[Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)

Patricia Herberger patricia57 at adelphia.net
Mon Jun 9 03:54:13 UTC 2008

What about the "Liability Follows the Data" section of the FACTA Red Flags
Rule?  According to that Rule, both the courier and the company that gave
their data to the courier would be at fault.

Patricia L. Herberger
Certified Identity Theft Risk Management Specialist

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
On Behalf Of V.
Sent: Saturday, June 07, 2008 8:45 PM
To: DAIL, WILLARD A; security curmudgeon; dataloss at attrition.org
Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp)

At 07:30 PM 6/6/2008 -0400, DAIL, WILLARD A wrote:
>Aside from the privacy issue, couriered tapes are also a concern 
>due to the "Crash Restart" method of system attack.
>Basically, a hacker colludes with your courier to drop off your 
>tapes in the morning.  The courier then picks up the altered tapes 
>that afternoon.  A couple of really nasty things happened to your 
>tapes that day.

In addition to the scenario outlined in Mr. Dail's post, imagine your 
tapes (or laptops) make an unauthorized stop just to be copied.  Not 
so far-fetched, and in many cases this type of loss would remain an 
unknown occurrence.  All it requires is a payoff to someone -- the 
courier, or the custodian of the data.

Almost everyone has a price; if bribed with enough money, many people 
will find they can't resist.  Most identity loss is probably due to 
negligence and/or apathy, but collusion is a possibility which must 
be considered and investigated in many cases.  If a courier is 
offered a large amount of cash to wait just a very few minutes while 
someone copies a hard disk, how many couriers could say no?  While 
this scenario is hard to imagine in the case of a small business, 
tapes or backups belonging to big, influential entities are certainly 
at risk for this type of criminal behavior.

(BTW, many people assume a laptop running Windoze is secure by virtue 
of having a boot password, but these can be bypassed by booting with 
a Linux CD.  Remove the CD, shut down the laptop, return to courier.)

  /__________________________________ \
  \  _______________________________/\ \
   \ \ \                            \ \ \
    \ \ \(c)2008 veedot at earthlink.net\ \ \
     \ \ \____________________________\_\ \
      \ \/_________________________________\
"Doubt is not a pleasant condition, but certainty is absurd."
                                  - Voltaire

Dataloss Mailing List (dataloss at attrition.org)