Nothing to see here: AZ lawmakers possibly 'compromised' after computer screens show up in Russian
In an email forwarded to the legislature, Mike Lettman, chief information security officer for the State of Arizona, wrote that multiple senators and legislative staff received emails from what appeared to be the state's human resources department prompting employees to reset their passwords.
According to Lettman, senators who clicked on the link provided in the suspicious email and changed their passwords received a screen in Russian.
"At this point, anyone who clicked on the link or changed their HRIS password has their login and password compromised," he said.
"It's possible that their desktop or laptop was also affected," Lettman said.
The Arizona Department of Administration has shut down the external access system until the problem is fully assessed. The system is expected to be accessible again on Monday.
MORE:
http://www.abc15.com/news/region-phoenix-metro/central-phoenix/arizona-lawmakers-possibly-compromised-after-computer-screens-show-up-in-russian
Cracklin Charlie
(12,904 posts)
MineralMan
(146,316 posts)
but you can't fix stupid. As long as stupid people click links in emails and enter their logon information, attacks are inevitable.
Often, sadly, you can't teach stupid people anything either.
karynnj
(59,503 posts)
Seriously, it was absolutely stupid that he used an email link to change his password. It is not tough to independently find the correct link if you have any reason to think there was a genuine reason to change your password.
However, in the wake of ALL of the Podesta emails put out to harm HRC, you would think that anyone not clued in before would have seen that as a very graphic example of how bad not thinking and clicking could be.
However, I bet this is not real, but a sting by someone to show the risk in that legislature. If this were a real hack I doubt you would be given a page in Russian to alert you that you just screwed up!
MineralMan
(146,316 posts)
The problem is that many people don't think much at all. Phishing is one of the most common ways for people to access systems. It takes only a short time to create a fake login page or change of password page that looks just like a corporate or government one. Then, you host it and send an email with a link to it.
While most people know about phishing and won't bite, there is still a small percentage of people who will see your well-worded email warning them to check something or change their password and click your link. Most of those won't even look to see where the link goes. And that applies to even high-level people in organizations. In fact, they're often the most vulnerable, because they have little actual knowledge of how to use computers.
How do you know those people's email addresses so you can go phishing? Well, they're on the contact page of company and government agency websites and elsewhere. If you can get a login from someone who has administrator level access, you're in and can do tremendous damage.
Brute force hacking or breaking logon information is rarely needed. If you try hard enough with a phishing scheme, you'll probably find someone who will give up their login name and password freely.
mopinko
(70,111 posts)
jebus people. access the site from your own bookmark, or through the google if you must. don't use their links.
not like anyone here doesn't get that, but there are a lot of people out there who have a tenuous grasp on technology, but use it anyway.
unc70
(6,114 posts)
While clicking on links is one way to get in trouble, there are many ways to attack where you do not need to take any obvious action. Simply reading an apparently normal email is all that it takes. Or on some systems, previewing the email.
I have posted about this a lot over the years here. Some are in my old DU journal.
2naSalit
(86,634 posts)
I don't know about that state's system but any government computer I have ever had to use required a password update/change every 60 days (or something like that because I have to do it at least twice every season) but it NEVER shows up in an email message, it comes up as a little pop-up that takes me to the login and password change page in a secure system.
But those are federal computers and not in a state system.
highplainsdem
(48,987 posts)
Just one possibility, of course...but the Russians can't be happy about his very open opposition to their hacking.
ProudLib72
(17,984 posts)
all the repuke's computers are zombies, will they think twice about Russian hacking? Nah, probably not. Could easily have been a 400 pound dude in his mom's basement in New Jersey (who just happened to have a Russian IP address and spoke perfect Russian).
erronis
(15,273 posts)
National Security Advisor.
The neat thing is that there is no longer any vetting of anyone. No ethics, no security, nothing.
Does anybody else remember how Cheney got named as dumb-ass's VP? He was in charge of vetting everyone else - when they "failed", he named himself.
Only problem I see is that tRump will be jealous of the kid's heft - The Rump can barely crack a 300# on the scales.
DFW
(54,387 posts)
Trump is too dumb to be charged with treason when this is all over, but a bunch of his pals and manipulators will not deserve to get off so lightly.
Amaryllis
(9,524 posts)
hacking DNC emails. All that other hacking was just to prove they could do it.