[Dataloss] At Least 20 Big-Name Passports Breached

Jim Kerr james.kerr at ceelox.com
Fri Mar 28 15:14:06 UTC 2008 

The fact of true accountability would address this issue. If a person needs
to swipe a finger to gain access to information then that person knows there
is a proof positive audit trail of that event (unlike a password that could
be socially engineered or taken from under the keyboard). This would deter
users from this activity knowing that their credentials could not be assumed
by another. This is probably how it is happening so frequently. Just assume
someone else's identity and have at it. 

a) There would be no reorganizing infrastructure since the technology
available is non invasive to provide the credentialing.
b) Again biometric technology gives you the ability to use 25 character
passwords that don't need to be remembered (or typed in) and the print is
converted into a proprietary algorithm that is encrypted in an AES 256
cipher.
c) This could be done and again the accountabilty factor will dramatically
reduce attempts.

-----Original Message-----
From: allan.friedman at gmail.com [mailto:allan.friedman at gmail.com] On Behalf
Of Allan Friedman
Sent: Friday, March 28, 2008 10:50 AM
To: james.kerr at ceelox.com
Cc: mhozven at tealeaf.com; dataloss at attrition.org
Subject: Re: [Dataloss] At Least 20 Big-Name Passports Breached

On Fri, Mar 28, 2008 at 10:38 AM,  <james.kerr at ceelox.com> wrote:
> We have had tremendous success in protecting identities within the banking
>  industrie by use of biometric technology. The customer can pass
credentials
> with more safety than pin numbers and pictures of ducks.

I'd love to learn more about this, particularly how it scales across
bureaucracies, particularly if the customer isn't present. I'm not
thinking about public databases but large private ones that have many
people with many different functions doing different things, (e.g.
medical records).

I'm guessing that to prevent the above mentioned passport file
snooping from happening to some one not on a pre-specified watch list
you would need to
a) reorganize the data architecture of the entire system
b) overlay a pretty strong identity layer
c) introduce secure credentialing that allow a yes/no query without
leaking more info
d) probably some chunk of all of the above.

As long as access to databases is fairly unsupervised inside the
organization, you're going to see identity theft.

allan

More information about the Dataloss mailing list