Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: [Dataloss] followup: ACS Breach Warning Letter
From: Al Mac (macwheel99sigecom.net)
Date: Wed Nov 08 2006 - 11:42:25 CST
The protection of password varies greatly across various OS that I have
worked on. I consider passwords much more secure on IBM mainframes than on
Windows and Unix, but I do not know about Linux.
Companies might think their data is password protected, encrypted, other
protections, but unless they have passed some kind of security audit, they
really do not know for sure. Many breaches have been because of some
carelessness, and lack of security verification, leading to private data
posted on the web that some kind of security procedure might have
prevented. I think that if security awareness training is too much of a
bother for a company to be doing for all its people, at least it should be
required for people with access to the sensitive data.
The mass public think passwords give some measure of protection, so these
notification phraseologies are intended as PR mitigation.
Once upon a time certain types of communications were banned from Ham
Radio, because of a rule that the FCC had to be able to digest anything
over the public airways, without any effort. This may be why a lot of
pager traffic, and wireless, is in plain text readable by anyone with a
police scanner hooked up to a computer printer, which may be illegal, but
Once upon a time the DoD banned encryption in computer products going
overseas, on the theory that the USA had some strategic advantage the
military did not want exported. But that mentality has been overshadowed
by mass off-shoring of all sorts of computer manufacture and software
development, let alone parallel development in other places such as Europe
and Asia. The illusion that we have some kind of advantage is akin to the
Axis in WW II broadcasting all their secrets over communication channels
that they were convinced no one could crack.
just a programmer, sys admin, security officer, help desk, etc. worker
, Bruce.Forestal wrote:
>The claim of "password protected" is a joke as most all of these laptops
>are Windows OS with only a logon password which is easily bypassed.
>This is somehow supposed to make the public have a warm fuzzy feeling
>that their data is safe. Once in a while we hear that the data is
>encrypted and password or pass-phrase protected. Someone had commented
>previously that at least some of the current disclosure laws don't
>require notification if the data is encrypted. I'm curious as to how
>many incidents of data loss are occurring but not reported because the
>data is encrypted?
>Speaking of encrypting personal information, has this technology not
>been taught in college, or banned from use by anyone outside of the DOD?
>Most all of these incidents of data loss could have been mitigated by
>just simple encryption. Encryption is both easy and cheap; actually it
>can be had for free. Laptops are a target for thieves, this is not
>going to change although one can surely reduce the chance of theft by
>teaching employees some user awareness but it won't be eliminated.
>I'm personally a fan of PGP Desk, all of my client data is saved on a
>PGP encrypted partition and all emails that even hint of sensitive data
>are encrypted. Most Non Disclosure Agreements require me as consultant
>to protect client data, using anything short of a reliable encryption
>scheme would put my client data at risk and leave my butt hanging in the
>wind. I would not be happy if my laptop was stolen or lost but at least
>I could state with confidence that the client data was very secure.
>Other than the NSA or like entities I don't know of anyone that would
>even have a chance of breaking the encryption.
>It's obvious in many of these data loss incidents that an encryption
>policy was not in place or not followed. Roughly two-thirds of the
>states have a disclosure laws but that does not mean they are always
>followed and then there is the government side. Does anyone know the
>disclosure laws for government? Does anyone have an idea of the
>percentage of data loss that is not-disclosed?
>Bruce Forestal, CISSP
Dataloss Mailing List (datalossattrition.org)
Tracking more than 140 million compromised records in 465 incidents over 6 years.