Wednesday, April 20, 2011

Why the Fed.Gov's Internet ID program is a persistently bad idea, part 2

Yesterday's post discussed the theory of why it's a bad idea.  Today we see the practical side.  Top Secret U.S. Weapons Laboratory hacked:

One of the most sensitive science labs in the US has shut down all internet access after attackers exploited a vulnerability in Microsoft's Internet Explorer browser to steal data from some of its servers, according to published news reports.

The security breach at the Oak Ridge National Laboratory is at least the second time since 2007 that computers have been hacked when employees were duped by phishing emails. The most recent compromise was initiated by messages that were manipulated so that they appeared to come from the lab's Human Resource Department, The Knoxville News Sentinel reported.
Nearly sixty employees clicked on the dodgy email, which exploited an Internet Explorer vulnerability to download custom malware.  The ORNL security team don't think that gigabytes of sensitive data were disclosed, but there's unlikely to ever be a precise accounting.

Now imagine that the Fed.Gov gets Grandma a nifty keen Internet ID - to keep her from having to remember so many passwords for secure sites, and everything.  How long do you think it will take before the Bad Guys are sending emails that look like they're from the Fed.Gov, saying there's a problem with your Internet ID and please click here to fix it?

And unlike the employees of Oak Ridge, Granny doesn't have a Top Secret security clearance with lots of special security awareness training.  As if it would help, anyway.

This is a huge, utter stinking hole of FAIL.  The only explanation is that it's the beginning of a power grab by the Fed.Gov, designed to eliminate Internet anonymity.

The Borepatch recommendation is: do not touch this stinker with a ten foot pole.  And tell your family not to bother, too.

4 comments:

Anonymous said...

And unlike the employees of Oak Ridge, Granny doesn't have a Top Secret security clearance with lots of special security awareness training.

Accordingly, she at least has an excuse.

Jim

Borepatch said...

Jim, yup.

Quizikle said...

I've received Federal "Internet Security" training. Written by a committee for the lowest common denominator.

And:
Do you suppose the Federal government IT security folks would have the same level of concern for Granny as for Oak Ridge and other such places?
Well...maybe :(

Here's how to make a computer 100% secure:
Don't connect it to the Internet.
Don't turn it on. No...come to think of it, that doesn't work. Don't plug it in.

SiGraybeard said...

Thanks for these two, Borepatch. Good stuff.