Thursday, June 29, 2006

Computers "returned"? What's that all about?

The "return" of the computers “stolen” from a Veteran's Administration analysts home does not mean at all that military personnel whose information was on these laptops can now rest easy.

There is no hard evidence that the data was not compromised, in spite of reassurances by the FBI. The computer(s) were returned under very suspicious circumstances. The data could have easily been viewed, copied, or downloaded. If I had breached secure data I'd try to "return" the system from which the data was taken and get everyone to relax and let their guard down. Brilliant!

Read the post below from 2 hours ago as I am writing these comments. From InfoWorld.com:

"June 29, 2006. How can anyone be sure stolen VA laptop data wasn't taken?

There are dozens of ways that any computer's data can be taken without modifying a single forensic's bit on the original hard drive.

News sources today are announcing that the VA's stolen laptop (with millions of identity records) has been recovered ... [and] the VA and its forensic experts are claiming the data was not touched or extracted. I hope this is an oversimplification, because there are dozens of ways the data could have been read/copied and the data left untouched. How?

Here's two easy ways:

  • 1. Boot on any device except the hard drive (e.g. floppy disk, CD-ROM, DVD, USB device, etc.). Use an NTFS-compatible version of Linux (e.g. Knoppix, Backtrack, Nubuntu, etc.) and steal away.
  • 2. Ghost the hard drive and manipulate the copy


I can come up with a dozen ways in a few minutes.

Every computer security forensic person is required by their job to be able to access other people's hard drives and data without modifying a single original bit. So, while common thieves wouldn't know how, there's probably tens of thousands of computer professionals that do.

... the VA and the news sources are oversimplifying the case. A better opinion would have been, "We have found no evidence to indicate the data was not read or copied." not "After examining the evidence we are SURE the data was not copied or read."

Posted by Roger Grimes on June 29, 2006 01:45 PM"

(Note: This was edited slightly from original)

I consulted with one of the top security programs in the US and asked for her/his reaction to the Grimes comments. The response was simple: "I agree with the statement, it is very easy to "copy" a hard drive without changing it or letting anyone else know."

So now we must stay vigilant.

The danger to veterans also lies in the fact that in data losses or thefts the criminal activity or abuse normally takes place month or even years after a theft or breach.

The reason is that a person’s social security number, name, place and birth date has and almost unlimited shelf life.

These pieces of information are useable for more or less 90 years starting with the day of birth of the individual. If the victim was an infant that child's base line information will stay the same for 90 years more or less (the outer edges of life expectancy). A 40 year old veteran is at risk for the next 40 or 50 years. Critical data abuse is a long term problem.

What anyone in the armed forces whose vital information was on those computers needs to do is to monitor their financial information and do regular scans for signs that their name and identity is being used by unauthorized individuals.

It is not only unwise but also dangerous to "breathe easy" at this point. My advice for the brothers and sisters of the armed services is:

1. Keep vigilant.

2. Protect the perimeter.

3. Conduct personal IO- Intelligence Operations!

These are missions the military understands.

Semper Fi!

Tuesday, June 27, 2006

The Security Gap

In the past 16 months, over 88 million people in the United States alone have had their identity compromised as a result of database breaches. Banks, credit unions, universities, healthcare providers, retailers, data aggregators, government agencies, and others have been hit. Some of them, even multiple times.

Security breaches of personal identifying information are accelerating and putting all Americans at HIGH risk for identity theft. If you want to view the national “how and who” list of data breaches, visit www.privacyrights.org.

The growing epidemic of identity theft and the trend of database breaches are causing giant waves of security changes in the way business is managed. Employers must comply with increasing identity theft and privacy laws at the state and national levels. These laws dictate security guidelines.

Personnel files, benefits data, payroll and tax data are all vulnerable, often to insider theft according to the Federal Trade Commission. Does your company have a written data security plan to protect the data of employees, customers, and vendors? Has it been implemented? Is there on-going maintenance of the plan? Does it meet the ever-changing environment, personnel, and computer security needs?

ComputerWorld.com advocates that even though data security is your IT Department’s job, it isn’t a problem that IT can completely solve. The solution, however, will help close the security gap. It takes non-IT employees to make security a priority so IT employees can make it a reality.

In addition, if identity theft (not just a data breach) is traced back to your company, how would this be handled and what affirmative defense solution does your company have in place that would hold up in court?

