to actually apply for and receive lines of credit in the name of that particular business,” said Colorado Bureau of Investigation director Ron Sloan.

“Now hold on just a darn minute!” I hear you saying. “Are you trying to tell me that the database where businesses register with the State of Colorado is not authenticated?” Yep, that’s exactly what I’m telling you. I know this first hand, because my wife (AKA “the brains of this operation”) is setting up a new business and needed to register her trade name and other particulars with the state. She drew my attention to this after she (smart lady) found it suspicious that the site had captured her credit card number but never asked for or allowed her to set up a login and password. She also drew my attention to this article in a bit of a (justified) panic. So my reaction was initially just like yours – i.e. you can NOT be serious! Nobody could be that irresponsible. Actually it gets worse.

The state isn’t putting any security measures in place to prevent access to company information. “I’m not convinced that setting up passwords and pins has served as a deterrent that it’s thought to be,” said Secretary of State Bernie Buescher, D-Colorado. “Getting that implemented for 800,000 businesses, when this is a crisis right now, is not practical.” Buescher estimated that pins and passwords would require about six new employees and would cost the state millions of dollars in salaries, overhead and computer equipment. Instead of security measures, the state recommends that business owners register their e-mail address, so they can be notified if their information gets changed. “Signing up for e-mail notifications, we believe is an effective — cost-effective and easy way for people to take steps to prevent their corporate identities from being stolen,” said Buescher.

You have GOT to be kidding, right? “Not convinced that setting up passwords and pins has served as a deterrent that it’s thought to be” – well duh, Bernie, neither am I, but that doesn’t mean they aren’t a deterrent at all or that you shouldn’t implement them! You know, for that due diligence thing. And what’s with that [I paraphrase here] “this is going to cost too much so we’re going to let Colorado businesses twist in the wind” deal? I mean seriously, nobody outside of public service would ever consider letting such a blatantly moronic statement pass their lips in public. Bernie, dude, watch BP and learn. And finally, “Signing up for e-mail notifications, we believe is an effective — cost-effective and easy way for people to take steps to prevent their corporate identities from being stolen.” Are you freaking serious? Why not sign up your own business with this system, Bernie, and I’ll be glad to show you why this “mitigation” doesn’t pass the laugh test. [Let’s see: if I can change information for your business without even going through the motions of cracking authentication, then what prevents me from changing the email notification destination first?]
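To make that bracketed point concrete, here is a small added model (my own illustration, not code from the post or from the State’s actual system) of the two designs: a registry with no login whose only safeguard is an alert to the e-mail on file, beside one that requires an owner credential and also alerts the address that was on file before the edit. Business names, addresses and the `owner_token` secret are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Business:
    name: str
    address: str
    notify_email: str  # address that receives change alerts

class NotifyOnlyRegistry:
    """Models the design in the article: no login, anyone may update, only an alert."""
    def __init__(self):
        self.records, self.outbox = {}, []  # outbox holds (recipient, message)
    def register(self, biz_id, rec, owner_token=None):
        self.records[biz_id] = rec
    def update(self, biz_id, changes, owner_token=None):
        rec = self.records[biz_id]
        for field, value in changes.items():
            setattr(rec, field, value)
        # Flaw: the alert goes to whatever address is on file AFTER the edit.
        self.outbox.append((rec.notify_email, f"{biz_id}: {sorted(changes)} changed"))

class AuthenticatedRegistry(NotifyOnlyRegistry):
    """Hardened: updates need the owner's secret; the PRIOR alert address is told too."""
    def __init__(self):
        super().__init__()
        self.owner_tokens = {}
    def register(self, biz_id, rec, owner_token):
        super().register(biz_id, rec)
        self.owner_tokens[biz_id] = owner_token
    def update(self, biz_id, changes, owner_token=None):
        if owner_token is None or not hmac.compare_digest(self.owner_tokens[biz_id], owner_token):
            raise PermissionError("owner credential required")
        previous_email = self.records[biz_id].notify_email
        super().update(biz_id, changes)
        if previous_email != self.records[biz_id].notify_email:
            self.outbox.append((previous_email, f"{biz_id}: alert address changed"))

def owner_protected(registry):
    """Replay the post's scenario: an uncredentialed party re-points the alert address,
    then changes the business address. True if the edit was refused or the real
    owner's address still received an alert; False if the owner hears nothing."""
    owner_email, owner_token = "owner@example.com", secrets.token_hex(16)  # constructed
    registry.register("biz-1", Business("Acme Widgets", "1 Main St", owner_email), owner_token)
    try:
        registry.update("biz-1", {"notify_email": "elsewhere@example.net"})
        registry.update("biz-1", {"address": "99 Nowhere Ln"})
    except PermissionError:
        return True
    return any(recipient == owner_email for recipient, _ in registry.outbox)
```

`owner_protected(NotifyOnlyRegistry())` comes back False: every alert lands at the attacker-chosen address, which is exactly why the notification-only scheme is no mitigation at all.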

My eldest son, now a lawyer working for a DHS agency, once remarked that if you think the Federal Government pulls some stupid stunts, just watch State and local government for the really breathtaking stupidity. I now see what he was talking about. This story just keeps diving to new and lower levels.

“I’m content that in this point in time this is the most effective and efficient way to deal with the problem that we’ve got on our hands,” said Suthers [Attorney General John Suthers, R-Colorado]. “If (identity thieves) change the records and the company is immediately notified of that change, they can act before there’s any stealing of money. The important part of the crime has not yet been committed.”

Yeah. Sure. This is the same AG that is wasting our taxpayer money on (er… pursuing – with extreme prejudice) that “Anti-Obamacare” lawsuit. Here’s a tip John-Boy – notice that Bernie is a Democrat. Someone with your keen political intellect should be able to make big political hay with this fiasco. I mean, letting a Dem slide like that? What kind of tea partier are you?

Oh, and Bernie, with regards to that “six new employees and would cost the state millions of dollars in salaries, overhead and computer equipment” cost estimate, I can see where you might think that, being involved in State government and all. But seeing as how I gave AG Suthers a tip to throw you under the bus, I owe you a tip as well: at least a few of those “800,000 businesses” you so blithely exposed to the bad guys must have a couple of marginally IT-savvy interns they can loan you for a week or two. Of course if the entire State HR apparatus is as efficient as your department, you may have to wait a long time.

Seriously though – JUST FIX IT!