BreachExchange mailing list archives
Re: At Least 20 Big-Name Passports Breached
From: "Jim Kerr" <james.kerr () ceelox com>
Date: Fri, 28 Mar 2008 11:14:06 -0400
The fact of true accountability would address this issue. If a person needs to swipe a finger to gain access to information, then that person knows there is a proof-positive audit trail of that event (unlike a password that could be socially engineered or taken from under the keyboard). This would deter users from this activity, knowing that their credentials could not be assumed by another. This is probably how it is happening so frequently: just assume someone else's identity and have at it.

a) There would be no reorganizing infrastructure, since the technology available is non-invasive to provide the credentialing.

b) Again, biometric technology gives you the ability to use 25-character passwords that don't need to be remembered (or typed in), and the print is converted into a proprietary algorithm that is encrypted in an AES 256 cipher.

c) This could be done, and again the accountability factor will dramatically reduce attempts.

-----Original Message-----
From: allan.friedman () gmail com [mailto:allan.friedman () gmail com] On Behalf Of Allan Friedman
Sent: Friday, March 28, 2008 10:50 AM
To: james.kerr () ceelox com
Cc: mhozven () tealeaf com; dataloss () attrition org
Subject: Re: [Dataloss] At Least 20 Big-Name Passports Breached

On Fri, Mar 28, 2008 at 10:38 AM, <james.kerr () ceelox com> wrote:
> We have had tremendous success in protecting identities within the banking
> industry by use of biometric technology. The customer can pass credentials
> with more safety than PIN numbers and pictures of ducks.

I'd love to learn more about this, particularly how it scales across bureaucracies, particularly if the customer isn't present. I'm not thinking about public databases but large private ones that have many people with many different functions doing different things (e.g. medical records). I'm guessing that to prevent the above-mentioned passport file snooping from happening to someone not on a pre-specified watch list you would need to:

a) reorganize the data architecture of the entire system
b) overlay a pretty strong identity layer
c) introduce secure credentialing that allows a yes/no query without leaking more info
d) probably some chunk of all of the above.

As long as access to databases is fairly unsupervised inside the organization, you're going to see identity theft.

allan
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
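The thread turns on two points: a credential that cannot be lent out makes every record lookup attributable to one person, and watch-list monitoring alone misses snooping on records that were never flagged. The following is an added example, not code from Jim Kerr, Allan Friedman or the Dataloss list, showing what a defender can do with such an audit trail. It assumes a hypothetical access log in which every lookup records the authenticated user, the record opened and the case id that justifies the lookup (empty when none was supplied); the log lines, user names, record ids and the watch list are all constructed for the example.

```python
"""Audit-trail review over constructed record-access log lines.

Added example, not from the mailing-list thread. The log format
(ts|user|record_id|case_id), the users, the record ids and the watch
list below are all hypothetical values invented for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AccessEvent:
    ts: str          # ISO-8601 timestamp of the lookup
    user: str        # authenticated identity that performed the lookup
    record_id: str   # the record that was opened
    case_id: str     # justification for the lookup; empty means none given


# Constructed sample log. One line per record lookup; the last field is
# empty when the lookup was made without a case reference.
SAMPLE_LOG = """\
2008-03-28T10:01:00|clerk_a|REC-1001|CASE-77
2008-03-28T10:02:00|clerk_a|REC-2002|
2008-03-28T10:05:00|clerk_b|REC-2002|CASE-91
2008-03-28T10:07:00|clerk_c|REC-3003|
2008-03-28T10:09:00|clerk_d|REC-4004|
"""

# Hypothetical "pre-specified watch list" of records whose accesses are
# reviewed regardless of justification.
MONITORED_RECORDS = {"REC-2002", "REC-3003"}


def parse_log(text: str) -> List[AccessEvent]:
    """Parse pipe-delimited log lines; blank lines are skipped."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, record_id, case_id = line.split("|", 3)
        events.append(AccessEvent(ts, user, record_id, case_id))
    return events


def watch_list_alerts(events: List[AccessEvent]) -> List[AccessEvent]:
    """Narrow check: lookups of monitored records that carried no case id.

    This is the watch-list approach discussed in the thread; it only sees
    records someone decided to monitor in advance.
    """
    return [e for e in events
            if e.record_id in MONITORED_RECORDS and not e.case_id]


def unjustified_accesses(events: List[AccessEvent]) -> List[AccessEvent]:
    """Broad check: every lookup without a case id, watch-listed or not.

    Because each event is tied to one authenticated user, each hit here is
    attributable to a person rather than to a shared or borrowed password.
    """
    return [e for e in events if not e.case_id]


def unjustified_by_user(events: List[AccessEvent]) -> Dict[str, int]:
    """Per-user count of unjustified lookups, for the reviewer's queue."""
    return dict(Counter(e.user for e in unjustified_accesses(events)))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("watch-list alerts:", [(e.user, e.record_id) for e in watch_list_alerts(evs)])
    print("all unjustified:  ", [(e.user, e.record_id) for e in unjustified_accesses(evs)])
    print("per user:         ", unjustified_by_user(evs))
```

Run against the sample, the watch-list check reports two lookups, while the broad check also reports the lookup of REC-4004, which no watch list would have covered. That gap is the point Allan raises: supervision has to apply to every record access, and it is only meaningful when each event is bound to a single accountable user.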
Current thread:
- At Least 20 Big-Name Passports Breached Richard Forno (Mar 26)
- Re: At Least 20 Big-Name Passports Breached Chris Walsh (Mar 27)
- Re: At Least 20 Big-Name Passports Breached Max Hozven (Mar 27)
- Re: At Least 20 Big-Name Passports Breached Allan Friedman (Mar 27)
- Re: At Least 20 Big-Name Passports Breached Max Hozven (Mar 27)
- Re: At Least 20 Big-Name Passports Breached Jim Kerr (Mar 28)
- Message not available
- Re: At Least 20 Big-Name Passports Breached Allan Friedman (Mar 28)
- Re: At Least 20 Big-Name Passports Breached Jim Kerr (Mar 28)
- Re: At Least 20 Big-Name Passports Breached Casey, Troy # Atlanta (Mar 28)
- Re: At Least 20 Big-Name Passports Breached Max Hozven (Mar 27)
- Re: At Least 20 Big-Name Passports Breached Chris Walsh (Mar 27)