By the way, did you know that Arizona, Nevada, and California lead the nation for identity theft?

Lois Hale, M.S.

Sunday, June 25, 2006

Sailor's Data Stolen. Everyone on deck with life jackets.


Friday, June 23, 2006. "The Navy has begun a criminal investigation after Social Security numbers and other personal data for 28,000 sailors and family members were found on a civilian Web site.The Navy said Friday the information was in five documents and included people's names, birth dates and Social Security numbers."

Meanwhile, this same week the General Accountability Office removed some records from its Web site this week containing some personal identifying information of 1,000+- government workers. The data included individual names and Social Security numbers. The Naval Criminal Investigative Service (NCIS) is investigating the incident and the discovery of this data loss was made by the Navy Cyber Defense Operations Command. This unit of the Navy monitors the Internet to identify security leaks.

My personal and professional view is that ALL government agencies should have CyberSecurity units because all government agencies have serious issues in storing, manipulating and analizing, and distributing sensitive information.

I have been working for several years with the Iowa State University Information Assurance Program (INFAS) training students in information security (my role is in training them in the area of public policy).

My great frustration is that the federal government agencies and Congress have been irresponsible by cutting funding and by refusing to rapidly expand programs such as this. We could RIGHT NOW be supplying dozens of highly trained and top secret security clearance viable experts who would be protecting the sensitive data that, like sand, seems to be sifting through the fingers of federal agencies.

One of the problems we have all worried about is the extensive use of outsourcing by government agencies at the local, state, and federal leves. In that context apparently U.S. Rep. Edward Markey, (D-Mass.), said "... he had asked Rumsfeld two years ago about the implications of federal agencies outsourcing data collection and processing activities. While there is no indication that outsourcing was the problem in the Navy case, Markey said he wants to know what effect that would have on the security of information on military personnel."

We don't know if the Navy data loss was due to outsourcing. However, it is now very clear that government agencies must develp in-house, well vetted, well funded, and aggressive cyber security capabilities. These should be directed at:

  • careful and pervasive Internet security sweeps to identify breaches in information
  • "primeter security" of all digital files through layered encryption and password protection of all data especially Social Security numbers which should be treated as the equivalent of "top secret" information.
  • best practice rules on where data files may be taken by whom (NO laptops left in cars!)
  • physical protection of data hardware and software storage sites and equipment including servers and data nodes (this may be as simple as security guards and locked doors!)
  • relentless prosecution of data thieves.
  • stiff penalties for companies that fail to implement the highest levels of information security.


Sources: NY Times, CNN.com, Wall Street Journal, C-Net, The Identity Theft Institute.

Friday, June 23, 2006

Oops, they did it again! Will This NEVER end?!

(Note from blog administrator: Some of you bloggers wanted a picture of Dr. Schmidt for the lecture brochures you are making when he comes to speak at your organization. He provided us with this air-brushed version of himself!)

From Prof. Schmidt:

One of my most aggressive and excellent students in the ID theft class sent this info tonight-

HOPE YEN, Associated Press Writer filed the following story on June 22, 2006 -

  • "WASHINGTON - The government agency charged with fighting identity theft said Thursday it had lost two government laptops containing sensitive personal data, the latest in a series of breaches encompassing millions of people.

    The Federal Trade Commission said it would provide free credit monitoring for 110 people targeted for investigation whose names, addresses, Social Security numbers — and in some instances, financial account numbers — were taken from an FTC attorney's locked car."

My opinion? This is one of the truly outrageous breakdowns of our government.

The following are the other deficiencies in the Federal government that were reported in this AP story:

Agriculture Department. A hacker broke into the computer system and got the names, Social Security numbers and photos of 26,000 Washington-area employees and contractors.

Department of Health and Human Services. Confidential information of more than 17,000 Medicare beneficiaries was probably breached when an insurance company employee accessed the data from a hotel computer and did not to delete the file after accessing it.

Dept of Energy. Social Security numbers and other data for nearly 1,500 people working for the National Nuclear Security Administration were compromised when a hacker entered the computer system.

I don't know about you, but after reading this I am again extremely furious that the heart of the entity that is supposed to protect us from data losses the FTC could lose sensitive data. This careless attorney left his laptops in his car?!

