Network Concerns?
Old 12-21-2014, 08:00 AM   #1
Recycles dryer sheets
 
Join Date: Nov 2006
Posts: 428
Network Concerns?

With all the news about the Sony Hack I have become concerned about retirement fund safety.

Are others becoming more concerned? Has anyone taken steps to increase security?
Tekward is offline   Reply With Quote

Old 12-21-2014, 08:17 AM   #2
Recycles dryer sheets
 
Join Date: Nov 2006
Posts: 428
One useful action from Krebs: registering your account on the SSA portal: Crooks Hijack Retirement Funds Via SSA Portal — Krebs on Security
Tekward is offline   Reply With Quote
Old 12-21-2014, 08:53 AM   #3
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
MRG's Avatar
 
Join Date: Apr 2013
Posts: 11,078
Quote:
Originally Posted by Tekward View Post
With all the news about the Sony Hack I have become concerned about retirement fund safety.

Are others becoming more concerned? Has anyone taken steps to increase security?
Not really. Sony's been hacked before and never fixed their existing issues. Apparently their management didn't care enough to really fix the core issues. I'd read a piece claiming the dollar amount of damage, a great deal of that number was fixing security holes they knew existed, before this last hack!

Take your mutual fund account (wherever). They are regulated and audited. These audits are no fun, the auditors are signing off they did due diligence. The first hack at Sony would have caused a mutual fund company to fix everything, starting with the apparently incompetent security staff.

Think about it, Sony cost themselves a lot of money. They didn't take it away from you. If a fund company lost its clients' data/money how long do you think they would be in business? The redemptions would destroy the business.

I don't understand the reports that the hackers deleted Sony's data. Where is the off site backup? Really you don't have one, that is beyond sad. (Data recovery 101)

All that said, take proper precautions (strong passwords, don't share, AV, and OS updated...) and relax.

Yes I strongly believe these hackers should be prosecuted and put away. I hope the rest of corporate America wakes up, there are bad guys that want in, you need to have staff and funding to keep them out. Good career speciality for a while.

Thanks Tekward, good advice on SSA.

MRG is offline   Reply With Quote
Old 12-21-2014, 10:19 AM   #4
Administrator
Alan's Avatar
 
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,021
I suspect most non-financial corporations have similar terrible IT security. I used to work for a mega-chemical company who also didn't take IT security seriously enough imo, even after they paid a security company to test the company security.

The "hackers" first tried the internet firewall which they concluded was well configured, but front doors are often heavily barred. They then used "social engineering" tactics and it was easy. At the global HQ in Texas they observed and took photos of employees arriving at work, and then made realistic looking photo-id badges for themselves and simply walked into the building following workers who held the door open for them. (The badges did not actually work to access the elevators). They then went into a printer/fax room and connected a small wireless router between a printer and its wall connection, leaving the box hidden behind the printer.

From outside they sat in the public courtyard and connected to the Corporate network, downloaded a network sniffer and easily got access to just about anything they wanted because the internal network is not encrypted and as users log onto their account the names and passwords are transmitted in clear text. (no SSL). Also the company does not register network devices which is why any network device such as personal laptops, personal wireless routers etc are allowed and don't set off intrusion alarms.

The IT security company also did a similar successful breach through one of the R&D facilities. They simply waited until closing time after the receptionist had left, and walked in as employees left, again the employees were only too happy to hold the door open as someone they didn't know, but wearing a fake id badge wanted to come in.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
Alan is offline   Reply With Quote
Old 12-21-2014, 10:32 AM   #5
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
harley's Avatar
 
Join Date: May 2008
Location: No fixed abode
Posts: 8,764
I worked in network security in a super megacorp for a large part of my career. Our job was to keep everything patched and to keep everyone out of everything. We spent all our time denying access to everything, and everybody hated us for making them prove they needed the access. I even had a keychain fob that I picked up at the Spy Museum that said "Deny Everything". But whenever it came down to a decision based on the company making money vs. staying secure, the money always won. As it should be in a good capitalist environment, but it created large holes that management knew about (from our constant harping). If/when one of them would be exploited and something bad happened, they just had to suck it up. We kept good notes and when they tried to blame us we'd pull them out and say "told ya so".

Many other companies aren't even that good, and I'm assuming Sony was one of them. I wouldn't conflate what happened there with an organization that takes security seriously.


Also, security is getting a lot more difficult with everybody bringing their own devices into the network. We used to control all the desktops and laptops and access points, but that's all changed with the advent of smart phones and wifi and all. I wouldn't want to be the one responsible for keeping out the bad guys in this environment. But a company that is truly concerned about security (like a financial company) won't allow those things in and should be much tighter.
__________________
"Good judgment comes from experience. Experience comes from bad judgement." - Anonymous (not Will Rogers or Sam Clemens)
DW and I - FIREd at 50 (7/06), living off assets
harley is offline   Reply With Quote
Old 12-21-2014, 01:04 PM   #6
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Car-Guy's Avatar
 
Join Date: Aug 2013
Location: Texas
Posts: 10,836
Quote:
Originally Posted by harley View Post
I worked in network security in a super megacorp for a large part of my career. Our job was to keep everything patched and to keep everyone out of everything. We spent all our time denying access to everything, and everybody hated us for making them prove they needed the access.
As a "networker" you probably kept your routers, switches and firewalls patched and had to block addresses, subnets and protocols because the systems folks wouldn't or couldn't protect themselves.

Quote:
Originally Posted by harley View Post
Also, security is getting a lot more difficult with everybody bringing their own devices into the network.
That's certainly one of the major threat vectors for the bad stuff to get in. Nothing like bringing in a compromised machine from the outside and plugging it into a secured subnet.

I could go on and on for a while on this topic.
Car-Guy is offline   Reply With Quote
Old 12-21-2014, 01:25 PM   #7
Administrator
Alan's Avatar
 
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,021
Quote:
Originally Posted by harley View Post

Also, security is getting a lot more difficult with everybody bringing their own devices into the network. We used to control all the desktops and laptops and access points, but that's all changed with the advent of smart phones and wifi and all. I wouldn't want to be the one responsible for keeping out the bad guys in this environment. But a company that is truly concerned about security (like a financial company) won't allow those things in and should be much tighter.
Our site used to have a lot of independence from Corporate and we had a policy of all networked devices being registered in the router tables so that only the unique ID of a network card in a PC/Printer/etc that was recognized in the router tables could be connected to our network. But in 2000 our site was sold to another Megacorp who soon imposed their Corporate IT standards and opened up the site so that anyone could bring in a personal laptop and plug it into the network. Even without malice aforethought a personal laptop is much more likely to have viruses and worms just waiting to be injected into a large network.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
Alan is offline   Reply With Quote
Old 12-21-2014, 01:35 PM   #8
Moderator
Walt34's Avatar
 
Join Date: Dec 2007
Location: Eastern WV Panhandle
Posts: 25,290
No, I am not concerned either.

What MRG, Alan, and harley said.
__________________
When I was a kid I wanted to be older. This is not what I expected.
Walt34 is offline   Reply With Quote
Old 12-21-2014, 10:13 PM   #9
Thinks s/he gets paid by the post
 
Join Date: Jun 2014
Posts: 1,069
The only security I'm worried about is TD Ameritrade's and Vanguard's.


dallas27 is offline   Reply With Quote
Old 12-22-2014, 05:53 AM   #10
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
donheff's Avatar
 
Join Date: Feb 2006
Location: Washington, DC
Posts: 11,313
I can't help but worry about it. Sooner or later (or more likely already) a major financial institution is going to lose a boatload of client funds to criminal hackers. It is not if, but when. I just hope they cover our butts when it does. My biggest fear is finding myself in a fight with an institution that loses my funds while enforcing two factor authentication and then fights me over whether the breach is real. Not much to be done about it.
__________________
Idleness is fatal only to the mediocre -- Albert Camus
donheff is offline   Reply With Quote
Old 12-22-2014, 06:13 AM   #11
Administrator
MichaelB's Avatar
 
Join Date: Jan 2008
Location: Chicagoland
Posts: 40,518
Wasn't Chase hacked? They have not yet fully disclosed the extent of the damage and data theft.

Hacking is everywhere and never ending. System and data safety is not that difficult, what it really needs is management commitment and organizational discipline. With profit margins at historic highs it looks to me like there is room to deal with this.

Perhaps if corporate boards started giving the boot to executives of corporations suffering from major security lapses, the others would take it more seriously.
MichaelB is offline   Reply With Quote
Old 12-22-2014, 07:18 AM   #12
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
MRG's Avatar
 
Join Date: Apr 2013
Posts: 11,078
Chase was hacked. But other than ID theft they didn't lose anything.
I guess we accept ID theft anymore.

I agree when boards are made accountable things will change faster. Some feel they are accountable now, those are the companies that really place value on secure data. I remember our C level execs saying they didn't look good in orange and data security had the highest priority. They backed their words with actions.

There was no faster way out the door where I w*rked than bringing in a device like a laptop or a USB stick. By the time you were plugged in a couple nice people were there to escort you out.

You can secure customer data, it just has to be a priority.

http://lifehacker.com/chase-bank-hac...nts-1642063956

MRG is offline   Reply With Quote
Old 12-22-2014, 07:30 AM   #13
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,644
Quote:
Originally Posted by MRG View Post
I agree when boards are made accountable things will change faster.
This is probably true generally. Perhaps changing the legal structure and making directors and officers general partners with primary liability. Penalties, losses etc would first pass to the general partners before hitting the shareholders.
jebmke is offline   Reply With Quote
Old 12-22-2014, 08:57 AM   #14
Full time employment: Posting here.
 
Join Date: Apr 2006
Posts: 969
Similar fears result in me doing business with what most here consider a ridiculous number of institutions: 4 banks and 5 brokers + TreasuryDirect + 2 other HSA custodians.

At one point, I was considering consolidating to make rebalancing and general management easier; but, spreading it around does help me sleep at night.

At some point, I will likely reduce the numbers above somewhat but likely not lower than 3 + TreasuryDirect.
__________________
If there's one thing in my life that's missing; It's the time I spend alone
Sailing on the cool and bright clear waters; There's lots of those friendly people
Showin me ways to go; And I never want to lose your inspiration
CoolChange is offline   Reply With Quote
Old 12-22-2014, 09:58 AM   #15
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
MRG's Avatar
 
Join Date: Apr 2013
Posts: 11,078
Quote:
Originally Posted by CoolChange View Post
Similar fears result in me doing business with what most here consider a ridiculous number of institutions: 4 banks and 5 brokers + TreasuryDirect + 2 other HSA custodians.

At one point, I was considering consolidating to make rebalancing and general management easier; but, spreading it around does help me sleep at night.

At some point, I will likely reduce the numbers above somewhat but likely not lower than 3 + TreasuryDirect.
Rustward had a great response to that practice.

http://www.early-retirement.org/foru...ad.php?t=74870

MRG is offline   Reply With Quote
Old 12-22-2014, 12:59 PM   #16
Moderator
Walt34's Avatar
 
Join Date: Dec 2007
Location: Eastern WV Panhandle
Posts: 25,290
Quote:
Originally Posted by donheff View Post
I can't help but worry about it. Sooner or later (or more likely already) a major financial institution is going to lose a boatload of client funds to criminal hackers. It is not if, but when. I just hope they cover our butts when it does.
I have little doubt that they will. If funds were stolen from Fidelity or Vanguard and they did not cover the loss how much would they still have under management following the headline "Customers lose all their retirement funds to hackers"?

Everyone who could still read would take their money out immediately and these companies know that.
__________________
When I was a kid I wanted to be older. This is not what I expected.
Walt34 is offline   Reply With Quote
Old 12-23-2014, 09:40 AM   #17
Thinks s/he gets paid by the post
 
Join Date: Aug 2006
Posts: 1,558
Many companies are doing a pretty good job with security. You can use dot1x authentication to prevent non-company devices from connecting to the network, and you can lock down the workstations themselves to prevent the use of USB sticks. My company does both.

It's not perfect, but many companies are taking security very seriously.

The retailers as a group sure seem to be behind the curve though, given the pretty simple ways so many of them have been hacked.


Quote:
Originally Posted by MRG View Post
There was no faster way out the door where I w*rked than bringing in a device like a laptop or a USB stick. By the time you were plugged in a couple nice people were there to escort you out.

You can secure customer data, it just has to be a priority.
Hamlet is offline   Reply With Quote
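Added example, not posted by any thread participant: a small audit of a switch MAC-address table for the two gaps described in posts #4, #7 and #17, namely devices that are not in the registered inventory and an extra box bridged onto a port that should carry one device (the printer's wall jack). The inventory, port names and table snapshot are constructed sample data, and the "vlan mac type port" layout is an assumed generic format.

```python
import re
from collections import defaultdict

# Constructed inventory of registered devices (MAC -> description).
REGISTERED = {
    "00:11:22:33:44:01": "printer-3f-east",
    "00:11:22:33:44:02": "desktop-hr-017",
    "00:11:22:33:44:03": "desktop-rd-204",
}

# Hypothetical access ports that should each carry exactly one device.
SINGLE_DEVICE_PORTS = {"Gi1/0/7", "Gi1/0/8", "Gi1/0/9"}

# Constructed table snapshot: vlan, MAC, entry type, port.
SAMPLE_TABLE = """\
10  0011.2233.4401     DYNAMIC  Gi1/0/7
10  a4b1.c2d3.e4f5     DYNAMIC  Gi1/0/7
10  a4b1.c2d3.e4f6     DYNAMIC  Gi1/0/7
10  00-11-22-33-44-02  DYNAMIC  Gi1/0/8
20  0011.2233.4403     DYNAMIC  Gi1/0/9
"""

def normalize_mac(raw):
    """Accept dotted, dashed or colon notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_table(text):
    """Return (port, mac) pairs, skipping lines that do not parse."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            entries.append((fields[3], normalize_mac(fields[1])))
        except ValueError:
            continue
    return entries

def audit(entries, registered, single_ports):
    """Flag unregistered MACs and single-device ports showing several MACs."""
    known = {normalize_mac(m) for m in registered}
    by_port = defaultdict(set)
    for port, mac in entries:
        by_port[port].add(mac)
    findings = []
    for port in sorted(by_port):
        macs = by_port[port]
        for mac in sorted(macs - known):
            findings.append(("unregistered-device", port, mac))
        # A printer jack with several MACs suggests a router, switch or
        # bridge was inserted between the printer and the wall.
        if port in single_ports and len(macs) > 1:
            findings.append(("multiple-macs-on-port", port, len(macs)))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_table(SAMPLE_TABLE), REGISTERED, SINGLE_DEVICE_PORTS):
        print(finding)
```

A MAC address is self-asserted by the device, so this check is a detection aid; port authentication such as the dot1x mentioned in post #17 is the enforcement control.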
Old 12-26-2014, 10:14 PM   #18
Recycles dryer sheets
 
Join Date: Apr 2008
Posts: 223
About the Sony attack, at first I was very concerned by reading all the headlines about "first foreign attack on a corporation," whether we are in a new era of hacking, etc, etc. I read a couple articles and sort of didn't understand what had happened and why. And then I saw a program on the movie that Sony Pictures was planning on releasing, and everything made sense. Did no one connect the dots on why Sony Pictures was hacked by a foreign government? Is this incident really indicative of anything? No, I'm not saying it was justified, and yes, their security was likely inadequate.

The biggest risk is probably not using secure passwords or having them in accessible places, not a network attack on a financial institution (due to their security).
inquisitive is offline   Reply With Quote
Old 12-27-2014, 06:24 AM   #19
Thinks s/he gets paid by the post
 
Join Date: Mar 2010
Location: Kerrville,Tx
Posts: 3,361
There have been recent stories that Sony was an inside job: a disgruntled IT staffer provided the access. It does make sense since the volume of data taken was so great. Inside jobs are of course the oldest trick in the book.
meierlde is offline   Reply With Quote
Old 12-27-2014, 08:11 AM   #20
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
MRG's Avatar
 
Join Date: Apr 2013
Posts: 11,078
Bottom line is we don't know who did the hack. It takes a long time to figure out who was responsible. Like months for real results.

I learned through my career to not make quick judgments on any IT issues. The first words spoken are never forgotten. If you speak too quickly you have to convince the folks that heard you say the problem was "X", and now you think the problem was "Y". C level execs want one truth that doesn't change. I'm sure the same applies when we talk about governments.

Not much has been disclosed regarding the "hard coded" passwords or paths. Maybe they're default passwords and paths that come from the vendors. Maybe they're not and someone provided them, nobody here knows.

Please can we make the mods' job easy. Keep the thread non-political and alive, or start throwing political issues in the mix and leave no choice but to kill it. (I'm no mod but it's clear in the forum rules).

MRG is offline   Reply With Quote