From: Dwayne Edwards (dwedward) (dwedward@cisco.com)
Date: Wed Oct 15 2008 - 15:23:45 CDT
Unless of course the attacker is a pedophile and likes a certain age
range, or geographic location...
-----Original Message-----
From: dataloss-bounces@datalossdb.org [mailto:dataloss-bounces@datalossdb.org] On Behalf Of Arshad Noor
Sent: Wednesday, October 15, 2008 1:41 PM
To: security curmudgeon
Cc: dataloss@datalossdb.org
Subject: Re: [Dataloss] Indonesia's blunder on privacy
We can rant about the stupidity of the Indonesian officials; or we can
marvel at their brilliant foresight and perspective!
What makes information insecure? Not the information itself, obviously,
but the fact that it can be used to the advantage of the unauthorized
user and, potentially, against the legitimate owner of the information.
But this can only happen if the information is used in some business
process as a secret that unlocks something of value (money, services,
goods, etc.) and which while intended for the legitimate user, can be
usurped by the attacker.
How can one render this information useless to the attacker? Easy! By
changing the business process so that it does NOT require the use of
such secrets to deliver value to the owners of the information. It is
entirely possible that the Indonesian systems (education, financial,
healthcare, etc.) do not rely on such information as secrets to deliver
anything of value, and as such see no earthly reason to hide it.
In the US, our business processes are geared towards revenue-generation
and not consumer information protection. Secondly, the benefits and
consequences of a breach of that information are asymmetric: it benefits
companies that use it in their business processes (even when it has no
real relevance to the transaction - mother's maiden name in a customer
support call to a bank??) but hurts the owner of the information when it
is breached.
Until such time as American business processes change to eliminate the use
of "publicly accessible" secrets, consumers will continue to pay for the
inefficiency of such business processes and attackers will continue to
pillage our IT systems for Social Security numbers, birth-dates, etc.
Arshad Noor
StrongAuth, Inc.
security curmudgeon wrote:
>
> ---------- Forwarded message ----------
> From: InfoSec News <alerts@infosecnews.org>
>
> http://asia.cnet.com/blogs/toekangit/post.htm?id=63006854
>
> By Budi Putra
> CNet Asia
> Oct 13, 2008
>
> Amid concerns about privacy and security on the Internet, the
> Indonesian Ministry of Education recently put up a detailed database
> of students online and in downloadable files. There are at least 36
> million students listed on the Web site in Excel files containing
> names, dates, places of birth and addresses!
>
> I got the breaking news the last weekend from Treespotter's blog [1].
> He wrote:
>
> The database was put online a while ago, but Google had already
> indexed it by now--if you have kids at school (private, public and
> religious schools all)--you can try Googling them to see what comes
> out. You can find the FULL FILES in XLS downloadables without too
> much trouble. Of your children.
>
> As I wrote in my blog, the Government's blunder just confirms one thing:
> They have a lack of capacity and capability in optimizing the New
> Media benefit. They may have good intent to put online a complete
> database, but clearly aren't aware about the issues of privacy and
> security. How could they publish the complete addresses and details
> (even the dates of births) on their Web site?
>
> I downloaded one of its Excel files at that time, and got a shock
> reading all details of Indonesian students there! Today, as of
> publishing this post, the downloadable database is still there. (I
> will not post any link here for obvious reasons).
>
> [1]
> http://treespotter.blogspot.com/2008/10/diknas-and-bakrie-alert.html
>
> [...]
_______________________________________________
Dataloss Mailing List (dataloss@datalossdb.org)
Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml