
SoylentNews is people

posted by martyb on Friday October 10 2014, @11:49AM
from the do-you-feel-lucky-punk? dept.

Robert X. Cringely points out the hidden costs of running corporate IT over the public internet:

How cheap is IT, really, if it compromises customer data? Not cheap at all. Last year’s Target hack alone cost the company more than $1 billion, estimated Forrester Research. The comparably-sized Home Depot hack will probably cost about the same. JP Morgan Chase is likely to face even higher costs.

He wonders why companies aren't shifting to dedicated networks, like they used to make with leased lines.

Taking a bank or retail network back to circa 1989 would go a long way toward ending the current rash of data breaches. It would be expensive, sure, but not as expensive as losing all the money that Target and others have recently done.

Is this practical? If so, how would it be accomplished with modern equipment?

  • (Score: 1, Insightful) by Anonymous Coward on Friday October 10 2014, @12:15PM

    by Anonymous Coward on Friday October 10 2014, @12:15PM (#104415)

    Cringely's column was down for quite a while. It should have stayed down. Or at least he might try to learn about these newfangled things called firewalls and VPNs. But I guess that, for an internet blogger like Cringely, completely cutting off the enterprise's intranet from the internet is unthinkable.

  • (Score: 3, Interesting) by Bot on Friday October 10 2014, @12:19PM

    by Bot (3902) on Friday October 10 2014, @12:19PM (#104417) Journal

    If I recall correctly, ethernet cables can be crippled to allow one way only transmission. Dunno how much of the tcp stack it disrupts, but surely it can be worked around.
    That would secure all backup servers from data leak.
    Many other business processes could benefit from one way comm.

    --
    Account abandoned.
    • (Score: 1, Interesting) by Anonymous Coward on Friday October 10 2014, @12:24PM

      by Anonymous Coward on Friday October 10 2014, @12:24PM (#104421)

      Dunno how much of the tcp stack it disrupts

      TCP would be disrupted completely because it depends on two-way communication.

      UDP could be used; however, with no back channel at all, the only thing you can do is broadcast pre-defined information (think TV). This might work for pure monitoring when the amount of data is low enough that you can send everything continuously, but otherwise a one-way channel would be quite useless.

    • (Score: 0) by Anonymous Coward on Friday October 10 2014, @12:25PM

      by Anonymous Coward on Friday October 10 2014, @12:25PM (#104422)

      How can the device or system actually storing the backup report whether the storage was successful or not if the communication only goes one way?

      How can the data be retrieved from the backup server for legitimate restorations if the communication only goes one way?

    • (Score: 3, Informative) by ticho on Friday October 10 2014, @12:26PM

      by ticho (89) on Friday October 10 2014, @12:26PM (#104423) Homepage Journal

      If such action really does cause one direction to stop working entirely, then TCP won't work at all. UDP might, since it does not require any response from the receiver.

    • (Score: 1) by artman on Friday October 10 2014, @06:27PM

      by artman (1584) on Friday October 10 2014, @06:27PM (#104565)

      WOM I love it!!!!

      Nobody can access the data.

      --
      No Sig for me Thanks
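    The sub-thread above asks what a receiver can do when the link is physically one-way: TCP cannot run at all, and UDP can only be sprayed at it. This is an added example, not code from any of the posters: it simulates a one-way transfer where each datagram carries a sequence number, a length and a SHA-256 digest, so the receiving side can at least detect lost or damaged frames on its own, even though it can never acknowledge or request a retransmit. The frame layout, chunk size and the in-memory "link" are constructed for the simulation; no network is used.

```python
"""One-way ("data diode") transfer simulation: framed datagrams with
sequence numbers and digests, received without any back channel.
Added example; frame format and sizes are constructed for illustration."""
import hashlib
import struct
from dataclasses import dataclass, field

# Constructed frame header: sequence number, payload length, SHA-256 of payload.
HEADER = struct.Struct("!IH32s")
CHUNK = 64  # constructed payload size per frame


def make_frame(seq: int, payload: bytes) -> bytes:
    """Build one datagram; an empty payload marks end-of-stream."""
    return HEADER.pack(seq, len(payload), hashlib.sha256(payload).digest()) + payload


def send_one_way(data: bytes) -> list[bytes]:
    """Sender side: emit numbered frames followed by a zero-length EOF frame.
    Nothing ever comes back, so the sender cannot know what arrived."""
    frames = [make_frame(seq, data[off:off + CHUNK])
              for seq, off in enumerate(range(0, len(data), CHUNK))]
    frames.append(make_frame(len(frames), b""))
    return frames


@dataclass
class ReceiveReport:
    data: bytes = b""
    missing: list = field(default_factory=list)    # sequence numbers never seen intact
    corrupted: list = field(default_factory=list)  # frames whose digest did not match
    complete: bool = False                         # EOF seen and nothing missing/corrupted


def receive_one_way(frames: list[bytes]) -> ReceiveReport:
    """Receiver side: verify each frame, reassemble in order, and report gaps.
    The report is for the operator on the receiving side; it cannot be sent back."""
    chunks: dict[int, bytes] = {}
    corrupted: list[int] = []
    eof_seq = None
    for raw in frames:
        if len(raw) < HEADER.size:
            continue  # truncated datagram: no usable header
        seq, length, digest = HEADER.unpack_from(raw)
        payload = raw[HEADER.size:]
        if len(payload) != length or hashlib.sha256(payload).digest() != digest:
            corrupted.append(seq)  # header may itself be damaged; seq is best effort
            continue
        if length == 0:
            eof_seq = seq
        else:
            chunks[seq] = payload
    seen = set(chunks) | set(corrupted) | ({eof_seq} if eof_seq is not None else set())
    highest = max(seen, default=-1)
    # Every data frame below the highest observed sequence number must have arrived.
    missing = sorted(set(range(highest)) - seen)
    report = ReceiveReport(
        data=b"".join(chunks[s] for s in sorted(chunks)),
        missing=missing,
        corrupted=sorted(corrupted),
        complete=eof_seq is not None and not missing and not corrupted,
    )
    return report


if __name__ == "__main__":
    sample = bytes(range(256)) * 2          # constructed 512-byte "backup"
    frames = send_one_way(sample)
    print(receive_one_way(frames).complete)                  # intact link
    print(receive_one_way(frames[:3] + frames[4:]).missing)  # one frame dropped in transit
```

    Run stand-alone it prints `True` for the intact link and `[3]` for the lossy one. The point the AC raised stands: the sender still learns nothing, so a real one-way backup design pairs this with an out-of-band success check (an operator, or a separate monitored channel), not with a protocol that expects acknowledgements.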
  • (Score: 4, Informative) by ticho on Friday October 10 2014, @12:19PM

    by ticho (89) on Friday October 10 2014, @12:19PM (#104418) Homepage Journal

    Most of the big companies are indeed using leased lines for sensitive stuff, and have never stopped using them. But, of course, that never makes the news.

    • (Score: 2) by VLM on Friday October 10 2014, @01:04PM

      by VLM (445) Subscriber Badge on Friday October 10 2014, @01:04PM (#104437)

      Lower latency and much lower jitter; it's obvious if you're not getting switched or multiplexed...

      • (Score: 2) by jasassin on Saturday October 11 2014, @07:43AM

        by jasassin (3566) <jasassin@gmail.com> on Saturday October 11 2014, @07:43AM (#104711) Homepage Journal

        We used Multitech multiplexers on leased lines from branch offices between banks. Impressive shit, even at 9600 baud! Leased lines, in my day, were just a batphone. Not sure what kinda speed you can get now.

        --
        jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
    • (Score: 2) by Nerdfest on Friday October 10 2014, @02:29PM

      by Nerdfest (80) on Friday October 10 2014, @02:29PM (#104471)

      When I first read TFS I was going to post that the leased lines can be completely co-opted by the government to send all data to them more easily than public internet. The summary is about public data breaches, but I find it a bit sad that the first thing that came to mind was the NSA.

  • (Score: 2, Insightful) by Anonymous Coward on Friday October 10 2014, @12:34PM

    by Anonymous Coward on Friday October 10 2014, @12:34PM (#104427)

    I think in most cases a firewall that blocks everything except for VPN traffic would suffice (assuming your VPN is reasonably secure): The only way to get into your computers is through valid VPN packets, and as long as the VPN is not hacked, that means someone already has to have access to your internal network, in which case even a leased line won't help you any more.

    However, note that both leased lines and VPN-only mean no internet connection; for a retailer whose customers expect to buy over the internet, this is simply not an option.

    • (Score: 0) by Anonymous Coward on Friday October 10 2014, @04:46PM

      by Anonymous Coward on Friday October 10 2014, @04:46PM (#104529)

      Actually not true.

      You can build meaningful security...
      Websites have firewalls to block all traffic except, say, 443. Port 80 is redirected to 443 via a different router and webserver, so control is in place.
      Websites talk to APP servers, again via a different firewall and port and encryption.
      APP servers talk to database servers via again another router and port and encryption.
      Database servers hand off again via another router and port to handle actual processing of credit card data and orders.
      Now this is where we are getting into the actual network of the company. Which again is using different routers and VPN between sites.
      Local internet connection at any site is out. Only allowed to go back to corp, and corp's firewall and inspection allows traffic to the internet, if at all.

      Yes, that is a lot of equipment; you may want to use a single large CISCO router to do it all. DO NOT DO IT. That makes a single point of failure if a configuration goes bad. Different routers/firewalls between different segments. At least two NIC cards in each server - one for the "internal" and one for the "external", with the default router to the bit bucket. Firewalls block in BOTH directions. So again bad traffic cannot leak out.

      It is the layers of an Onion. At no point do you allow each of the different networks to SHARE a common box/firewall. The traffic is all encrypted and none is using an "open" connection, i.e. the traffic terminates in a service that limits what can and cannot be done through it. If any layer is broken, then you cut off access to the next layer quickly.

      Also reuse the IPs between networks! All private of course. This limits more information gained by a breach, because it has to travel a very tight course through levels and machines. PORT and IP, so it cannot bore a new hole out to the Internet.

      Helped once on this with an insurance company. There was a firewall between internal users and main servers. This allowed only a "telnet" session on port 22 and printers on 9100. This way if the server, after an upgrade, turned on SQL query functionality to the network (unknown to the operator), the users could not get access to the new port - the firewall blocked it. The server could not access anything except on 22 or 9100. The network scan of the server's network would show it up.

      Belt and Suspenders!
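      The post above describes a layered design where each segment boundary passes only a listed set of ports in one direction and everything else, including egress toward the internet, is denied. As an added example (not the poster's, and not any real company's configuration), the following script encodes such a zone policy and audits constructed flow-log lines against it, flagging exactly the kind of thing the insurance-company anecdote describes: a server that starts listening on a new port after an upgrade, a tier being skipped, or a back-end host trying to reach the internet. The zone ranges, port numbers, log format and addresses are all made up for the illustration.

```python
"""Audit observed connections against a layered zone policy.
Added example: zones, ports, addresses and log format are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed segment map. Anything not in a known segment is treated as
# "internet" (outside the company), which is what the border firewall sees.
ZONES = {
    "web":   ipaddress.ip_network("10.1.0.0/24"),
    "app":   ipaddress.ip_network("10.2.0.0/24"),
    "db":    ipaddress.ip_network("10.3.0.0/24"),
    "users": ipaddress.ip_network("10.4.0.0/24"),
}

# Allowed flows: (source zone, destination zone) -> permitted destination ports.
# Every pair not listed is denied, in both directions, like the onion described.
POLICY = {
    ("internet", "web"): {443},         # only 443 reaches the web tier
    ("web", "app"): {8443},             # web tier talks to app tier on one port
    ("app", "db"): {5432},              # app tier talks to database on one port
    ("users", "db"): {22, 9100},        # the insurance-company rule: ssh and raw printing
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def check_flow(src: str, dst: str, dport: int):
    """Return None if the policy permits the flow, otherwise a short reason."""
    s, d = zone_of(src), zone_of(dst)
    allowed = POLICY.get((s, d))
    if allowed is None:
        return f"no path allowed {s} -> {d}"
    if dport not in allowed:
        return f"port {dport} not permitted {s} -> {d} (allowed: {sorted(allowed)})"
    return None


@dataclass
class Finding:
    line: str
    reason: str


def audit(log_lines):
    """Run every log line through the policy; return the violations."""
    findings = []
    for line in log_lines:
        # Constructed log format: "<timestamp> <src_ip>:<sport> -> <dst_ip>:<dport> <proto>"
        fields = line.split()
        src, _, _ = fields[1].rpartition(":")
        dst, _, dport = fields[3].rpartition(":")
        reason = check_flow(src, dst, int(dport))
        if reason:
            findings.append(Finding(line, reason))
    return findings


# Constructed sample flows: four that the layered design permits, four it must not.
SAMPLE_LOG = [
    "2014-10-10T12:00:01 203.0.113.7:51234 -> 10.1.0.10:443 tcp",    # customer -> web, allowed
    "2014-10-10T12:00:02 10.1.0.10:40001 -> 10.2.0.20:8443 tcp",     # web -> app, allowed
    "2014-10-10T12:00:03 10.2.0.20:40002 -> 10.3.0.30:5432 tcp",     # app -> db, allowed
    "2014-10-10T12:00:04 10.4.0.55:40003 -> 10.3.0.30:22 tcp",       # user -> server ssh, allowed
    "2014-10-10T12:00:05 10.4.0.55:40004 -> 10.3.0.30:1433 tcp",     # SQL port exposed after an upgrade
    "2014-10-10T12:00:06 10.1.0.10:40005 -> 10.3.0.30:5432 tcp",     # web tier skipping the app tier
    "2014-10-10T12:00:07 10.3.0.30:40006 -> 198.51.100.9:443 tcp",   # db server egress to the internet
    "2014-10-10T12:00:08 203.0.113.7:51235 -> 10.1.0.10:80 tcp",     # 80 is redirected elsewhere, not passed
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f.reason, "|", f.line)
```

      The same table can be fed from a periodic scan of each segment instead of a flow log: any listening port that the policy does not name is the "new hole" the post warns about, found before anyone uses it.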

  • (Score: 3, Insightful) by kaszz on Friday October 10 2014, @12:35PM

    by kaszz (4211) on Friday October 10 2014, @12:35PM (#104428) Journal

    A lot of the data breaches are due to poor design and not doing one's homework. Slapping leased lines on as a solution to this doesn't help. Instead crooks will know that you trust the line and make sure to access those junction boxes..

    • (Score: 3, Interesting) by Thexalon on Friday October 10 2014, @01:14PM

      by Thexalon (636) on Friday October 10 2014, @01:14PM (#104443)

      A lot of the data breaches are due to poor design and not doing one's homework.

      Yes, but rarely is the question asked, "Is our developers learning?"

      The challenge is that most of the big data breaches recently have been companies that were in fact following correct procedures. What I recommend for my clients when dealing with sensitive data is to as much as possible make it Somebody Else's Problem e.g. use the payment processor's hosted tools so that your boxes never see the CC data. But I know that's not solving the problem, it's just making it so that my clients aren't liable if there is a problem.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by kaszz on Friday October 10 2014, @02:06PM

        by kaszz (4211) on Friday October 10 2014, @02:06PM (#104461) Journal

        One could also ask "Does management allow our developers to learn?" or maybe they just outsourced it..
        Then comes "Is there resources (time) available to do something about our knowledge?"..

        Considering Murphy's law, it might actually be an efficient strategy. Provided the API isn't a royal pain.

      • (Score: 0) by Anonymous Coward on Friday October 10 2014, @02:57PM

        by Anonymous Coward on Friday October 10 2014, @02:57PM (#104480)

        e.g. use the payment processor's hosted tools so that your boxes never see the CC data. But I know that's not solving the problem, it's just making it so that my clients aren't liable if there is a problem.

        It does more than that: Given that your payment processor needs to get the CC data anyway, keeping it only with the payment processor means a smaller attack surface.

      • (Score: 0) by Anonymous Coward on Friday October 10 2014, @03:58PM

        by Anonymous Coward on Friday October 10 2014, @03:58PM (#104519)

        Yes, but rarely is the question asked, "Is our developers learning?"

        Indeed. And for a good, grammatical reason.

      • (Score: 2) by DeathMonkey on Friday October 10 2014, @06:41PM

        by DeathMonkey (1380) on Friday October 10 2014, @06:41PM (#104571) Journal

        The challenge is that most of the big data breaches recently have been companies that were in fact following correct procedures.
         
        That doesn't sound like the case for Home Depot, at a minimum:
         
          Former information technology employees at Home Depot claim that the retailer’s management had been warned for years that its retail systems were vulnerable to attack, according to a report by The New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot’s computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer’s stores.
         
          reference [arstechnica.com]

      • (Score: 2) by Hairyfeet on Saturday October 11 2014, @06:50AM

        by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Saturday October 11 2014, @06:50AM (#104705) Journal

        Devs ain't got shit to do with it, good security costs good MONEY and the MBAs won't spend the bucks. This is one of the reasons I got out of corp IT, they would have a security nightmare that could be fixed by spending X to set up Y but would they spend X? Fuck no, in fact they would often cut IT to the bone so they could say "I saved the company X amount of dollars!" and get a sweeter job at another place while the system fell apart behind them.

        --
        ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
    • (Score: 2) by theluggage on Friday October 10 2014, @02:20PM

      by theluggage (1797) on Friday October 10 2014, @02:20PM (#104469)

      Instead crooks will know that you trust the line and make sure to access those junction boxes..

      If your data was that sensitive, surely you'd go "belt & braces" and encrypt the data on your line anyway?

      Plus, scalability anybody? Even if, at some stage in the history of telecoms, a "leased line" really was a physically private copper wire or fibre exclusively connecting A to B, I can't see that being viable in these days of ubiquitous networking and globalisation - you'd have to flood-wire the world! For anybody smaller than the average national security agency, a modern "leased line" must surely be a euphemism for "outsourcing your VPN kit to your telecoms provider".

      • (Score: 0) by Anonymous Coward on Friday October 10 2014, @03:48PM

        by Anonymous Coward on Friday October 10 2014, @03:48PM (#104515)

        Wait, this is exactly what it was claimed that the NSA did to Google and others: they tapped the exit and entrance nodes on the "point to points". Data wasn't encrypted between locations, and it undermined the entire system. Who cares if the data on the server is encrypted, if no one is walking off with the server. It's unencrypted the moment it leaves the box unless other actions are taken.

        Considering that, a private leased line is not what people think it is. It is almost always on a shared network, and just because you can't see other customers doesn't mean it's configured right in the ISP from end to end. Privacy isn't what it used to be; unless you ran the line yourself, the telco can provide access.

        Using VPNs for everything is foolish, but it makes a lot more sense to run a VPN over a leased line if you are really worried about security. Having permissions on a firewall to let unencrypted traffic through does nothing to protect against an entity tapping in and recording the transmissions, nor anything to stop something bad coming through on the ports you opened since you trust the other side. Nothing is stopping something on a, for example, MPLS network from being introduced into the "point to point" if the carrier is able to do so.

        It takes a secure approach to all methods and options for exit and entry, not just getting a leased line.

        You would be more secure using a dial-up modem. Demodulating a call is not something the current batch of tools is very good at doing, and if you encrypted the call you'd be more secure than anything we've discussed so far, but it would be slow. And very suitable for financial dropbox sort of transactions, like FTP or what have you, that you do not want anyone else to get hold of.

        Just don't set the modem to auto answer...

        • (Score: 2) by sjames on Sunday October 12 2014, @05:08AM

          by sjames (2882) on Sunday October 12 2014, @05:08AM (#104977) Journal

          That is more or less what happened to Target. They had a secure VPN nailed up between them and their HVAC contractor. The hackers got into the contractor's network and came in through that to attack the POS systems.

          The real failure was letting a route exist between HVAC and POS. An actual leased line instead of a VPN would have made exactly zero difference.

    • (Score: 2) by MrGuy on Friday October 10 2014, @05:08PM

      by MrGuy (1007) on Friday October 10 2014, @05:08PM (#104537)

      ...the Target breach (one of the two examples given).

      In Target, the attackers got access via an environmental monitoring system - they had a service to remotely manage/make recommendations on power/HVAC to some Target stores. Amazingly, those servers were on the same network (with no isolation) as all the POS machines doing actual credit card processing, which is how the attackers were able to compromise the credit card processing.

      If Target had designed their network remotely sanely, this service (that admittedly needed internet access) would have been walled off from the network customer transactions happened on. It was not.

      Leased lines, by the way, wouldn't have helped Target a whit. They could have had dedicated leased lines between the POS systems and the credit card processors, and it wouldn't have helped them. It's not like they were using a VPN and the attackers compromised the VPN (which is the ONLY attack vector I can see that would have been thwarted by dedicated leased lines). The problem was their INTERNAL network was a mess.

  • (Score: 2, Informative) by goody on Friday October 10 2014, @12:36PM

    by goody (2135) on Friday October 10 2014, @12:36PM (#104429)

    Dedicated networks built with leased facilities are fine and dandy, but there will always be some portion of a company's network facing the outside hostile network to provide things like customer portals, email, links with other companies that are in their supply chain, banking, etc. I don't think most of the high profile hacks have been due to lack of layer one security. If you have hacks coming in your private WAN, whether it's built from public or private network links, you've got some bigger problems than leased lines can solve.

    I'm sure it can be accomplished with modern equipment if you don't mind bonding T1s and DS3s. But you'd have the same level of security if you did something with a reputable carrier and used MPLS and encryption.

    Overall, it doesn't sound like Cringely knows what he is talking about.

    • (Score: 0) by Anonymous Coward on Friday October 10 2014, @03:22PM

      by Anonymous Coward on Friday October 10 2014, @03:22PM (#104500)

      Most of these sorts of attacks seem to be using leveraged assets ladders.

      Where you compromise one computer to get at another with ever higher rights.

      So even though you may have 100% secure leased lines. The other side of the house may want to use the internet. Then there is some bridge between the two...

      To do it truly right you have to have 100% segregated network and computers with review boards and change controls. Now that crap builds in time to complete and boring meeting headaches and empire building CYA managers. It also builds in a distrust of building a better network. Because 'should not do this' turns into 'do not ever do this even though now it is way better to do'. So you have to figure out what is your compromise just so you can have 'ease of use' vs 'security'.

  • (Score: 3, Informative) by Foobar Bazbot on Friday October 10 2014, @03:34PM

    by Foobar Bazbot (37) on Friday October 10 2014, @03:34PM (#104508) Journal

    Remember a few months ago [washingtonpost.com]? When we all heard that Google already was using leased lines, and NSA+GCHQ were tapping those "secure" lines?

    At this point it became clear that one must encrypt data on leased lines as well, and since that's the same encryption needed to be secure on the internet, security doesn't seem like a reason to choose leased lines.

  • (Score: 0) by Anonymous Coward on Saturday October 11 2014, @03:06AM

    by Anonymous Coward on Saturday October 11 2014, @03:06AM (#104672)

    As someone who has been involved in implementing new measures in a small number of chain retailers, many of them are indeed moving "back" to T1s and such coupled with shiny new Cisco routers and newer managed switches (managed such that each cable has to be accounted for and goes in a particular jack, partly because of the VLANs and partly because any free jacks are turned off on the switch unless/until a new device is installed & cable run is commissioned).

    Unfortunately, these sorts of changes are not overnight (even though the work is performed after-hours) but there's often a gap of 1 to several months between the replacement of any given equipment, as well as the actual installation of the T1... as a result I usually have to revisit any given store 2, 3 or more times to install equipment in phases.

    Over the last few months I have encountered different chains and different stores operating on everything from 3G modems to satellite and DSL (some do have fiber but not many). So far I haven't encountered any on cable though.