[Dataloss] At Least 20 Big-Name Passports Breached

Casey, Troy # Atlanta Troy.Casey at McKesson.com
Fri Mar 28 15:58:49 UTC 2008


Someone is over-selling the accuracy of biometrics.  Thanks, I've seen
the false-positive and false-negative rates for fingerprint scanners,
and I'm not buying.  I'll stick with my 14-character password.

And not only are biometrics far less accurate than the vendors
advertise, they are prohibitively expensive for the types of large
enterprises that house a lot of the subject data.  Further, I will
contend that if companies that don't monitor their audit logs today add
biometrics, no meaningful improvement to security is achieved.  If
companies that don't bother to lock down data access to only those with
a true "need to know" adopt biometrics, they only achieve the illusion
of security.

Real security requires that companies make the investment of time and
effort to first lock down access to only those with a need to know, then
maintain those access controls ongoing AND invest in personnel and
technologies to review application audit logs - assuming they wrote
their applications to audit access - then PROSECUTE violators of the
access policy whenever they are found.  How many of you are working at
companies that are willing to erode their profits by making such
investments?  No technology is a panacea, and in the absence of these
measures all that new technology will achieve is the illusion of
security -- which is far more dangerous than a clear understanding of
where security is lacking.

As long as we as a society both accept the proliferation of our data as
somehow not constituting a privacy violation, and kid ourselves that
some silver bullet is going to solve the security problem, identity
theft will never be solved.

Yeesh,
Troy

Troy D. Casey


-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Jim Kerr
Sent: Friday, March 28, 2008 11:14 AM
To: 'Allan Friedman'
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] At Least 20 Big-Name Passports Breached

The fact of true accountability would address this issue. If a person
needs to swipe a finger to gain access to information then that person
knows there is a proof positive audit trail of that event (unlike a
password that could be socially engineered or taken from under the
keyboard). This would deter users from this activity knowing that their
credentials could not be assumed by another. This is probably how it is
happening so frequently. Just assume someone else's identity and have at
it. 

a) There would be no reorganizing infrastructure since the technology
available is non-invasive to provide the credentialing.
b) Again biometric technology gives you the ability to use 25 character
passwords that don't need to be remembered (or typed in) and the print
is converted into a proprietary algorithm that is encrypted in an AES
256 cipher.
c) This could be done and again the accountability factor will
dramatically reduce attempts.

-----Original Message-----
From: allan.friedman at gmail.com [mailto:allan.friedman at gmail.com] On
Behalf Of Allan Friedman
Sent: Friday, March 28, 2008 10:50 AM
To: james.kerr at ceelox.com
Cc: mhozven at tealeaf.com; dataloss at attrition.org
Subject: Re: [Dataloss] At Least 20 Big-Name Passports Breached

On Fri, Mar 28, 2008 at 10:38 AM,  <james.kerr at ceelox.com> wrote:
> We have had tremendous success in protecting identities within the
> banking industry by use of biometric technology. The customer can
> pass credentials with more safety than PIN numbers and pictures of ducks.

I'd love to learn more about this, particularly how it scales across
bureaucracies, particularly if the customer isn't present. I'm not
thinking about public databases but large private ones that have many
people with many different functions doing different things (e.g.
medical records).

I'm guessing that to prevent the above-mentioned passport file snooping
from happening to someone not on a pre-specified watch list you would
need to
a) reorganize the data architecture of the entire system
b) overlay a pretty strong identity layer
c) introduce secure credentialing that allows a yes/no query without
leaking more info
d) probably some chunk of all of the above.

As long as access to databases is fairly unsupervised inside the
organization, you're going to see identity theft.

allan


_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