Do YOU EVER leave your laptop in your car?! What kind of a sloppy moron attorney are working for the FTC the most crucial agency responsible for identity protection?! Are these lawyers civil service protected? If yes, then we are screwed (you can't fire these people). If not, fire them now!

Our Identity Theft Institute recommends that computers, portable hard drives, "thumb drives", CD's with ID data, ipods with data, or any other storage devices be encrypted, carried "on the body" of the person given responsibility of this precious information.Computers and digital storage devices MUST be access password protected so no ordinary crook can even log on. (Crackers of course can get into almost anything but encryption of data will keep almost anyone without the decryption key out).

Is that too much to ask for from the FTC, VA, Dept. of Agriculture and other government entities? I think not!

Steffen Schmidt, Ph.D.

  • (Note from The Identity Theft Institute Project Manager: Prof. Schmidt has 10 slots for speaking engagements left. Please do NOT contact Dr. Schmidt - The Scheduling Department of the ID Theft Institute will try to schedule a talk by Dr. Schmidt for your organization).

Monday, June 19, 2006

Iowa State University to Help Iowa Veterans Concerned about Identity Theft


Press Release: Iowa State University.

AMES, Iowa - Iowa State University faculty and staff are stepping up to help Iowa veterans concerned about identity theft.

Steffen Schmidt, professor of political science and coauthor of the book “Who is You? The Coming Epidemic of Identity Theft,” knew he had information that could help Iowa veterans learn about the theft of personal information and strategies to restore their personal identity if it were stolen.

Schmidt and his coauthor Michael McCoy taught courses spring semester through ISU Extension’s Continuing Education and Conference Services (CECS) unit. They knew the noncredit online short course had the information veterans concerned about identity theft would need.

“We are working on several tactics to get information out to Iowa’s veterans,” said Jack Payne, Vice Provost for Iowa State University Extension and Outreach. “Continuing Education and Conference Services is working to make the book and short course content available to veterans. One copy of the book will be in each ISU Extension county office, each Iowa public library and each veteran’s hospital in Iowa by the week of June 5.”

CECS and the authors worked with the University Book Store on campus so the book could be sold at a discounted price. Books may be ordered by calling (800) 478-0048. The short course content will be available soon on CD or online.

A Department of Veterans Affairs staff member took information on a disk drive home to work on a project, without authorization. The data included names, Social Security numbers and dates of birth for veterans. The disk drive was stolen May 3 from the staff member’s Maryland home.

Iowa has 276,000 veterans; the number of veterans who had information on the disc drive is uncertain.

Information about the ISU Extension effort will be on the Web at www.lifelearner.iastate.edu/idtheft.htm. Or call: 1-866-540-4636

Sunday, June 18, 2006

OOPS!! Another Stolen Laptop

Apparently a laptop containing the Social Security numbers and other personal data of 13,000 District of Columbia employees and retirees has been stolen.
Reports confirm that a computer was stolen Monday from the Washington home of an employee of ING U.S. Financial Services which administers the district's retirement plan.
The laptop was not password-protected and the data was not encrypted.
The company has sent letters to all affected employees warning them of the possibility of identity theft. ING also will set up and pay for a year of credit monitoring and identity fraud protection. I have a serious problem with companies thinking that this will solve the problem. I have interviewed actual criminals and hackers who say they are aware of such policies and they will just wait one year to use the information. They go on to say, "... we just keep enough stolen/hacked data in the pipeline."
Two other ING laptops containing information on 8,500 Florida hospital workers were stolen in December, but the employees were not notified until this week.
Where does it stop? Maybe companies should be proactive, spend some money on computer security and security training for their employees rather than being forced to spend tens of thousands of dollars reacting to stupidity.

Labels: , , ,

Friday, June 16, 2006

Veteran data loss

The recent 26 million records of veterans and even active duty personell that were lost by the Veteran's Administration indicate a potential greater laxity in the federal bureaucracy. We at the ID Theft Working Group at Iowa State University, Ames, Iowa, USA estimate that 28% or more of all federal government agencies have inadequate IT security for their critical sutomer information. This suggests that Congress must enact much more aggressive legislation to secure data and punish criminals who abuse data to which they are not entitled.

Thursday, June 15, 2006

Thank you for subscription

Thank you for subscribing to our blog via email. We will send you updates from us when they become available.

  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C
  • Deter. Detect. Defend. Avoid ID Theft - www.ftc.gov/idtheft