RE: Data Theft Affected Most in Military

Decius
Topic: Computer Security 7:33 pm EDT, Jun  7, 2006

finethen wrote:

Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel were among the data stolen from the home of a Department of Veterans Affairs analyst last month, federal officials said yesterday, raising concerns about national security as well as identity theft.

Hotel.com had info stolen too in the last few days. Is there some fancy new trick to stealing info or are these just flukes?

Neither. These kinds of databases have been around a long time, but 20 years ago they'd require serious computing centers that couldn't be easily lost or stolen. They did get hacked into from time to time, but you can't take an IBM Mainframe with you in your carry-on luggage. Today three things have occurred:

1. Technology has advanced. The entire Veterans Affairs database can run off of someone's laptop. That makes it easier for it to leave the building.

2. Technology has become more widespread. In the 80's these things were the exclusive domain of large businesses and government agencies. Now there are hundreds of thousands of dot com companies with customer databases that are directly connected to the internet, any one of which could get hacked into.

3. A larger criminal market has arrived. In the 80's very little actual theft occurred as the result of computer crime. Today organized criminal groups have cropped up, largely situated in the anarchocapitalism that exists in Russia and the Eastern Bloc as they struggle to build real, sustainable economies. These groups target the wide array of potentially insecure information sources, collect identity data, and convert it into cash. Distributed international networks of operatives coordinated through the internet monetize the results of these thefts and funnel money back to central coordinators.

There are three things that need to be done:

1. Organizations that deal in personal information need to continue to take computer security seriously. In particular, the credit card companies, and other organizations that deal with money, need to build better systems for determining whether or not you are you before they'll authorize a financial transaction with your money.

2. Organizations that deal in personal information need to have strict internal policies for access to information. People shouldn't have the database floating around on CD.

3. Some amount of regulation may be needed. However, IMHO the feds are 0 for 2 with SOX and HIPAA, so I'm not sure they've proved that they can regulate in an effective way.

Real Computer Security is hard, because you have to prevent bad stuff without being noticed as the good guys go about their jobs. When you get noticed, you've done something wrong, either because there has been a breach or because someone can't do their job because your security system stopped them. There is a certain art to finding the balance and it depends greatly on the specific requirements of the people you are working for and your wisdom in being judicious about what you control. Things like SOX and HIPAA micromanage the problem with one size fits all policies that inevitably fail in the real world.

Congress should operate on the level of incentivization and not on the level of specific requirements. For example, one of the reasons credit card fraud is so easy is that credit card companies don't bear the costs associated with fraud (the merchants do) and so they don't have any economic incentive to deploy technologies that are harder to subvert. In fact, credit card companies are making money on fraud by selling useless identity theft protection and credit report monitoring services. This is a problem lawyers can fix. They should focus on who is liable and leave computer security to the computer security professionals.
